CRITICAL

Hardcoded Passwords and Credentials

Description

Hardcoded passwords in client-side code are a critical security vulnerability. These credentials are visible to anyone who views your website's source code or uses browser developer tools.

Unlike server-side code, client-side JavaScript is downloaded and executed in the user's browser, making it impossible to keep secrets hidden. Any passwords, credentials, or authentication tokens in this code should be considered publicly known.

Attackers routinely scan websites for hardcoded credentials, and automated tools can discover them within minutes of deployment.

Potential Impact & Risks

  • Unauthorized access to systems and databases
  • Account takeover and identity theft
  • Data breaches and information leakage
  • Lateral movement to other systems
  • Compliance violations and legal liability
  • Complete system compromise

Remediation

Immediate Actions

1. Change all exposed passwords immediately

2. Review access logs for unauthorized logins

3. Check for data exfiltration or system changes

4. Notify affected users if applicable


Long-term Solution

1. **Never hardcode credentials**: Use secure authentication patterns

2. **Implement OAuth/OIDC**: Use industry-standard authentication

3. **Use session tokens**: Authenticate users with server-issued tokens

4. **Backend authentication**: Verify credentials server-side only

5. **Enable MFA**: Add multi-factor authentication

6. **Use password managers**: Store credentials securely

7. **Regular audits**: Scan code for hardcoded secrets

8. **Secret scanning in CI/CD**: Prevent commits with secrets

Code Examples

// ❌ BAD - Never do this:
if (password === "admin123") {
  login();
}

// ✅ GOOD - Use backend authentication:
// Frontend: send the credentials to the server and keep only the issued token
async function login(username, password) {
  const response = await fetch("/api/login", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password })
  });
  if (!response.ok) {
    throw new Error("Login failed");
  }
  const { token } = await response.json();
  return token;
}

// Backend (Express): the password is only ever checked here, against a stored hash
const bcrypt = require("bcrypt");
const jwt = require("jsonwebtoken");

app.post("/api/login", async (req, res) => {
  const { username, password } = req.body;
  const user = await db.users.findOne({ username });
  // Unknown user and wrong password get the same 401, and the handler always responds
  const valid = user && (await bcrypt.compare(password, user.passwordHash));
  if (!valid) {
    return res.status(401).json({ error: "Invalid credentials" });
  }
  const token = jwt.sign({ userId: user.id }, process.env.JWT_SECRET, {
    expiresIn: "1h"
  });
  res.json({ token });
});
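A minimal scanner for the "Regular audits" and "Secret scanning in CI/CD" steps in the Long-term Solution list, added here as an example and not part of the original rule text. It flags JavaScript lines that compare a credential-named variable against a string literal (the BAD pattern above) or assign one to it; the rule ids, the `secret-scan: allow` marker and the sample file are constructed for this illustration.

```javascript
// Added example (not from the original rule text): a minimal scanner for the
// "Regular audits" / "Secret scanning in CI/CD" steps. It flags JavaScript
// lines that compare a credential-named variable against a string literal
// (the BAD pattern above) or assign one. Rule ids, the allow marker and the
// sample input are constructed for this illustration.
const CREDENTIAL_NAME = "(?:password|passwd|pwd|secret|api[_-]?key|token)";
const LITERAL = `["'\`][^"'\`]+["'\`]`; // a non-empty quoted string
const PATTERNS = [
  { id: "literal-comparison",       // e.g. if (password === "admin123")
    re: new RegExp(`\\b\\w*${CREDENTIAL_NAME}\\w*\\s*[!=]==?\\s*${LITERAL}`, "i") },
  { id: "literal-assignment",       // e.g. const apiKey = "sk_live_..."
    re: new RegExp(`\\b\\w*${CREDENTIAL_NAME}\\w*\\s*[:=]\\s*${LITERAL}`, "i") },
];
// Reviewed false positives (a header or field name) carry an inline marker,
// the way most scanners' allow-lists work.
const ALLOW_MARKER = /secret-scan:\s*allow/;

function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    if (ALLOW_MARKER.test(line)) return;
    for (const { id, re } of PATTERNS) {
      if (re.test(line)) {
        findings.push({ line: idx + 1, rule: id, text: line.trim() });
        break; // one finding per line is enough
      }
    }
  });
  return findings;
}

// Exit status for a CI job: non-zero blocks the commit or build.
function ciStatus(source) {
  return scanSource(source).length === 0 ? 0 : 1;
}

// Constructed sample: two real hits, one allow-listed line, one safe line
const SAMPLE = [
  'const apiKey = "sk_live_EXAMPLE_PLACEHOLDER";',
  'if (password === "admin123") {',
  '  login();',
  '}',
  'const tokenHeader = "x-auth-token"; // secret-scan: allow',
  'const { username, password } = req.body;',
].join("\n");

for (const f of scanSource(SAMPLE)) {
  console.log(`line ${f.line} [${f.rule}]: ${f.text}`);
}
```

Running it over the constructed sample reports lines 1 and 2 only; the allow-listed header name and the server-side `req.body` line are not flagged.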