Anyone can retrieve the password.
In blockchain, private does not mean unreadable. Private variables, like every other variable in a contract, can easily be accessed via RPC methods, blockchain explorers, etc. Hence it is not secure to put private information such as a password on a blockchain in the belief that only you can reach it. In the contract, the getPassword() function is protected by a require statement, so only the owner of the password can get the password via this method. But as mentioned above, no such function is actually needed to retrieve data from the blockchain.
PasswordStore does not securely protect your password, hence the contract completely fails to deliver on its mission.
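To make the point concrete, the sketch below (an added example, not code from the contest repository) decodes the 32-byte word a node returns for a Solidity `string` state variable, showing that the value sits in storage as plain bytes whatever its visibility. The sample password and the helper names are constructed for illustration; the layout rules are Solidity's documented storage encoding for strings.

```python
"""Added example: what a `string private` variable looks like in raw storage."""

def encode_short_string(text: str) -> bytes:
    """Build the 32-byte slot word Solidity stores for a string of <= 31 bytes."""
    data = text.encode("utf-8")
    if len(data) > 31:
        raise ValueError("inline layout holds at most 31 bytes")
    # Data is left-aligned; the lowest-order byte holds length * 2.
    return data.ljust(31, b"\x00") + bytes([len(data) * 2])

def decode_string_slot(word: bytes):
    """Decode a slot word as returned by a storage read (e.g. eth_getStorageAt).

    Returns ("inline", text) when the string is stored in the slot itself,
    or ("long", byte_length) when the slot only holds the length and the
    data lives in consecutive slots starting at keccak256(slot index).
    """
    if len(word) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    if word[31] & 1 == 0:
        # Lowest bit clear: short string, length is low byte / 2.
        length = word[31] // 2
        if length > 31:
            raise ValueError("corrupt short-string encoding")
        return ("inline", word[:length].decode("utf-8"))
    # Lowest bit set: the slot stores length * 2 + 1.
    length = (int.from_bytes(word, "big") - 1) // 2
    return ("long", length)

if __name__ == "__main__":
    # Constructed sample: the word a node would hold for a short password.
    sample = encode_short_string("myPassword")
    print("raw slot word :", "0x" + sample.hex())
    print("decoded       :", decode_string_slot(sample))
    # Constructed sample: a 100-byte string only leaves its length in the slot.
    long_word = (100 * 2 + 1).to_bytes(32, "big")
    print("long string   :", decode_string_slot(long_word))
```

Nothing in this decoding depends on being the contract owner, which is why an access check on the getter does not protect the stored value.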
Manual Review
Never put private information into the blockchain :)
Private functions and state variables are only visible to the contract they are defined in and not to derived contracts. In this case, private doesn't mean secret/confidential.