You effectivey can not limit getPassword function to owner
Summary
having an external view function which is only callable by the owner does not make much sense, as the variable is effectively public in contract storage, this deterrent does nothing practically speaking.
Vulnerability Details
Even though this getter function is only callable by the owner, the password is public and easily retrievable from the contracts storage.
Impact
This gives the false sense that only the owner can retrieve the password, when in reality it is only a mild deterrent
Recommendations
One has to reconsider the purpose of this smart contract. It is not possible to store a password securely and privately on chain, in such a way that only the owner can see or retrieve it, without off chain encryption/secret schemas.
Lead Judging Commences
finding-anyone-can-read-storage
Private functions and state variables are only visible for the contract they are defined in and not in derived contracts. In this case private doesn't mean secret/confidential
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.