What are hardcoded password

Hardcoded Password :

Summary

Hardcoded passwords could compromise system security in a way that cannot be easily remedied.

Passwords should never be hardcoded and should generally be obfuscated and managed in an external source. Storing passwords in plaintext anywhere on the system allows anyone with sufficient permissions to read and potentially misuse the password.

Some third-party products claim the ability to manage passwords in a more secure way. For a secure solution, the only viable option today appears to be a proprietary one that you create.

Explanation

It is never a good idea to hardcode a password. Not only does hardcoding a password allow all of the project’s developers to view the password, it also makes fixing the problem extremely difficult. Once the code is in production, the password cannot be changed without patching the software. If the account protected by the password is compromised, the owners of the system will be forced to choose between security and availability.

$password = $_POST[‘password’] ? $_POST[‘password’] : $_GET[‘password’];

In this case the password was used to access a resource at line 26

Image for post
Image for post

The following code uses a hardcoded password to connect to a database:

...
$link = mysql_connect($url, 'scott', 'tiger');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
...

This code will run successfully, but anyone who has access to it will have access to the password. Once the program has shipped, there is likely no way to change the database user “scott” with a password of “tiger” unless the program is patched. An employee with access to this information could use it to break into the system.

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store