Because it is easy to extract strings from a compiled application (or from a packaged configuration file), credentials should never be hard-coded. Do so, and they are almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed to third parties, since every copy ships with the secret.

Credentials should be stored outside of the code in a strongly protected, encrypted configuration file or database. This rule flags instances of hard-coded credentials. It checks for property keys whose name contains login, username, password, passwd or pwd.

Encrypted credentials can also be placed in Java .properties files, although this is only marginally better: the application must still be able to decrypt them, so the key is reachable by anyone who can run or inspect the application. By default, issues are raised on those encrypted credentials as well. If you do not want issues raised on encrypted credentials, set the encryptedCredentialsToIgnore parameter so that the rule can recognise and skip them.

Noncompliant Code Example

db_username=myusername
db_passwd=mypassword
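As an added illustration of the check described above (example code written for this page, not the analyzer's own implementation), the following Python script reads a .properties file, reports every key containing one of the listed words that carries a literal value, and skips values matching an encrypted-credential pattern in the way an encryptedCredentialsToIgnore setting would. The parameter's real syntax, the case-insensitive key matching, the treatment of empty values and ${...} placeholders, the ENC(...) default pattern and the sample file are all assumptions made for this example.

```python
"""Example detector for hard-coded credentials in Java .properties files.

Added illustration only: this is not the analyzer's own implementation.
"""
import re
import sys
from typing import Optional

# Key fragments named in the rule description. Matching is case-insensitive
# (assumption: the page does not say how the analyzer compares keys).
CREDENTIAL_WORDS = ("login", "username", "password", "passwd", "pwd")

# Assumed shape of the encryptedCredentialsToIgnore parameter: a regular
# expression that a value must fully match to be skipped. The Jasypt-style
# ENC(...) wrapper used as the default here is an assumption, not the
# analyzer's default.
DEFAULT_ENCRYPTED_PATTERN = r"ENC\([^)]+\)"

# key, optional '=' or ':' separator (or just whitespace), value
_KEY_VALUE_RE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> list[tuple[int, str, str]]:
    """Minimal .properties reader returning (line_no, key, value) triples.

    Handles '=' / ':' / whitespace separators, '#' and '!' comments and
    blank lines. Escapes and backslash line continuations are not handled.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KEY_VALUE_RE.match(line)
        if m:
            entries.append((line_no, m.group(1), m.group(2).strip()))
    return entries


def is_credential_key(key: str) -> bool:
    """True if the key name contains one of the credential words."""
    lowered = key.lower()
    return any(word in lowered for word in CREDENTIAL_WORDS)


def find_hardcoded_credentials(
    text: str, encrypted_credentials_to_ignore: Optional[str] = None
) -> list[tuple[int, str]]:
    """Return (line_no, key) for every credential key with a literal value.

    Values are deliberately not returned: a finding report that echoes the
    secret is itself a leak. Empty values and ${...} placeholders resolved
    at runtime are treated as not hard-coded (assumption).
    """
    ignore_re = (
        re.compile(encrypted_credentials_to_ignore)
        if encrypted_credentials_to_ignore
        else None
    )
    findings = []
    for line_no, key, value in parse_properties(text):
        if not is_credential_key(key):
            continue
        if not value:
            continue
        if value.startswith("${") and value.endswith("}"):
            continue
        if ignore_re is not None and ignore_re.fullmatch(value):
            continue
        findings.append((line_no, key))
    return findings


# Constructed sample input; lines 2 and 3 are the page's noncompliant example.
SAMPLE_PROPERTIES = """\
# constructed sample file
db_username=myusername
db_passwd=mypassword
db.url=jdbc:postgresql://db.internal:5432/app
smtp.password=
api_token=abc123
admin.Password=ENC(3fj9sd0fj2==)
ldap.pwd=${LDAP_PWD}
"""


if __name__ == "__main__":
    # Usage: python check_props.py [application.properties]; with no
    # argument the constructed sample is scanned. Java reads .properties
    # files as ISO-8859-1, hence latin-1 here.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            content = fh.read()
    else:
        content = SAMPLE_PROPERTIES
    for line_no, key in find_hardcoded_credentials(content, DEFAULT_ENCRYPTED_PATTERN):
        print(f"line {line_no}: hard-coded credential in key '{key}'")
```

Note that api_token in the sample is not reported: the word list on this page does not include token, which is exactly the kind of gap a team should close by extending the list rather than assuming the rule catches every secret.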

See