This error occurs when a hardcoded string, or part of a hardcoded string, reaches a method that accepts passwords or a method which performs encryption.

Vulnerability and risk

Source code is bad storage for secrets. First, it allows other developers to read them. String passwords can be easily extracted from Java bytecode, allowing people who have bytecode to read them. Also, it is not possible to change them without upgrading software. Hard-coded strings used as part of a digest can provide attackers with a clue to how a key is made, so attackers can try to predict it (for example, a session key).

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Passwords should be entered dynamically and should store irreversible digest, such as md5. If methods require a password in plain text, store the encrypted password in the configuration file.

Example 1

13     public static void main(String[] args) throws Exception {
14         Properties info = new Properties();
15         info.setProperty("user", "root");
16         info.setProperty("password", "^6nR$%_");
17         Connection connection = DriverManager.getConnection("jdbc:mysql://localhost:3307", info);
18         try {
19             //...
20         } finally {
21             connection.close();
22         }
23     }

SV.PASSWD.HC is reported for line 16: string '"^6nR$%_"' used as password or its part: source code is bad storage for secrets; using this string, an attacker can determine an alternate authentication channel or guess how your session keys are formed.

Security training

Application security training materials provided by Secure Code Warrior.


This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.