← back to index

S2068 — Credentials should not be hard-coded

Language: C#  |  Type: VULNERABILITY  |  Severity: Major

Tags: cwe, former-hotspot

Why is this an issue?

Hard-coding credentials in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or open-source applications. This practice exposes your application to significant security risks.

This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.

In the past, it has led to the following vulnerabilities:

Exceptions

How to fix it

Credentials should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider’s secrets management service. If a password is exposed in the source code, it must be changed immediately.

Code Examples

Noncompliant code example

string username = "admin";
string password = "Admin123"; // Noncompliant
string usernamePassword  = "user=admin&password=Admin123"; // Noncompliant
string url = "scheme://user:Admin123@domain.com"; // Noncompliant

Compliant solution

string username = "admin";
string password = GetEncryptedPassword();
string usernamePassword = string.Format("user={0}&password={1}", GetEncryptedUsername(), GetEncryptedPassword());
string url = $"scheme://{username}:{password}@domain.com";

string url2 = "http://guest:guest@domain.com"; // Compliant
const string Password_Property = "custom.password"; // Compliant

Resources