Hard Coded Credentials for Dummies

How to not unknowingly, accidentally and unconsciously reveal all your passwords and secrets to bad people

Credentials and passwords are an integral part of the online and software world. In the simplest example they are the key protecting your “online house”, such as Instagram, Facebook, email, etc.

And even in these cases, where they protect “just” your private data, a lot of damage can be done if the credentials are obtained by “bad people”.

Now imagine the potential damage if “bad people” obtain the credentials of bigger organizations such as world banks, major retailers, insurance companies, etc. All of these have numerous credentials in their systems, and if those credentials are revealed they endanger not only the organization itself but also its end users.


So you know what credentials are, but what are Hardcoded Credentials?
Hardcoding credentials is a practice used by developers when building a webpage or an application (or absolutely anything that needs computer code to operate and run): the developer embeds important information (passwords and other secret data) directly into the source code, as opposed to loading the passwords from an external source or generating them when needed.

Consequently, Hardcoded Credentials contain passwords and other important secrets, and while they are not visible from the outside, they are often obvious and easy to find in the source code, which makes them a serious security risk.


Why are they so risky?
When a developer is building an app, webpage or any kind of software, they may put Hardcoded Credentials into the source code. You may consider source code complicated and hard to comprehend, but anyone with a bit of programming knowledge can often spot Hardcoded Credentials: they are usually written in plain text and sit next to words such as “password” or “user”.

Since it is not complicated to find them in the source code, Hardcoded Credentials are an easy target for attackers. Once attackers extract passwords and other secret data from Hardcoded Credentials, they can do substantial damage.

Unfortunately, this risky practice is still fairly common.
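Because hardcoded credentials usually look like an assignment of a quoted string literal to a variable named password, user, token or similar, a simple pattern match over the source already catches the obvious cases. The following Python scanner is an added example written for this article, not code from the original post; the sample source lines it scans are constructed, and the variable names and placeholder values in them are made up for the illustration.

```python
import re

# Constructed sample source, as a scanner would read it from a repository.
# Only three of these lines embed a secret as a literal in the code.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
DB_USER = "app_user"
DB_PASSWORD = "Sup3rS3cret!"           # hardcoded secret (constructed value)
api_key = 'AKIA0000000000EXAMPLE'       # hardcoded key (constructed value)
token = os.environ["API_TOKEN"]         # loaded at runtime, not hardcoded
password = ""                           # empty placeholder, nothing to leak
password = input("Password: ")          # prompted at runtime, not hardcoded
"""

# Variable names that suggest a credential: the "password" / "user" words the
# text mentions plus a few common variants.
CREDENTIAL_NAMES = re.compile(
    r"(password|passwd|pwd|secret|api_?key|token|user(name)?)",
    re.IGNORECASE,
)

# An assignment whose right-hand side starts with a non-empty quoted string
# literal. Calls such as os.environ[...] or input(...) do not match, so values
# obtained at runtime are left alone.
STRING_ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<quote>["'])(?P<value>[^"']+)(?P=quote)"""
)


def find_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable_name) for every assignment of a string
    literal to a credential-looking variable name."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = STRING_ASSIGNMENT.match(line)
        if match and CREDENTIAL_NAMES.search(match.group("name")):
            findings.append((lineno, match.group("name")))
    return findings


if __name__ == "__main__":
    # Report the finding without echoing the secret value itself.
    for lineno, name in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: possible hardcoded credential in {name!r}")
```

Real secret scanners go further (entropy checks, known key formats, scanning git history), and a keyword list this broad will also flag harmless names such as a plain username; the point is that the plain-text pattern described above is trivially matchable, so running such a check before code is pushed costs almost nothing and catches the easy cases first.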


Where do developers use Hardcoded Credentials?
Even though it is fairly easy to find and abuse Hardcoded Credentials and they pose a big security risk, they can be found in different types of applications, web pages of all kinds, and also in the programs that run computers, mobile phones, printers, routers and all sorts of devices (anything that needs computer code to operate and run!).

More specific examples include mobile apps to which you reveal personal information, or medical devices such as ventilators or analysis equipment! The examples are vast and numerous.


Why are we making it easy for attackers?
You are probably wondering why people are still using Hardcoded Credentials. Mostly because it is easier: it keeps the coding process less complicated.

Also, Hardcoded Credentials are written with the intention that they will never change, so they become part of the code itself. Many developers are afraid to change them for fear of disrupting the different kinds of operations within the system.

If you take into account that an average sized organization can have hundreds or thousands of passwords and other secret data spread across all of its devices, applications and systems, it is logical to assume that fixing Hardcoded Credentials is not an easy process.

It is much easier to deal with Hardcoded Credentials before the actual design (there are ways to avoid them or make them harder to exploit), but it is also possible (though costly and complicated) to fix them in existing code and make the necessary adjustments so as to keep malicious people from obtaining important passwords and secrets.
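To make the contrast concrete, the following Python snippet is an added example (not code from the original post) that shows the two approaches side by side: a password embedded as a literal in the source, and the same password obtained at runtime from the environment or from a secrets file provided by the deployment platform, with no built-in fallback. The variable name DB_PASSWORD, the /run/secrets directory and the example values are assumptions chosen for the illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Mapping, Union

# BEFORE: the password is a string literal in the source. Anyone who can read
# the code (repository, backup, decompiled app, firmware image) can read the
# password, and rotating it means changing and redeploying the code.
DB_PASSWORD_HARDCODED = "Sup3rS3cret!"  # constructed example value, not a real secret


def get_password_hardcoded() -> str:
    return DB_PASSWORD_HARDCODED


# AFTER: the password is supplied at runtime from outside the code, either as
# an environment variable or as a file mounted by the deployment platform
# (the /run/secrets convention is an assumption). The code contains no secret,
# and rotating the password never touches the code.
def get_password_external(env: Mapping[str, str], secrets_dir: Union[str, Path]) -> str:
    """Return DB_PASSWORD from `env`, else from the file secrets_dir/DB_PASSWORD.
    Fails closed: there is deliberately no hardcoded default to fall back to."""
    value = env.get("DB_PASSWORD", "").strip()
    if value:
        return value
    secret_file = Path(secrets_dir) / "DB_PASSWORD"
    if secret_file.is_file():
        value = secret_file.read_text(encoding="utf-8").strip()
        if value:
            return value
    raise RuntimeError("DB_PASSWORD was not provided by the environment or a secrets file")


def demo_secret_file() -> str:
    """Exercise the file-based path with a constructed, temporary secrets directory."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets_dir = Path(tmp)
        (secrets_dir / "DB_PASSWORD").write_text("from-file\n", encoding="utf-8")
        return get_password_external({}, secrets_dir)


def fails_closed_when_missing() -> bool:
    """True if the lookup refuses to run when no secret is provided at all."""
    try:
        get_password_external({}, "/nonexistent-secrets-dir-for-demo")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    # Real usage: pass the process environment and the platform's secrets directory.
    try:
        get_password_external(os.environ, "/run/secrets")
        print("DB_PASSWORD obtained from the environment or secrets file")
    except RuntimeError as exc:
        print(f"startup refused: {exc}")
```

The important design choice is the absence of a default: a "temporary" fallback literal in the code is itself a hardcoded credential, and it is exactly the kind that never gets removed because everything keeps working with it in place.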
