08-14-2025 01:58 AM
I was looking for options: what is the best way to detect if someone ingested sensitive information (a password, to be very specific) into free text fields? (Like adding a user-pwd combo into the Work notes of an incident.)
I found the Data Privacy plugin, but as far as I can see, it is good for credit card numbers and birthdays. Passwords are harder to catch, and it is easy to run into false-positive cases.
Does anyone know a good solution?
08-14-2025 02:42 AM
You already gave the answer yourself. Any 'check' on a free text field for passwords will return false positives, no matter how you do it.
You can of course do checks for phrases (password, credentials, pw, username, etc), but those are all general (and in multilingual instances even harder to check on). And the fields you have to check are also numerous (description, short description on task table(s) and all values in the sys_journal_field table). And still you can miss some (people not using any of the phrases/words, but still record a password).
And what to think of someone just adding their password as a single comment?
Regex can help to some level (checking on minimal required characters), but that won't help if someone says they can't log in to an application without a pw policy.
I think AI could help you here, but I think it will be something custom and also run your license fee up.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
08-14-2025 02:46 AM
Not possible, as the user can enter anything in a text field.
It may or may not be a password.
You are not storing passwords anywhere in the instance, so you cannot compare them against what the user entered.
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
08-14-2025 02:56 AM
Thank you for marking my response as helpful.
If my response helped please close the thread by marking appropriate response(s) as correct so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader
08-14-2025 03:15 AM
If you know the pattern followed by your organization to set up passwords, a regex can be built and applied on the client or server side to stop users entering passwords.
W.r.t. your concern about false positives, that is always the case in such solutions, but you will have to live with that if this has to be implemented.
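
The keyword-plus-regex checks discussed in this thread, as an added JavaScript example that is not part of any post and is not ServiceNow code: it scores a note as `high`, `review` or `none`, and the constructed sample notes show one hit, one bare-password comment, one false positive and one miss. The keyword list, the 8-character / three-character-class policy and all function names are assumptions.

```javascript
// Added example, not ServiceNow code. Keyword list (English only) and the
// password policy below are assumptions; adjust to your organization.
const KEYWORDS = /\b(password|passwd|pwd|pw|credentials?|username|user)\b/i;

// Assumed policy: 8-64 chars with at least 3 of 4 character classes.
function looksLikePassword(token) {
  if (token.length < 8 || token.length > 64) return false;
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  return classes.filter((re) => re.test(token)).length >= 3;
}

// Returns { level, candidates }:
//   high   - policy-shaped token and a credential keyword in the same note
//   review - policy-shaped token with no keyword (e.g. a bare password comment)
//   none   - nothing policy-shaped, even if a keyword is present
function scanNote(text) {
  const candidates = text
    .split(/\s+/)
    .map((t) => t.replace(/^[("'\[]+|[)"'\].,;:]+$/g, "")) // trim wrapping punctuation
    .filter(looksLikePassword);
  let level = "none";
  if (candidates.length > 0) level = KEYWORDS.test(text) ? "high" : "review";
  return { level, candidates };
}

// Constructed work-note samples (not real data).
const SAMPLES = {
  hit: "User cannot log in. user/pwd: jdoe / Summer2025!",
  bareComment: "Tr0ub4dor&3xyz",
  falsePositive: "Server build Win2019-SP1 failed, password reset link sent",
  miss: "my pw is sunshine",
};

// Scan every sample and return its level keyed by sample name.
function scanSamples() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) out[name] = scanNote(text).level;
  return out;
}

console.log(scanSamples());
```

The `falsePositive` sample scores `high` because a build label has the same shape as a policy-compliant password, and the `miss` sample scores `none` because the password does not follow the assumed policy.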