Checker Passwords

belongs to group Basic
Identify insecure manipulations of passwords

Frameworks supported by this checker

  • java up to 11
  • android up to API level 28
  • dotnet

Warnings generated by this checker

  • HardcodedPasswordWarning: a hardcoded password is used [ CWE259 ]
  • PasswordInPropertyFileWarning: a password is retrieved from a property file [ CWE522 ]

Options accepted by this checker

  • none

Annotations understood by this checker

  • @com.juliasoft.julia.checkers.passwords.Password


Description

Password handling can be risky, for instance when passwords are stored in plaintext in a property file. Moreover, a password stored as a program constant can be recovered by simply inspecting the compiled binary (the constant pool of a class file, the string table of an assembly), without any access to the source code. This checker identifies situations where passwords are handled in an unsafe way.

Action: Avoid storing passwords in plaintext property files; keep them in encrypted files instead. Do not use program constants for passwords; store them in encrypted files as well. Note that the key used to decrypt such a file must itself be supplied at run time (for instance from the environment or a key store): if it is hardcoded, the secret has simply moved from the password to the key.
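The following Java class is an added example, not code from the checker's documentation or from the Julia code base. It implements the remediation the Action above asks for: the password is kept in a small file encrypted with AES-256-GCM, the decryption key arrives at run time, and the decrypted password is handled as a char[] that is wiped once it has been used. The environment variable name DB_SECRETS_KEY, the file name and the sample password are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not the checker's own code): password stored in an AES-256-GCM
// encrypted file, key supplied at run time. DB_SECRETS_KEY is an assumed variable name.
public final class EncryptedSecrets {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private final SecretKey key;

    public EncryptedSecrets(SecretKey key) {
        this.key = key;
    }

    // Key material comes from outside the program, so no secret is a program constant.
    public static EncryptedSecrets fromEnvironment(String varName) {
        String b64 = System.getenv(varName);
        if (b64 == null) {
            throw new IllegalStateException("decryption key not provided in " + varName);
        }
        return new EncryptedSecrets(new SecretKeySpec(Base64.getDecoder().decode(b64), "AES"));
    }

    // Writes IV || ciphertext || GCM tag; a fresh random IV per write keeps key reuse safe.
    public void store(Path file, char[] password) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        byte[] plain = utf8Bytes(password);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            byte[] ct = c.doFinal(plain);
            Files.write(file, ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
        } finally {
            Arrays.fill(plain, (byte) 0); // do not leave the plaintext in the heap
        }
    }

    // Reads the file back; a modified file fails the tag check with AEADBadTagException.
    public char[] load(Path file) throws Exception {
        byte[] blob = Files.readAllBytes(file);
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("encrypted password file is truncated");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOf(blob, GCM_IV_BYTES)));
        byte[] plain = c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        try {
            return utf8Chars(plain);
        } finally {
            Arrays.fill(plain, (byte) 0);
        }
    }

    // char[] <-> byte[] without ever creating an immutable String of the password.
    private static byte[] utf8Bytes(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        if (bb.hasArray()) Arrays.fill(bb.array(), (byte) 0);
        return out;
    }

    private static char[] utf8Chars(byte[] bytes) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        if (cb.hasArray()) Arrays.fill(cb.array(), '\0');
        return out;
    }

    // Demo: a throwaway key stands in for DB_SECRETS_KEY; the password is a constructed sample.
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        EncryptedSecrets secrets = new EncryptedSecrets(kg.generateKey());
        Path file = Files.createTempFile("db-password", ".enc");
        char[] original = "s3cr3t-from-operator".toCharArray();
        secrets.store(file, original);
        Arrays.fill(original, '\0');
        char[] pwd = secrets.load(file);
        try {
            System.out.println("decrypted " + pwd.length + " chars from "
                               + Files.size(file) + " bytes of IV||ciphertext||tag");
            // JDBC needs a String at the boundary: DriverManager.getConnection(url, user, new String(pwd));
        } finally {
            Arrays.fill(pwd, '\0');
            Files.deleteIfExists(file);
        }
    }
}
```

In production the key would be obtained with fromEnvironment("DB_SECRETS_KEY") (or from a key store or a secrets manager) rather than generated in main, and the encrypted file would be produced once by an operator rather than by the application. Two caveats apply: JDBC's DriverManager.getConnection takes a String, so the char[] must be converted at that boundary and the resulting String kept as short-lived as possible; and whoever can read both the file and the key can recover the password, so the key must be protected at least as well as the plaintext file would have been.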

Examples

Consider the following program:

import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class Passwords {
  private final static String pwd = "password";

  public void test(Properties props) throws SQLException {
    String s = "password";

    props.getProperty("password");
    props.getProperty(pwd);
    props.getProperty(s);
    props.getProperty("www.juliasoft.password");
    props.getProperty("password", "default");
    props.getProperty("www.juliasoft.password", "default");
    props.setProperty("com.julia.password", "goofy mouse");
    props.setProperty("com.julia.password", s);
    props.setProperty("com.julia.password", s + " and " + pwd);
    DriverManager.getConnection("www.juliasoft.com", "silvio", pwd);
  }
}

This checker issues the following warnings:

Passwords.java:11: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:12: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:13: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:14: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:15: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:16: [Passwords: PasswordInPropertyFileWarning] passwords should not be retrieved from a property file
Passwords.java:17: [Passwords: HardcodedPasswordWarning] hardcoded password
Passwords.java:18: [Passwords: HardcodedPasswordWarning] hardcoded password
Passwords.java:20: [Passwords: HardcodedPasswordWarning] hardcoded password

since a password is retrieved at lines 11-16 from an unencrypted property file and since the passwords used at lines 17, 18 and 20 are hardcoded in the program text.

Consider the following program:

using System;
using System.Net;


namespace DocumentationExamples
{

    public class Passwords
    {
        private static void Main(string[] args)
        { }

        private static readonly string pwd = "password";
        public void Test()
        {
            string s = "password";
            Environment.GetEnvironmentVariable("password");
            Environment.GetEnvironmentVariable(pwd);
            Environment.GetEnvironmentVariable(s);
            Environment.GetEnvironmentVariable("www.juliasoft.password");
            Environment.GetEnvironmentVariable("password", EnvironmentVariableTarget.Machine);
            Environment.GetEnvironmentVariable("www.juliasoft.password", EnvironmentVariableTarget.Process);
            Environment.SetEnvironmentVariable("com.julia.password", "goofy mouse");
            Environment.SetEnvironmentVariable("com.julia.password", s);
            Environment.SetEnvironmentVariable("com.julia.password", s + " and " + pwd);
            NetworkCredential nc = new NetworkCredential("www.juliasoft.com", "silvio");
        }
    }
}

This checker issues the following warnings:

Passwords.cs:17: [Passwords: PasswordInPropertyFileWarning] Passwords should not be retrieved from a property file
Passwords.cs:18: [Passwords: PasswordInPropertyFileWarning] Passwords should not be retrieved from a property file
Passwords.cs:19: [Passwords: PasswordInPropertyFileWarning] Passwords should not be retrieved from a property file
Passwords.cs:20: [Passwords: PasswordInPropertyFileWarning] Passwords should not be retrieved from a property file
Passwords.cs:21: [Passwords: PasswordInPropertyFileWarning] Passwords should not be retrieved from a property file
Passwords.cs:22: [Passwords: PasswordInPropertyFileWarning] Passwords should not be retrieved from a property file
Passwords.cs:23: [Passwords: HardcodedPasswordWarning] Use of password "goofy mouse" hardcoded at the same line
Passwords.cs:24: [Passwords: HardcodedPasswordWarning] Use of password "password" hardcoded at line 16
Passwords.cs:26: [Passwords: HardcodedPasswordWarning] Use of password "silvio" hardcoded at the same line

since at lines 17-22 a password is read from an environment variable, which the checker reports with the same PasswordInPropertyFileWarning it uses for property files, and since the passwords used at lines 23, 24 and 26 are hardcoded in the program text (the warning at line 24 points back to line 16, where the constant "password" assigned to s is defined).