Password File Credential List
Detects credential list files — documents containing multiple username/password pairs in a structured, enumerated format (passwords.txt, secrets.*, BitlockerLAPSPasswords.csv, etc.). Distinguishes a credential roster from prose mentioning "password". Mirrors Snaffler rule KeepPasswordFilesByName.
- Type: regex
- Engine: boost_regex
- Confidence: medium
- Confidence justification: Medium confidence: the paired username+password structure is highly indicative of a credential list file, but the regex is intentionally broad to survive line-wrapped PDF extraction and varied formats. min_count gating at tier 85 anchors precision to multi-pair files. Inherent list heuristic; gate on evidence to suppress false positives in config files that legitimately set one username and one password.
- Jurisdictions: global
- Regulations: GDPR, Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories: credentials, security
- Scope: wide
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported
Pattern
(?i)(?:username|user|login|account)\s*[:=][\s\S]{0,60}(?:password|passwd|pwd)\s*[:=]\s*[^\s]{4,}
Corroborative evidence keywords
account, login, credentials, server, host, username, password, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie, credential (+36 more)
Proximity: 300 characters
Should match
- Server: db01 Username: admin Password: P@ssw0rd Server: db02 Username: sa Password: Secret2! — Multi-entry credential list — server/username/password blocks
- user=deploy login=svc-deploy password=xK9#mPqR7! — Single-line credential pair with equals signs
- account: ops_user password: hunter2 account: dev_user password: abc123xyz — YAML-style credential list with account/password fields
- login: nathanc passwd: S3cr3tP@ss99 login: guest passwd: Welcome1! — login/passwd variant with multiple pairs
Should not match
- Please reset your password by clicking the link below. Contact your admin if you need help. — Prose about passwords with no credential pair structure
- Error: invalid username or password supplied — Generic auth error message with no credential assignment
- The system requires a minimum password length of 12 characters. — Password policy documentation without actual credentials
Known false positives
- Configuration files (httpd.conf, wp-config.php) that set a single username and password for a service. These are valid credentials but not a credential list — distinguish by requiring min_count >= 2. Mitigation: Use tier 85 with min_count 2 and unique_results to require at least two distinct credential pairs before escalating confidence.
- Security training materials, CTF challenge write-ups, and documentation that show example credential pairs as illustrations. Mitigation: Gate on noise-exclusion keyword list (template-exclusion) and require domain-context evidence (server, host, account, credentials).
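The min_count 2 / unique_results gate described under the first false positive can be sketched as follows. This is an added example, not part of the rule's own implementation: it runs the page's pattern with Python's `re` instead of boost_regex, and `PAIR_PATTERN`, `distinct_pairs` and `classify` are hypothetical names. It assumes non-overlapping match counting; the page does not state how the DLP engine counts.

```python
import re

# Pattern copied from the page (the page's engine is boost_regex; Python's re
# accepts the same syntax for this expression).
PAGE_PATTERN = re.compile(
    r"(?i)(?:username|user|login|account)\s*[:=][\s\S]{0,60}"
    r"(?:password|passwd|pwd)\s*[:=]\s*[^\s]{4,}"
)
# Assumption for this example only: a lazy gap ({0,60}?) so each pair is its own
# match. With the greedy gap, re.finditer returns one span covering two
# adjacent pairs, which would hide the second pair from a counter.
PAIR_PATTERN = re.compile(
    r"(?i)(?:username|user|login|account)\s*[:=][\s\S]{0,60}?"
    r"(?:password|passwd|pwd)\s*[:=]\s*[^\s]{4,}"
)
MIN_COUNT = 2  # the min_count the page recommends for tier 85


def distinct_pairs(text):
    """Return the set of distinct credential-pair matches (unique_results)."""
    return {" ".join(m.group(0).split()) for m in PAIR_PATTERN.finditer(text)}


def classify(text):
    """'no_match', 'single_pair' (base match only) or 'credential_list'."""
    if not PAGE_PATTERN.search(text):
        return "no_match"
    if len(distinct_pairs(text)) >= MIN_COUNT:
        return "credential_list"
    return "single_pair"


# Samples: the first three are from the page, the last two are constructed.
SAMPLES = {
    "multi_entry": "Server: db01 Username: admin Password: P@ssw0rd "
                   "Server: db02 Username: sa Password: Secret2!",
    "one_line": "user=deploy login=svc-deploy password=xK9#mPqR7!",
    "prose": "Error: invalid username or password supplied",
    "config_constructed": "DB_USER = wordpress\nDB_PASSWORD = s3cretvalue",
    "repeat_constructed": "login: guest passwd: Welcome1!\n"
                          "login: guest passwd: Welcome1!",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:20} {classify(text)}")
```

The constructed config sample and the repeated-pair sample both stay at `single_pair`, which is the behaviour the min_count and unique_results mitigation is meant to produce.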