Mrinal Ahlawat

Reputation: 115

Detecting Hard Coded Passwords

I have been trying to detect hard coded passwords in source code files.

Currently I am checking for variable assignments and comparisons for identifiers with a sub-string matching password, pswd.

But it is leading to lots of false positives like in this case (reading passwords from a config file):

String PASSWORD_KEY = "server.password";
String password = prop.getProperty(PASSWORD_KEY);

I can flag out some sub-strings like Key, location, path for which I can skip the error generation, but apart from this I cannot think of a better approach.

All suggestions are appreciated.

Upvotes: 6

Views: 3731
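A minimal scanner for the heuristic described in the question, with the two refinements the false-positive case suggests: only string literals assigned to or compared with a password-like identifier are reported (a value fetched via prop.getProperty(...) is a call, not a literal), and identifiers containing key/location/path-style sub-strings are skipped. This is an added example, not code from the original post; the Java sample lines are constructed.

```python
import re

# Identifier that looks like it holds a secret (the question's password/pswd heuristic).
SECRET_NAME = re.compile(r"pass(word|wd)|pswd|secret", re.IGNORECASE)
# Identifier that names where a secret lives (the question's key/location/path idea).
INDIRECT_NAME = re.compile(r"key|location|path|file|name|prompt|label", re.IGNORECASE)
# Assignment or comparison of an identifier to a string literal (Java/C-style).
# prop.getProperty(...) is a call, not a literal, so that line never matches.
LITERAL_USE = re.compile(
    r'(?P<name>[A-Za-z_]\w*)\s*(==|!=|=|\.equals\()\s*"(?P<value>[^"]*)"'
)


def is_suspicious(name, value):
    """Apply the name and value filters to one identifier/literal pair."""
    if not SECRET_NAME.search(name):
        return False
    if INDIRECT_NAME.search(name):
        return False  # PASSWORD_KEY names a config key, not a secret
    if len(value) < 4:
        return False  # empty or trivially short literal
    if re.fullmatch(r"[a-z0-9_]+(\.[a-z0-9_]+)+", value):
        return False  # dotted name such as "server.password" is a property key
    if "${" in value or "%s" in value or "{}" in value:
        return False  # placeholder or template, not a real value
    return True


def scan_source(text):
    """Return (line number, identifier, literal) for every suspicious use."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in LITERAL_USE.finditer(line):
            if is_suspicious(m.group("name"), m.group("value")):
                findings.append((lineno, m.group("name"), m.group("value")))
    return findings


# Constructed Java sample: the question's two lines plus cases that should and
# should not be reported.
SAMPLE = """\
String PASSWORD_KEY = "server.password";
String password = prop.getProperty(PASSWORD_KEY);
String dbPassword = "hunter2";
if (pswd.equals("letmein")) { grantAccess(); }
String passwordPrompt = "Enter password:";
String PASSWORD_TEMPLATE = "${DB_PASSWORD}";
"""

print(scan_source(SAMPLE))  # [(3, 'dbPassword', 'hunter2'), (4, 'pswd', 'letmein')]
```

The literal-only rule is what removes the getProperty false positive; the name and value filters are still heuristics and will miss a secret stored under an unrelated identifier, which is the limitation the answer below points at.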

Answers (1)

user3277192

Real-world cases of hidden backdoors teach that the code is typically far more obscured than using a variable name that indicates its purpose.

So to get to something foolproof, you'd need to do a full static analysis and have "intelligence" in the code checker to understand the code and find where the authentication happens and then work backwards to verify there are no hidden ways to achieve this.

IMHO it's cheaper to hire somebody to do (security) code reviews than to try to automate this.

Upvotes: 1