
Pattern: Use of hard-coded password strings

Issue: -

Description

The use of hard-coded passwords increases the possibility of password guessing tremendously. This rule looks for all string literals and checks the following conditions:

  • assigned to a variable that looks like a password
  • assigned to a dict key that looks like a password
  • used in a comparison with a variable that looks like a password

Variables are considered to look like a password if their name matches any one of:

  • password
  • pass
  • passwd
  • pwd
  • secret
  • token
  • secrete

Note: this can be noisy and may generate false positives.

Example of insecure code:

```python
if password == "root":
    print("OK, logged in")
```
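The following is an added example, not part of this page or of the Bandit project: a small `ast`-based checker that implements the three conditions listed above (string literal assigned to a password-like variable, stored under a password-like dict key, or compared with a password-like variable). The name-matching rule (any underscore-separated part of the name equals one of the listed words) and the sample input are assumptions made for the example.

```python
import ast
# Names the description lists as password-like.
PASSWORD_WORDS = {"password", "pass", "passwd", "pwd", "secret", "token", "secrete"}

def looks_like_password(name):
    """Assumption: a name matches if any underscore-separated part is in the list."""
    return any(part in PASSWORD_WORDS for part in name.lower().split("_"))

def _name_of(node):
    """Identifier of a Name or Attribute node, else None."""
    return node.id if isinstance(node, ast.Name) else getattr(node, "attr", None)

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def find_hardcoded_passwords(source):
    """Return sorted (lineno, name, literal) for string literals in the three positions."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_str(node.value):
            # 1. assigned to a variable that looks like a password
            for target in node.targets:
                name = _name_of(target)
                if name and looks_like_password(name):
                    findings.append((node.lineno, name, node.value.value))
        elif isinstance(node, ast.Dict):
            # 2. assigned to a dict key that looks like a password
            for key, value in zip(node.keys, node.values):
                if _is_str(key) and _is_str(value) and looks_like_password(key.value):
                    findings.append((node.lineno, key.value, value.value))
        elif isinstance(node, ast.Compare):
            # 3. compared with a variable that looks like a password (either side)
            operands = [node.left] + node.comparators
            for left, right in zip(operands, operands[1:]):
                for var, lit in ((left, right), (right, left)):
                    name = _name_of(var)
                    if name and _is_str(lit) and looks_like_password(name):
                        findings.append((node.lineno, name, lit.value))
    return sorted(findings)

# Constructed sample; line 5 is a non-secret header name that still matches
# (the false-positive noise the note above warns about).
SAMPLE = '''\
password = "root"
config = {"db_password": "s3cret"}
if token == "abc123":
    pass
token_header = "X-CSRF-Token"
timeout = "30"
'''
```

Running `find_hardcoded_passwords(SAMPLE)` reports lines 1, 2, 3 and 5; the `timeout` literal on line 6 is ignored because its name matches none of the listed words.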

Further Reading