Checker Passwords, as of Julia version 2.4 (built on 23 Oct 2017)

belongs to group Basic

Identify insecure manipulations of passwords


Password manipulation can be risky, for instance when passwords are stored in plaintext in a property file. Moreover, passwords stored as program constants expose the program to the risk that the password is recovered simply by inspecting the compiled binary. This checker identifies situations in which passwords are manipulated in an unsafe way.

Action: Avoid storing passwords in property files and use encrypted files instead. Do not use program constants for passwords; store them in encrypted files instead.

Examples


Consider the following program:

import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class Passwords {
  private final static String pwd = "password";

  public void test(Properties props) throws SQLException {
    String s = "password";

    props.getProperty("password");
    props.getProperty(pwd);
    props.getProperty(s);
    props.getProperty("www.juliasoft.password");
    props.getProperty("password", "default");
    props.getProperty("www.juliasoft.password", "default");
    props.setProperty("com.julia.password", "goofy mouse");
    props.setProperty("com.julia.password", s);
    props.setProperty("com.julia.password", s + " and " + pwd);
    DriverManager.getConnection("www.juliasoft.com", "silvio", pwd);
  }
}

This checker issues the following warnings:

Passwords.java:11: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:12: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:13: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:14: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:15: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:16: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:17: [Passwords: HardcodedPasswordWarning] hardcoded password
Passwords.java:18: [Passwords: HardcodedPasswordWarning] hardcoded password
Passwords.java:20: [Passwords: HardcodedPasswordWarning] hardcoded password

since a password is retrieved at lines 11-16 from an unencrypted property file, and since the passwords used at lines 17, 18 and 20 are hardcoded in the program text.
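As an added illustration that is not part of the Julia product, the following Python scanner reproduces the warnings above on the sample program using the same two heuristics the page describes: property keys containing "password", and password arguments that are string literals or variables initialised from a literal. It is a line-based approximation of the checker, not its semantic analysis; the regexes and the constant tracking are assumptions about how such a check can be expressed.

```python
import re
# Java source constructed for this example: the page's Passwords class verbatim.
SAMPLE = '''\
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class Passwords {
  private final static String pwd = "password";

  public void test(Properties props) throws SQLException {
    String s = "password";

    props.getProperty("password");
    props.getProperty(pwd);
    props.getProperty(s);
    props.getProperty("www.juliasoft.password");
    props.getProperty("password", "default");
    props.getProperty("www.juliasoft.password", "default");
    props.setProperty("com.julia.password", "goofy mouse");
    props.setProperty("com.julia.password", s);
    props.setProperty("com.julia.password", s + " and " + pwd);
    DriverManager.getConnection("www.juliasoft.com", "silvio", pwd);
  }
}
'''
# String variables initialised from a literal: the constants the scanner sees through.
CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;')
CALL_RE = re.compile(r'\.(getProperty|setProperty|getConnection)\((.*)\);')
def scan(src):
    """Return [(line, warning)] for the two patterns the checker reports."""
    consts = dict(CONST_RE.findall(src))
    def literal(arg):  # constant value of an argument, None if not constant
        arg = arg.strip()
        m = re.fullmatch(r'"([^"]*)"', arg)
        return m.group(1) if m else consts.get(arg)
    warnings = []
    for n, line in enumerate(src.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m: continue
        method, args = m.group(1), m.group(2).split(',')  # assumes no commas in literals
        key = (literal(args[0]) or '').lower()
        if method == 'getProperty' and 'password' in key:
            warnings.append((n, 'PasswordInPropertyFileWarning'))
        elif method == 'setProperty' and 'password' in key and literal(args[1]) is not None:
            warnings.append((n, 'HardcodedPasswordWarning'))
        elif method == 'getConnection' and len(args) == 3 and literal(args[2]) is not None:
            warnings.append((n, 'HardcodedPasswordWarning'))
    return warnings
```

Line 19 is not reported because its value is a concatenation expression rather than a single literal or constant, matching the checker's output above.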