SQL Account Creation with Password
Detects SQL statements that create database user accounts or logins with embedded passwords, covering SQL Server CREATE LOGIN, MySQL CREATE USER IDENTIFIED BY, and PostgreSQL CREATE USER WITH PASSWORD. Mirrors Snaffler rule KeepSqlAccountCreation.
- Type
- regex
- Engine
- boost_regex
- Confidence
- high
- Confidence justification
- High confidence: the combination of SQL account-creation keywords and an explicit password clause is highly specific to credential-bearing SQL scripts. DDL without password clauses (CREATE TABLE, CREATE INDEX) does not match.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF
- Data categories
- credentials
- Scope
- specific
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported
Pattern
CREATE\s+(?:USER|LOGIN)\s+[\s\S]{0,200}(?:IDENTIFIED BY|WITH PASSWORD)Corroborative evidence keywords
GRANT, ALTER LOGIN, sp_addlogin, sysadmin
Proximity: 300 characters
Should match
CREATE LOGIN svc_app WITH PASSWORD = 'S3rv1ce!2024';— SQL Server CREATE LOGIN with passwordCREATE USER 'app'@'%' IDENTIFIED BY 'p4ss';— MySQL CREATE USER IDENTIFIED BYCREATE USER etl_user WITH PASSWORD 'Etl$ecret2024';— PostgreSQL CREATE USER WITH PASSWORD
Should not match
CREATE TABLE Users (id INT, name VARCHAR(50));— DDL table creation, no password clauseCREATE INDEX idx_login ON users(login);— Index DDL, not account creation
Known false positives
- SQL migration scripts or database setup documentation that include CREATE USER statements with placeholder or masked passwords for illustrative purposes. Mitigation: Require proximity to operational SQL keywords (GRANT, ALTER LOGIN, sp_addlogin) that indicate production-grade credential scripts rather than documentation.
- ORM or framework generated SQL in test fixtures that creates test accounts with known weak passwords. Mitigation: Template exclusion keywords at 65-tier catch common test/example/placeholder markers.