But bypassWordList might contain hard-coded credentials

from here

I care about application security as much as the next developer (maybe more) but this particular heuristic (and the false alarms it generates) drives me nuts.