User Login Credentials

Detects user login credential patterns in documents and configuration files. This pattern is based on a Microsoft Purview built-in sensitive information type. In Purview, this is a broad, function-based detector. This keyword-based version flags documents that may contain login credentials for further review.

Type

regex

Engine

universal

Confidence

low

Confidence justification

Low confidence: broad pattern matching that will match login credential assignments in documentation, code comments, and non-sensitive contexts. Intended as a wide-net classifier. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Partial

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

wide

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)\b(?:username|user[._-]?name|user[._-]?id|login)\s*[:=]\s*"?[^\s"']{3,}"?\s*[;,\n]\s*(?:password|passwd|pwd)\s*[:=]\s*"?[^\s"';,]{6,}"?

Corroborative evidence keywords

username, password, login, credential, authentication, sign in, user account, logon, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+42 more)

Proximity: 300 characters

Should match

• username=admin;password=P@ssw0rd123 — Login credentials in connection string format
• user_name="testuser" password="TestS3cret" — Login credentials in config file
• login=root,pwd=000000000000 — Login credentials with placeholder

Should not match

• Please enter your username and password — Login form description, not actual credentials
• username=admin — Username without password
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Login form descriptions, authentication flow documentation, and security training materials. Mitigation: Check for assignment operators and actual credential values rather than descriptive text.
• Automated test scripts with test account credentials. Mitigation: Flag for review since test credentials may still provide access.

References

• User login credentials entity definition - Microsoft Learn