From 58b37d6d0ada548963b355a1cc4342af320a7ebb Mon Sep 17 00:00:00 2001 From: Kevin Pilch Date: Thu, 18 Mar 2021 13:47:55 -0700 Subject: [PATCH] Fix credscan issues in aspnetcore (#30337) * Fix credscan issues in DataProtection * Fix credscan issues in Identity, except where they affect checked in certs * Updated scan --- .../Tests/WebAssemblyAuthenticationTests.cs | 18 +++--- ...tedEncryptorDescriptorDeserializerTests.cs | 8 ++- .../AuthenticatedEncryptorDescriptorTests.cs | 17 ++--- ...tedEncryptorDescriptorDeserializerTests.cs | 8 ++- ...bcAuthenticatedEncryptorDescriptorTests.cs | 17 ++--- ...tedEncryptorDescriptorDeserializerTests.cs | 8 ++- ...cmAuthenticatedEncryptorDescriptorTests.cs | 17 ++--- ...tedEncryptorDescriptorDeserializerTests.cs | 33 +++++----- ...edAuthenticatedEncryptorDescriptorTests.cs | 35 +++++------ .../test/EF.Test/DefaultPocoTest.cs | 2 +- .../test/EF.Test/UserOnlyCustomContextTest.cs | 2 +- .../test/EF.Test/UserOnlyTest.cs | 4 +- .../Identity.FunctionalTests/LoginTests.cs | 34 +++++----- .../ManagementTests.cs | 27 ++++---- .../RegistrationTests.cs | 8 +-- .../test/Identity.Test/SignInManagerTest.cs | 62 +++++++++---------- .../test/InMemory.Test/ControllerTest.cs | 2 +- .../test/InMemory.Test/FunctionalTest.cs | 2 +- 18 files changed, 153 insertions(+), 151 deletions(-) diff --git a/src/Components/test/E2ETest/Tests/WebAssemblyAuthenticationTests.cs b/src/Components/test/E2ETest/Tests/WebAssemblyAuthenticationTests.cs index 171c82c20666..b3c1d12accc0 100644 --- a/src/Components/test/E2ETest/Tests/WebAssemblyAuthenticationTests.cs +++ b/src/Components/test/E2ETest/Tests/WebAssemblyAuthenticationTests.cs @@ -80,7 +80,7 @@ public void AnonymousUser_GetsRedirectedToLogin_AndBackToOriginalProtectedResour ClickAndNavigate(link, page); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; FirstTimeRegister(userName, password); 
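Review bot: The new `var password = $"[PLACEHOLDER]-1a";` keeps the `$` prefix although the string has no interpolation holes, and the same literal is repeated in all nine hunks of this file and again in the LoginTests.cs and ManagementTests.cs hunks. A single class-level constant, for example `private const string TestPassword = "[PLACEHOLDER]-1a";`, would give credential-scan tooling and future maintainers one place to look. A short comment on it could say that the value is a non-secret placeholder and that the `-1a` suffix is presumably there to satisfy the password complexity rules, which are not visible in this diff. Each test method starts and ends outside its hunk.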
@@ -98,7 +98,7 @@ public void CanPreserveApplicationState_DuringLogIn() ClickAndNavigate(link, page); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; FirstTimeRegister(userName, password); @@ -118,7 +118,7 @@ public void CanShareUserRolesBetweenClientAndServer() ClickAndNavigate(By.PartialLinkText("Log in"), "/Identity/Account/Login"); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; FirstTimeRegister(userName, password); ClickAndNavigate(By.PartialLinkText("Make admin"), "/new-admin"); @@ -143,7 +143,7 @@ public void AnonymousUser_CanRegister_AndGetLoggedIn() ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register"); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; RegisterCore(userName, password); CompleteProfileDetails(); @@ -160,7 +160,7 @@ public void AuthenticatedUser_ProfileIncludesDetails_And_AccessToken() ClickAndNavigate(By.PartialLinkText("User"), "/Identity/Account/Login"); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; FirstTimeRegister(userName, password); Browser.Contains("user", () => Browser.Url); @@ -215,7 +215,7 @@ public void AuthenticatedUser_CanGoToProfile() ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register"); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; RegisterCore(userName, password); CompleteProfileDetails(); 
@@ -257,7 +257,7 @@ public void NewlyRegisteredUser_CanLogOut() ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register"); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; RegisterCore(userName, password); CompleteProfileDetails(); @@ -270,7 +270,7 @@ public void AlreadyRegisteredUser_CanLogOut() ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register"); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; RegisterCore(userName, password); CompleteProfileDetails(); @@ -296,7 +296,7 @@ public void LoggedInUser_OnTheIdP_CanLogInSilently() ClickAndNavigate(By.PartialLinkText("Register"), "/Identity/Account/Register"); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; RegisterCore(userName, password); CompleteProfileDetails(); ValidateLoggedIn(userName); diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs index e7ef5d69c74f..fb4c9189f4ac 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Text; using System.Xml.Linq; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.Logging.Abstractions; 
@@ -15,20 +16,21 @@ public class AuthenticatedEncryptorDescriptorDeserializerTests public void ImportFromXml_Cbc_CreatesAppropriateDescriptor() { // Arrange + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new AuthenticatedEncryptorDescriptor( new AuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm = ValidationAlgorithm.HMACSHA512 }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + masterKey.ToSecret()); var control = CreateEncryptorInstanceFromDescriptor(descriptor); - const string xml = @" + var xml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; var deserializedDescriptor = new AuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as AuthenticatedEncryptorDescriptor); diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs index e7dac35da21d..5983ab6d9c26 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs @@ -4,6 +4,7 @@ using System; using System.Globalization; using System.Security.Cryptography; +using System.Text; using System.Text.RegularExpressions; using Microsoft.AspNetCore.Cryptography.Cng; using Microsoft.AspNetCore.Cryptography.SafeHandles; 
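Review bot: The replacement master key is the 13 UTF-8 bytes of `[PLACEHOLDER]`, while the removed base64 literal decoded to 64 bytes, so `CreateEncryptorInstanceFromDescriptor` now builds both the control and the deserialized encryptor from a much shorter key. Whether any code path enforces or depends on a minimum key length is not visible in this hunk. If the 512-bit length matters to what the test covers, a visibly fake value of the same size such as `Convert.ToBase64String(Encoding.UTF8.GetBytes(new string('x', 64)))` keeps it; otherwise a comment on the `masterKey` line stating that the value is a non-secret placeholder and that its length is not under test would record the intent. The same expression is repeated in the other DataProtection descriptor and deserializer test hunks of this commit, so a shared test helper would also remove the duplication. The test method continues past the end of the hunk.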
@@ -144,20 +145,20 @@ public void CreateAuthenticatedEncryptor_RoundTripsData_ManagedImplementation( public void ExportToXml_ProducesCorrectPayload_Cbc() { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); + var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_CBC, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - const string expectedXml = @" + var expectedXml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); @@ -167,20 +168,20 @@ public void ExportToXml_ProducesCorrectPayload_Cbc() public void ExportToXml_ProducesCorrectPayload_Gcm() { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); - var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); + var descriptor = CreateDescriptor(EncryptionAlgorithm.AES_192_GCM, ValidationAlgorithm.HMACSHA512, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(AuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - const string expectedXml = @" + var expectedXml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); 
diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs index 483567e815d8..c56ec763d53d 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Text; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.KeyManagement; @@ -18,6 +19,7 @@ public class CngCbcAuthenticatedEncryptorDescriptorDeserializerTests [ConditionalRunTestOnlyOnWindows] public void ImportFromXml_CreatesAppropriateDescriptor() { + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); // Arrange var descriptor = new CngCbcAuthenticatedEncryptorDescriptor( new CngCbcAuthenticatedEncryptorConfiguration() 
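Review bot: In `ImportFromXml_CreatesAppropriateDescriptor` the added `var masterKey = …` line sits above the `// Arrange` comment, whereas the other deserializer tests changed in this commit place it directly below that comment. Moving it under `// Arrange` keeps the arrange/act/assert sections consistent across the test files. The method body continues outside this hunk.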
@@ -28,14 +30,14 @@ public void ImportFromXml_CreatesAppropriateDescriptor() HashAlgorithm = Constants.BCRYPT_SHA512_ALGORITHM, HashAlgorithmProvider = null }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + masterKey.ToSecret()); var control = CreateEncryptorInstanceFromDescriptor(descriptor); - const string xml = @" + var xml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; var deserializedDescriptor = new CngCbcAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngCbcAuthenticatedEncryptorDescriptor); diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs index 090465fb136e..6e251e03e9fb 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorDescriptorTests.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Text; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel 
@@ -12,7 +13,7 @@ public class CngCbcAuthenticatedEncryptorDescriptorTests public void ExportToXml_WithProviders_ProducesCorrectPayload() { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", @@ -20,19 +21,19 @@ public void ExportToXml_WithProviders_ProducesCorrectPayload() EncryptionAlgorithmProvider = "enc-alg-prov", HashAlgorithm = "hash-alg", HashAlgorithmProvider = "hash-alg-prov" - }, masterKey); + }, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(CngCbcAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - const string expectedXml = @" + var expectedXml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); 
@@ -42,25 +43,25 @@ public void ExportToXml_WithProviders_ProducesCorrectPayload() public void ExportToXml_WithoutProviders_ProducesCorrectPayload() { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new CngCbcAuthenticatedEncryptorDescriptor(new CngCbcAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, HashAlgorithm = "hash-alg" - }, masterKey); + }, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(CngCbcAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - const string expectedXml = @" + var expectedXml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs index ca81db58461e..dff9d40e634d 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Text; using System.Xml.Linq; using Microsoft.AspNetCore.Cryptography; using Microsoft.AspNetCore.DataProtection.KeyManagement; 
@@ -19,6 +20,7 @@ public class CngGcmAuthenticatedEncryptorDescriptorDeserializerTests public void ImportFromXml_CreatesAppropriateDescriptor() { // Arrange + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new CngGcmAuthenticatedEncryptorDescriptor( new CngGcmAuthenticatedEncryptorConfiguration() { @@ -26,13 +28,13 @@ public void ImportFromXml_CreatesAppropriateDescriptor() EncryptionAlgorithmKeySize = 192, EncryptionAlgorithmProvider = null }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + masterKey.ToSecret()); var control = CreateEncryptorInstanceFromDescriptor(descriptor); - const string xml = @" + var xml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; var deserializedDescriptor = new CngGcmAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as CngGcmAuthenticatedEncryptorDescriptor); diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs index 933f7e7d8564..16fcfd2cd74d 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorDescriptorTests.cs @@ -2,6 +2,7 @@ // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. using System; +using System.Text; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel 
@@ -12,24 +13,24 @@ public class CngGcmAuthenticatedEncryptorDescriptorTests public void ExportToXml_WithProviders_ProducesCorrectPayload() { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048, EncryptionAlgorithmProvider = "enc-alg-prov" - }, masterKey); + }, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(CngGcmAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - const string expectedXml = @" + var expectedXml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); @@ -39,23 +40,23 @@ public void ExportToXml_WithProviders_ProducesCorrectPayload() public void ExportToXml_WithoutProviders_ProducesCorrectPayload() { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new CngGcmAuthenticatedEncryptorDescriptor(new CngGcmAuthenticatedEncryptorConfiguration() { EncryptionAlgorithm = "enc-alg", EncryptionAlgorithmKeySize = 2048 - }, masterKey); + }, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(CngGcmAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - const string expectedXml = @" + var expectedXml = $@" - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); 
diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs index ef2604e8ec2e..7e1f98c64b45 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorDeserializerTests.cs @@ -4,6 +4,7 @@ using System; using System.Globalization; using System.Security.Cryptography; +using System.Text; using System.Xml.Linq; using Microsoft.AspNetCore.DataProtection.KeyManagement; using Microsoft.Extensions.Logging.Abstractions; @@ -21,6 +22,7 @@ public class ManagedAuthenticatedEncryptorDescriptorDeserializerTests public void ImportFromXml_BuiltInTypes_CreatesAppropriateDescriptor(Type encryptionAlgorithmType, Type validationAlgorithmType) { // Arrange + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new ManagedAuthenticatedEncryptorDescriptor( new ManagedAuthenticatedEncryptorConfiguration() { 
@@ -28,20 +30,17 @@ public void ImportFromXml_BuiltInTypes_CreatesAppropriateDescriptor(Type encrypt EncryptionAlgorithmKeySize = 192, ValidationAlgorithmType = validationAlgorithmType }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + masterKey.ToSecret()); var control = CreateEncryptorInstanceFromDescriptor(descriptor); - string xml = string.Format( - CultureInfo.InvariantCulture, - @" + var xml = $@" - - + + - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} - ", - encryptionAlgorithmType.Name, validationAlgorithmType.Name); + "; var deserializedDescriptor = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as ManagedAuthenticatedEncryptorDescriptor); @@ -57,6 +56,7 @@ public void ImportFromXml_BuiltInTypes_CreatesAppropriateDescriptor(Type encrypt public void ImportFromXml_CustomType_CreatesAppropriateDescriptor() { // Arrange + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new ManagedAuthenticatedEncryptorDescriptor( new ManagedAuthenticatedEncryptorConfiguration() { 
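Review bot: With `string.Format(CultureInfo.InvariantCulture, …)` removed here and in the `-64,20` hunk below, `using System.Globalization;` may no longer have any use in this file, and the same may hold for ManagedAuthenticatedEncryptorDescriptorTests.cs. The rest of both files is outside the diff, so this needs checking before the directive is dropped. The test method starts before and ends after the hunk.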
@@ -64,20 +64,17 @@ public void ImportFromXml_CustomType_CreatesAppropriateDescriptor() EncryptionAlgorithmKeySize = 192, ValidationAlgorithmType = typeof(HMACSHA384) }, - "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret()); + masterKey.ToSecret()); var control = CreateEncryptorInstanceFromDescriptor(descriptor); - string xml = string.Format( - CultureInfo.InvariantCulture, - @" + var xml = $@" - - + + - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} - ", - typeof(Aes).AssemblyQualifiedName, typeof(HMACSHA384).AssemblyQualifiedName); + "; var deserializedDescriptor = new ManagedAuthenticatedEncryptorDescriptorDeserializer().ImportFromXml(XElement.Parse(xml)); var test = CreateEncryptorInstanceFromDescriptor(deserializedDescriptor as ManagedAuthenticatedEncryptorDescriptor); diff --git a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs index 6d92fcf7ddbc..40be1899c1a8 100644 --- a/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs +++ b/src/DataProtection/DataProtection/test/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorDescriptorTests.cs @@ -4,6 +4,7 @@ using System; using System.Globalization; using System.Security.Cryptography; +using System.Text; using Xunit; namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel 
@@ -14,30 +15,27 @@ public class ManagedAuthenticatedEncryptorDescriptorTests public void ExportToXml_CustomTypes_ProducesCorrectPayload() { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = typeof(MySymmetricAlgorithm), EncryptionAlgorithmKeySize = 2048, ValidationAlgorithmType = typeof(MyKeyedHashAlgorithm) - }, masterKey); + }, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(ManagedAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - string expectedXml = string.Format( - CultureInfo.InvariantCulture, - @" + var expectedXml = $@" - - + + - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} - ", - typeof(MySymmetricAlgorithm).AssemblyQualifiedName, typeof(MyKeyedHashAlgorithm).AssemblyQualifiedName); + "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); } 
@@ -49,30 +47,27 @@ public void ExportToXml_CustomTypes_ProducesCorrectPayload() public void ExportToXml_BuiltInTypes_ProducesCorrectPayload(Type encryptionAlgorithmType, Type validationAlgorithmType) { // Arrange - var masterKey = "k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA==".ToSecret(); + var masterKey = Convert.ToBase64String(Encoding.UTF8.GetBytes("[PLACEHOLDER]")); var descriptor = new ManagedAuthenticatedEncryptorDescriptor(new ManagedAuthenticatedEncryptorConfiguration() { EncryptionAlgorithmType = encryptionAlgorithmType, EncryptionAlgorithmKeySize = 2048, ValidationAlgorithmType = validationAlgorithmType - }, masterKey); + }, masterKey.ToSecret()); // Act var retVal = descriptor.ExportToXml(); // Assert Assert.Equal(typeof(ManagedAuthenticatedEncryptorDescriptorDeserializer), retVal.DeserializerType); - string expectedXml = string.Format( - CultureInfo.InvariantCulture, - @" + var expectedXml = $@" - - + + - k88VrwGLINfVAqzlAp7U4EAjdlmUG17c756McQGdjHU8Ajkfc/A3YOKdqlMcF6dXaIxATED+g2f62wkRRRRRzA== + {masterKey} - ", - encryptionAlgorithmType.Name, validationAlgorithmType.Name); + "; XmlAssert.Equal(expectedXml, retVal.SerializedDescriptorElement); } diff --git a/src/Identity/EntityFrameworkCore/test/EF.Test/DefaultPocoTest.cs b/src/Identity/EntityFrameworkCore/test/EF.Test/DefaultPocoTest.cs index 7d16e21ea00a..7a6fb129c969 100644 --- a/src/Identity/EntityFrameworkCore/test/EF.Test/DefaultPocoTest.cs +++ b/src/Identity/EntityFrameworkCore/test/EF.Test/DefaultPocoTest.cs @@ -50,7 +50,7 @@ public async Task EnsureStartupUsageWorks() Assert.NotNull(userManager); const string userName = "admin"; - const string password = "1qaz@WSX"; + const string password = "[PLACEHOLDER]-1a"; var user = new IdentityUser { UserName = userName }; IdentityResultAssert.IsSuccess(await userManager.CreateAsync(user, password)); IdentityResultAssert.IsSuccess(await userManager.DeleteAsync(user)); 
diff --git a/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyCustomContextTest.cs b/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyCustomContextTest.cs index e59988136ae7..763a16d475c5 100644 --- a/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyCustomContextTest.cs +++ b/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyCustomContextTest.cs @@ -95,7 +95,7 @@ public async Task EnsureStartupUsageWorks() Assert.NotNull(userManager); const string userName = "admin"; - const string password = "1qaz@WSX"; + const string password = "[PLACEHOLDER]-1a"; var user = new IdentityUser { UserName = userName }; IdentityResultAssert.IsSuccess(await userManager.CreateAsync(user, password)); IdentityResultAssert.IsSuccess(await userManager.DeleteAsync(user)); diff --git a/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyTest.cs b/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyTest.cs index 0cd5c40fd8e8..13d0e85e04fc 100644 --- a/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyTest.cs +++ b/src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyTest.cs @@ -57,7 +57,7 @@ public async Task EnsureStartupUsageWorks() Assert.NotNull(userManager); const string userName = "admin"; - const string password = "1qaz@WSX"; + const string password = "[PLACEHOLDER]-1a"; var user = new IdentityUser { UserName = userName }; IdentityResultAssert.IsSuccess(await userManager.CreateAsync(user, password)); IdentityResultAssert.IsSuccess(await userManager.DeleteAsync(user)); @@ -74,7 +74,7 @@ public async Task FindByEmailThrowsWithTwoUsersWithSameEmail() var userA = new IdentityUser(Guid.NewGuid().ToString()); userA.Email = "dupe@dupe.com"; - const string password = "1qaz@WSX"; + const string password = "[PLACEHOLDER]-1a"; IdentityResultAssert.IsSuccess(await manager.CreateAsync(userA, password)); var userB = new IdentityUser(Guid.NewGuid().ToString()); userB.Email = "dupe@dupe.com"; 
diff --git a/src/Identity/test/Identity.FunctionalTests/LoginTests.cs b/src/Identity/test/Identity.FunctionalTests/LoginTests.cs index bb7529a3a6c2..7a7b0b59fce4 100644 --- a/src/Identity/test/Identity.FunctionalTests/LoginTests.cs +++ b/src/Identity/test/Identity.FunctionalTests/LoginTests.cs @@ -31,7 +31,7 @@ public async Task CanLogInWithAPreviouslyRegisteredUser() var newClient = ServerFactory.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; // Act & Assert await UserStories.RegisterNewUserAsync(client, userName, password); @@ -54,7 +54,7 @@ void ConfigureTestServices(IServiceCollection services) => var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; // Act & Assert await UserStories.RegisterNewUserAsync(client, userName, password); @@ -71,7 +71,7 @@ public async Task CanLogInWithTwoFactorAuthentication() var newClient = ServerFactory.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); var showRecoveryCodes = await UserStories.EnableTwoFactorAuthentication(loggedIn); @@ -97,7 +97,7 @@ void ConfigureTestServices(IServiceCollection services) => var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); var showRecoveryCodes = await UserStories.EnableTwoFactorAuthentication(loggedIn); 
@@ -117,7 +117,7 @@ public async Task CanLogInWithRecoveryCode() var newClient = ServerFactory.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); var showRecoveryCodes = await UserStories.EnableTwoFactorAuthentication(loggedIn); @@ -142,7 +142,7 @@ void ConfigureTestServices(IServiceCollection services) => var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); var showRecoveryCodes = await UserStories.EnableTwoFactorAuthentication(loggedIn); @@ -169,7 +169,7 @@ void ConfigureTestServices(IServiceCollection services) => services var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -194,7 +194,7 @@ void ConfigureTestServices(IServiceCollection services) => services var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -218,7 +218,7 @@ void ConfigureTestServices(IServiceCollection services) => services var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); 
@@ -245,7 +245,7 @@ void ConfigureTestServices(IServiceCollection services) => services var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -273,7 +273,7 @@ void ConfigureTestServices(IServiceCollection services) => services var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -343,8 +343,8 @@ void ConfigureTestServices(IServiceCollection services) => services var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; - var newPassword = $"!New.Password1$"; + var password = $"[PLACEHOLDER]-1a"; + var newPassword = $"[PLACEHOLDER]-1a-updated"; await UserStories.RegisterNewUserAsync(client, userName, password); var registrationEmail = Assert.Single(emailSender.SentEmails); @@ -373,8 +373,8 @@ void ConfigureTestServices(IServiceCollection services) => var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; - var newPassword = $"!New.Password1$"; + var password = $"[PLACEHOLDER]-1a"; + var newPassword = $"[PLACEHOLDER]-1a-updated"; await UserStories.RegisterNewUserAsync(client, userName, password); var registrationEmail = Assert.Single(emailSender.SentEmails); 
@@ -402,8 +402,8 @@ void ConfigureTestServices(IServiceCollection services) => var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; - var wrongPassword = $"!Wrong.Password1$"; + var password = $"[PLACEHOLDER]-1a"; + var wrongPassword = $"[PLACEHOLDER]-1a-wrong"; await UserStories.RegisterNewUserAsync(client, userName, password); var registrationEmail = Assert.Single(emailSender.SentEmails); diff --git a/src/Identity/test/Identity.FunctionalTests/ManagementTests.cs b/src/Identity/test/Identity.FunctionalTests/ManagementTests.cs index 6bb5c8e64d32..2325fe6fea90 100644 --- a/src/Identity/test/Identity.FunctionalTests/ManagementTests.cs +++ b/src/Identity/test/Identity.FunctionalTests/ManagementTests.cs @@ -38,7 +38,7 @@ public async Task CanEnableTwoFactorAuthentication() .CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var index = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -54,7 +54,7 @@ public async Task CannotEnableTwoFactorAuthenticationWithoutCookieConsent() .CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var index = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -75,7 +75,7 @@ void ConfigureTestServices(IServiceCollection services) => var client = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var index = await UserStories.RegisterNewUserAsync(client, userName, password); var manageIndex = await UserStories.SendEmailConfirmationLinkAsync(index); 
@@ -101,7 +101,7 @@ void ConfigureTestServices(IServiceCollection services) => var failedClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var newEmail = "updatedEmail@example.com"; var index = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -132,19 +132,20 @@ void ConfigureTestServices(IServiceCollection services) => var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = "!Test.Password1"; + var password = "[PLACEHOLDER]-1a"; + var newPassword = "[PLACEHOLDER]-1a-updated"; var index = await UserStories.RegisterNewUserAsync(client, userName, password); // Act 1 - var changedPassword = await UserStories.ChangePasswordAsync(index, "!Test.Password1", "!Test.Password2"); + var changedPassword = await UserStories.ChangePasswordAsync(index, password, newPassword); // Assert 1 // RefreshSignIn generates a new security stamp claim AssertClaimsNotEqual(principals[0], principals[1], "AspNet.Identity.SecurityStamp"); // Act 2 - await UserStories.LoginExistingUserAsync(newClient, userName, "!Test.Password2"); + await UserStories.LoginExistingUserAsync(newClient, userName, newPassword); // Assert 2 // Signing in again with a different client uses the same security stamp claim @@ -180,7 +181,7 @@ void ConfigureTestServices(IServiceCollection services) => Assert.NotNull(principals[1].Identities.Single().Claims.Single(c => c.Type == ClaimTypes.AuthenticationMethod).Value); // Act 2 - await UserStories.SetPasswordAsync(index, "!Test.Password2"); + await UserStories.SetPasswordAsync(index, "[PLACEHOLDER]-1a-updated"); // Assert 2 // RefreshSignIn uses the same AuthenticationMethod claim value 
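Review bot: The value passed to `SetPasswordAsync` in the `@@ -180,7 +181,7 @@` hunk and the one passed to `LoginExistingUserAsync` in the following `@@ -188,7 +189,7 @@` hunk are two separate copies of `"[PLACEHOLDER]-1a-updated"`, and they must stay identical for the "Can log in with the password set above" step to hold. The `@@ -132,19 +132,20 @@` hunk in the same file already replaces such repeats with a `newPassword` local. Doing the same here, with `var newPassword = "[PLACEHOLDER]-1a-updated";` passed to both calls, would keep the two in step. The test method starts before this hunk, so the declaration would go in the part not shown.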
@@ -188,7 +189,7 @@ void ConfigureTestServices(IServiceCollection services) => // Act & Assert 3 // Can log in with the password set above - await UserStories.LoginExistingUserAsync(loginAfterSetPasswordClient, email, "!Test.Password2"); + await UserStories.LoginExistingUserAsync(loginAfterSetPasswordClient, email, "[PLACEHOLDER]-1a-updated"); } [Fact] @@ -211,7 +212,7 @@ void ConfigureTestServices(IServiceCollection services) => var email = $"{guid}@example.com"; // Act - var index = await UserStories.RegisterNewUserAsync(client, email, "!TestPassword1"); + var index = await UserStories.RegisterNewUserAsync(client, email, "[PLACEHOLDER]-1a"); var linkLogin = await UserStories.LinkExternalLoginAsync(index, email); await UserStories.RemoveExternalLoginAsync(linkLogin, email); @@ -258,7 +259,7 @@ void ConfigureTestServices(IServiceCollection services) => var newClient = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; // Act var loggedIn = await UserStories.RegisterNewUserAsync(client, userName, password); @@ -295,7 +296,7 @@ void ConfigureTestServices(IServiceCollection services) => var index = social ? await UserStories.RegisterNewUserWithSocialLoginAsync(client, userName, email) - : await UserStories.RegisterNewUserAsync(client, email, "!TestPassword1"); + : await UserStories.RegisterNewUserAsync(client, email, "[PLACEHOLDER]-1a"); if (twoFactor) { @@ -362,7 +363,7 @@ public async Task CanDeleteUser() .CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; var index = await UserStories.RegisterNewUserAsync(client, userName, password); diff --git a/src/Identity/test/Identity.FunctionalTests/RegistrationTests.cs b/src/Identity/test/Identity.FunctionalTests/RegistrationTests.cs index 55d3cb693f51..8292f1dc1e73 100644 --- a/src/Identity/test/Identity.FunctionalTests/RegistrationTests.cs 
+++ b/src/Identity/test/Identity.FunctionalTests/RegistrationTests.cs @@ -34,7 +34,7 @@ public async Task CanRegisterAUser() .CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; // Act & Assert await UserStories.RegisterNewUserAsync(client, userName, password); @@ -52,7 +52,7 @@ public async Task CanRegisterAUserWithRequiredConfirmation() var client2 = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; // Act & Assert var register = await UserStories.RegisterNewUserAsyncWithConfirmation(client, userName, password); @@ -84,7 +84,7 @@ void ConfigureTestServices(IServiceCollection services) { var client2 = server.CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; // Act & Assert var register = await UserStories.RegisterNewUserAsyncWithConfirmation(client, userName, password, hasRealEmailSender: true); @@ -105,7 +105,7 @@ void ConfigureTestServices(IServiceCollection services) => .CreateClient(); var userName = $"{Guid.NewGuid()}@example.com"; - var password = $"!Test.Password1$"; + var password = $"[PLACEHOLDER]-1a"; // Act & Assert await UserStories.RegisterNewUserAsync(client, userName, password); diff --git a/src/Identity/test/Identity.Test/SignInManagerTest.cs b/src/Identity/test/Identity.Test/SignInManagerTest.cs index c65f9900a5a7..89090591b0c3 100644 --- a/src/Identity/test/Identity.Test/SignInManagerTest.cs +++ b/src/Identity/test/Identity.Test/SignInManagerTest.cs @@ -54,7 +54,7 @@ public class SignInManagerTest // { // UserName = "Yolo" // }; - // const string password = "Yol0Sw@g!"; + // const string password = "[PLACEHOLDER]-1a"; // var userManager = app.ApplicationServices.GetRequiredService(); // var HttpSignInManager = app.ApplicationServices.GetRequiredService(); 
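Review bot: The changed line `// const string password = "[PLACEHOLDER]-1a";` in SignInManagerTest.cs sits inside commented-out code, so the scanner finding is cleared by editing text that never compiles or runs. Deleting the commented-out block would remove the finding for good and keep it from resurfacing if the scanner's patterns change; the old test stays available in version history. The block starts before this hunk and continues past it, so its full extent is not visible here.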
@@ -127,7 +127,7 @@ public async Task PasswordSignInReturnsLockedOutWhenLockedOut() var helper = new SignInManager(manager.Object, contextAccessor.Object, claimsFactory, options.Object, logger, new Mock().Object, new DefaultUserConfirmation()); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "bogus", false, false); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-bogus1", false, false); // Assert Assert.False(result.Succeeded); @@ -157,7 +157,7 @@ public async Task CheckPasswordSignInReturnsLockedOutWhenLockedOut() var helper = new SignInManager(manager.Object, contextAccessor.Object, claimsFactory, options.Object, logger, new Mock().Object, new DefaultUserConfirmation()); // Act - var result = await helper.CheckPasswordSignInAsync(user, "bogus", false); + var result = await helper.CheckPasswordSignInAsync(user, "[PLACEHOLDER]-bogus1", false); // Assert Assert.False(result.Succeeded); @@ -201,14 +201,14 @@ public async Task CanPasswordSignIn(bool isPersistent) var manager = SetupUserManager(user); manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); var context = new DefaultHttpContext(); var auth = MockAuth(context); SetupSignIn(context, auth, user.Id, isPersistent, loginProvider: null, amr: "pwd"); var helper = SetupSignInManager(manager.Object, context); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "password", isPersistent, false); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-1a", isPersistent, false); // Assert Assert.True(result.Succeeded); 
@@ -224,7 +224,7 @@ public async Task CanPasswordSignInWithNoLogger() var manager = SetupUserManager(user); manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); var context = new DefaultHttpContext(); var auth = MockAuth(context); @@ -232,7 +232,7 @@ public async Task CanPasswordSignInWithNoLogger() var helper = SetupSignInManager(manager.Object, context); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "password", false, false); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-1a", false, false); // Assert Assert.True(result.Succeeded); @@ -249,7 +249,7 @@ public async Task PasswordSignInWorksWithNonTwoFactorStore() var manager = SetupUserManager(user); manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); manager.Setup(m => m.ResetAccessFailedCountAsync(user)).ReturnsAsync(IdentityResult.Success).Verifiable(); var context = new DefaultHttpContext(); @@ -258,7 +258,7 @@ public async Task PasswordSignInWorksWithNonTwoFactorStore() var helper = SetupSignInManager(manager.Object, context); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "password", false, false); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-1a", false, false); // Assert Assert.True(result.Succeeded); 
@@ -278,7 +278,7 @@ public async Task CheckPasswordOnlyResetLockoutWhenTfaNotEnabledOrRemembered(boo manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable(); manager.Setup(m => m.SupportsUserTwoFactor).Returns(tfaEnabled).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); var context = new DefaultHttpContext(); var auth = MockAuth(context); @@ -304,7 +304,7 @@ public async Task CheckPasswordOnlyResetLockoutWhenTfaNotEnabledOrRemembered(boo // Act var helper = SetupSignInManager(manager.Object, context); - var result = await helper.CheckPasswordSignInAsync(user, "password", false); + var result = await helper.CheckPasswordSignInAsync(user, "[PLACEHOLDER]-1a", false); // Assert Assert.True(result.Succeeded); @@ -321,14 +321,14 @@ public async Task CheckPasswordAlwaysResetLockoutWhenQuirked() var manager = SetupUserManager(user); manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); manager.Setup(m => m.ResetAccessFailedCountAsync(user)).ReturnsAsync(IdentityResult.Success).Verifiable(); var context = new DefaultHttpContext(); var helper = SetupSignInManager(manager.Object, context); // Act - var result = await helper.CheckPasswordSignInAsync(user, "password", false); + var result = await helper.CheckPasswordSignInAsync(user, "[PLACEHOLDER]-1a", false); // Assert Assert.True(result.Succeeded); 
@@ -355,7 +355,7 @@ public async Task PasswordSignInRequiresVerification(bool supportsLockout) manager.Setup(m => m.GetValidTwoFactorProvidersAsync(user)).Returns(Task.FromResult(providers)).Verifiable(); manager.Setup(m => m.SupportsUserTwoFactor).Returns(true).Verifiable(); manager.Setup(m => m.GetTwoFactorEnabledAsync(user)).ReturnsAsync(true).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); manager.Setup(m => m.GetValidTwoFactorProvidersAsync(user)).ReturnsAsync(new string[1] { "Fake" }).Verifiable(); var context = new DefaultHttpContext(); var helper = SetupSignInManager(manager.Object, context); @@ -365,7 +365,7 @@ public async Task PasswordSignInRequiresVerification(bool supportsLockout) It.IsAny())).Returns(Task.FromResult(0)).Verifiable(); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "password", false, false); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-1a", false, false); // Assert Assert.False(result.Succeeded); @@ -717,7 +717,7 @@ public async Task RememberBrowserSkipsTwoFactorVerificationSignIn(bool isPersist manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.SupportsUserTwoFactor).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); var context = new DefaultHttpContext(); var auth = MockAuth(context); SetupSignIn(context, auth); 
@@ -728,7 +728,7 @@ public async Task RememberBrowserSkipsTwoFactorVerificationSignIn(bool isPersist var helper = SetupSignInManager(manager.Object, context); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "password", isPersistent, false); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-1a", isPersistent, false); // Assert Assert.True(result.Succeeded); @@ -770,14 +770,14 @@ public async Task PasswordSignInFailsWithWrongPassword() var manager = SetupUserManager(user); manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).ReturnsAsync(false).Verifiable(); - manager.Setup(m => m.CheckPasswordAsync(user, "bogus")).ReturnsAsync(false).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-bogus1")).ReturnsAsync(false).Verifiable(); var context = new Mock(); var logger = new TestLogger>(); var helper = SetupSignInManager(manager.Object, context.Object, logger); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "bogus", false, false); - var checkResult = await helper.CheckPasswordSignInAsync(user, "bogus", false); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-bogus1", false, false); + var checkResult = await helper.CheckPasswordSignInAsync(user, "[PLACEHOLDER]-bogus1", false); // Assert Assert.False(result.Succeeded); 
@@ -792,12 +792,12 @@ public async Task PasswordSignInFailsWithUnknownUser() { // Setup var manager = MockHelpers.MockUserManager(); - manager.Setup(m => m.FindByNameAsync("bogus")).ReturnsAsync(default(PocoUser)).Verifiable(); + manager.Setup(m => m.FindByNameAsync("unknown-username")).ReturnsAsync(default(PocoUser)).Verifiable(); var context = new Mock(); var helper = SetupSignInManager(manager.Object, context.Object); // Act - var result = await helper.PasswordSignInAsync("bogus", "bogus", false, false); + var result = await helper.PasswordSignInAsync("unknown-username", "[PLACEHOLDER]-bogus1", false, false); // Assert Assert.False(result.Succeeded); @@ -819,12 +819,12 @@ public async Task PasswordSignInFailsWithWrongPasswordCanAccessFailedAndLockout( }).Verifiable(); manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).Returns(() => Task.FromResult(lockedout)); - manager.Setup(m => m.CheckPasswordAsync(user, "bogus")).ReturnsAsync(false).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-bogus1")).ReturnsAsync(false).Verifiable(); var context = new Mock(); var helper = SetupSignInManager(manager.Object, context.Object); // Act - var result = await helper.PasswordSignInAsync(user.UserName, "bogus", false, true); + var result = await helper.PasswordSignInAsync(user.UserName, "[PLACEHOLDER]-bogus1", false, true); // Assert Assert.False(result.Succeeded); 
@@ -846,12 +846,12 @@ public async Task CheckPasswordSignInFailsWithWrongPasswordCanAccessFailedAndLoc }).Verifiable(); manager.Setup(m => m.SupportsUserLockout).Returns(true).Verifiable(); manager.Setup(m => m.IsLockedOutAsync(user)).Returns(() => Task.FromResult(lockedout)); - manager.Setup(m => m.CheckPasswordAsync(user, "bogus")).ReturnsAsync(false).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-bogus1")).ReturnsAsync(false).Verifiable(); var context = new Mock(); var helper = SetupSignInManager(manager.Object, context.Object); // Act - var result = await helper.CheckPasswordSignInAsync(user, "bogus", true); + var result = await helper.CheckPasswordSignInAsync(user, "[PLACEHOLDER]-bogus1", true); // Assert Assert.False(result.Succeeded); @@ -870,13 +870,13 @@ public async Task CanRequireConfirmedEmailForPasswordSignIn(bool confirmed) manager.Setup(m => m.IsEmailConfirmedAsync(user)).ReturnsAsync(confirmed).Verifiable(); if (confirmed) { - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); } var context = new DefaultHttpContext(); var auth = MockAuth(context); if (confirmed) { - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); SetupSignIn(context, auth, user.Id, isPersistent: null, loginProvider: null, amr: "pwd"); } var identityOptions = new IdentityOptions(); @@ -885,7 +885,7 @@ public async Task CanRequireConfirmedEmailForPasswordSignIn(bool confirmed) var helper = SetupSignInManager(manager.Object, context, logger, identityOptions); // Act - var result = await helper.PasswordSignInAsync(user, "password", false, false); + var result = await helper.PasswordSignInAsync(user, "[PLACEHOLDER]-1a", false, false); // Assert 
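Review bot: In `CanRequireConfirmedEmailForPasswordSignIn` (`@@ -870,13 +870,13 @@`) the same `manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable();` call appears in both `if (confirmed)` blocks, and the commit had to edit each copy. The first block looks redundant, since the second registers an identical setup before `SetupSignIn`. The phone-number variant in the `@@ -930,7 +930,7 @@` hunk has only the one. Dropping the first `if (confirmed) { ... }` block would leave a single place where the mocked password has to match the value passed to `PasswordSignInAsync`. The method begins before this hunk, so this is based only on the lines shown.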
@@ -930,7 +930,7 @@ public async Task CanRequireConfirmedPhoneNumberForPasswordSignIn(bool confirmed var auth = MockAuth(context); if (confirmed) { - manager.Setup(m => m.CheckPasswordAsync(user, "password")).ReturnsAsync(true).Verifiable(); + manager.Setup(m => m.CheckPasswordAsync(user, "[PLACEHOLDER]-1a")).ReturnsAsync(true).Verifiable(); SetupSignIn(context, auth, user.Id, isPersistent: null, loginProvider: null, amr: "pwd"); } @@ -940,7 +940,7 @@ public async Task CanRequireConfirmedPhoneNumberForPasswordSignIn(bool confirmed var helper = SetupSignInManager(manager.Object, context, logger, identityOptions); // Act - var result = await helper.PasswordSignInAsync(user, "password", false, false); + var result = await helper.PasswordSignInAsync(user, "[PLACEHOLDER]-1a", false, false); // Assert Assert.Equal(confirmed, result.Succeeded); diff --git a/src/Identity/test/InMemory.Test/ControllerTest.cs b/src/Identity/test/InMemory.Test/ControllerTest.cs index 302abbbad914..d986139db5a2 100644 --- a/src/Identity/test/InMemory.Test/ControllerTest.cs +++ b/src/Identity/test/InMemory.Test/ControllerTest.cs @@ -46,7 +46,7 @@ public async Task VerifyAccountControllerSignIn(bool isPersistent) { UserName = "Yolo" }; - const string password = "Yol0Sw@g!"; + const string password = "[PLACEHOLDER]-1a"; var userManager = app.ApplicationServices.GetRequiredService>(); var signInManager = app.ApplicationServices.GetRequiredService>(); diff --git a/src/Identity/test/InMemory.Test/FunctionalTest.cs b/src/Identity/test/InMemory.Test/FunctionalTest.cs index 56a07d761ed4..b651e656c7b3 100644 --- a/src/Identity/test/InMemory.Test/FunctionalTest.cs +++ b/src/Identity/test/InMemory.Test/FunctionalTest.cs @@ -26,7 +26,7 @@ namespace Microsoft.AspNetCore.Identity.InMemory { public class FunctionalTest { - const string TestPassword = "1qaz!QAZ"; + const string TestPassword = "[PLACEHOLDER]-1a"; [Fact] public async Task CanChangePasswordOptions()