Tales from the Git: Automating the detection of secrets on code and assessing developers' passwords choices
Nikolaos Lykousas, Constantinos Patsakis

TL;DR
This study analyzes developers' passwords from public GitHub repositories, revealing they generally choose more secure passwords than typical users but still follow common patterns, highlighting the need for better awareness.
Contribution
First comprehensive analysis of developer password choices across programming languages and contexts, using a large-scale dataset from public repositories.
Findings
Developers tend to use more secure passwords than average users.
Password selection patterns are similar to those of typical users when context permits.
Publicly available passwords in cleartext highlight the need for increased security awareness.
Abstract
Typical users are known to use and reuse weak passwords. Yet, as cybersecurity concerns continue to rise, understanding the password practices of software developers becomes increasingly important. In this work, we examine developers' passwords on public repositories. Our dedicated crawler collected millions of passwords from public GitHub repositories; however, our focus is on their unique characteristics. To this end, this is the first study investigating the developer traits in password selection across different programming languages and contexts, e.g. email and database. Despite the fact that developers may have carelessly leaked their code on public repositories, our findings indicate that they tend to use significantly more secure passwords, regardless of the underlying programming language and context. Nevertheless, when the context allows, they often resort to similar password…
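The pipeline the abstract sketches (pull candidate passwords out of code, tag the context they are used in, and assess the choice) as an added illustration; this is not the authors' crawler, their dataset, or their scoring method. It assumes a small set of constructed file snippets standing in for repository content, a hand-picked common-password list, regex-based extraction of password-like assignments in a few common syntaxes, and a naive character-class entropy estimate as the strength proxy, all of which are choices made here for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample "source files" standing in for crawled repository content.
# The values are made up for this example; none come from the paper's crawl.
SAMPLE_FILES = {
    "config.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_PASSWORD = 'g7!Rz#pL2qWv'\n"
        "SMTP_PASSWORD = \"password123\"\n"
        "ADMIN_PASSWORD = os.environ.get(\"ADMIN_PASSWORD\")\n"
    ),
    "app.properties": (
        "spring.datasource.password=hunter2\n"
        "mail.smtp.password=${MAIL_PASS}\n"
    ),
    "db.js": "const conn = mysql.createConnection({password: 'Correct-Horse-Battery-9'});\n",
}

# A password-like key assigned a value, in three syntaxes:
#   KEY = 'value'   KEY: "value"   key=value (properties files)
SECRET_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_.]*(?:passw(?:or)?d|pwd|secret)[A-Za-z0-9_.]*)"
    r"\s*[:=]\s*"
    r"(?:['\"](?P<quoted>[^'\"\n]+)['\"]|(?P<bare>[^\s'\"]+))",
    re.IGNORECASE,
)

# Values that reference configuration rather than embedding a literal secret.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{.*\}|os\.environ|process\.env|<.*>|changeme)", re.IGNORECASE
)

# Context is inferred from the surrounding line (hypothetical hint words).
CONTEXT_HINTS = {
    "database": ("db", "datasource", "mysql", "postgres", "sql", "mongo", "redis"),
    "email": ("smtp", "mail", "imap"),
}

# Tiny stand-in for a real breached-password list (constructed).
COMMON_PASSWORDS = {"password", "password123", "hunter2", "123456", "qwerty", "admin", "letmein"}


@dataclass
class Finding:
    path: str
    line: int
    key: str
    value: str
    context: str
    is_placeholder: bool


def classify_context(line: str) -> str:
    """Tag a line as database/email/generic by hint words in the line."""
    low = line.lower()
    for ctx, hints in CONTEXT_HINTS.items():
        if any(h in low for h in hints):
            return ctx
    return "generic"


def find_secrets(files: dict) -> list:
    """Scan every line of every file for password-like assignments."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in SECRET_RE.finditer(line):
                value = m.group("quoted") or m.group("bare")
                findings.append(Finding(
                    path, lineno, m.group("key"), value,
                    classify_context(line), bool(PLACEHOLDER_RE.match(value)),
                ))
    return findings


def estimate_bits(pw: str) -> float:
    """Naive strength proxy: length * log2(size of the character pool used)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw: str):
    """Return (label, bits, reasons); any pattern hit forces 'weak'."""
    reasons = []
    bits = estimate_bits(pw)
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if re.fullmatch(r"[a-z]+\d{1,4}", pw):
        reasons.append("lowercase word followed by digits")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    label = "weak" if reasons else ("moderate" if bits < 60 else "strong")
    return label, round(bits, 1), reasons


def summarize(findings: list) -> dict:
    """Per-context counts of strength labels over literal (non-placeholder) values."""
    summary = {}
    for f in findings:
        if f.is_placeholder:
            continue
        label, _, _ = assess(f.value)
        summary.setdefault(f.context, {}).setdefault(label, 0)
        summary[f.context][label] += 1
    return summary


if __name__ == "__main__":
    found = find_secrets(SAMPLE_FILES)
    for f in found:
        note = "placeholder" if f.is_placeholder else assess(f.value)
        print(f"{f.path}:{f.line} [{f.context}] {f.key} -> {note}")
    print(summarize(found))
```

Placeholders such as `${MAIL_PASS}` are kept as findings but excluded from scoring, since a crawler that counted them would inflate the apparent number of leaked secrets; the entropy proxy is deliberately crude and is only a rough ordering aid, which is why the dictionary and pattern checks override it.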
Taxonomy
Topics: Advanced Malware Detection Techniques · User Authentication and Security Systems · Information and Cyber Security
