== Why is this an issue? include::../description.adoc[] === Noncompliant code example [source,php] ---- use Defuse\Crypto\KeyOrPassword; function createKey() { $password = "example"; return KeyOrPassword::createFromPassword($password); // Noncompliant } ---- === Compliant solution Modern web frameworks tend to provide a secure way to pass passwords and secrets to the code. For example, in Symfony you can use https://symfony.com/doc/current/configuration/secrets.html[vaults] to store your secrets. The secret values are referenced in the same way as environment variables, so you can easily access them through https://symfony.com/doc/current/configuration.html#configuration-parameters[configuration parameters]. [source,php] ---- use Defuse\Crypto\KeyOrPassword; class PasswordService { private string $password; public function setPassword(string $password): void { $this->password = $password; } public function createKey(): KeyOrPassword { return KeyOrPassword::createFromPassword($this->password); } } ---- == Resources * https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures * https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication * https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials * https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password * https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information * https://symfony.com/doc/current/configuration/env_var_processors.html[Symfony] - Environment Variable Processors * https://symfony.com/doc/current/configuration.html#configuration-parameters[Symfony] - Configuring Symfony * https://symfony.com/doc/current/configuration/secrets.html[Symfony] - How to Keep Sensitive Information Secret ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message Revoke and change this password, as it is compromised. === Highlighting Highlight the credential use and its initialization. ''' endif::env-github,rspecator-view[]