lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Atlassian Crowd

Atlassianidentity6 credentials

Credentials6 documented
01

Database Password

atlassian-crowd / database-password

Crowd stores configuration in crowd.cfg.xml in the Crowd home directory. The file includes database connection properties such as the database username and password used by Crowd to connect to its relational database.

user definedsecretusername/password

Looks like

pattern
pattern

crowd.cfg.xml database credential pair; values are arbitrary operator-supplied strings

<property name="hibernate\.connection\.username">[^<]+</property>\s*<property name="hibernate\.connection\.password">[^<]*</property>
pattern

database password property in crowd.cfg.xml; the password itself has no Crowd-specific textual shape

<property name="hibernate\.connection\.password">[^<]*</property>

Location

config file
$CROWD_HOME/crowd.cfg.xml

Crowd home configuration file generated by the setup wizard

build artifact

Crowd home backups, migration bundles, snapshots, support exports

Notes

Crowd is an identity service. Database access can expose user directory configuration, application trust configuration, groups, memberships, and stored credential metadata for multiple Atlassian applications that depend on Crowd.

02

Local User / Administrator Password

atlassian-crowd / local-user-admin-password

Crowd internal-directory users, including administrators created during setup or by operators, authenticate with passwords stored in Crowd's database. External directories can delegate password verification to LDAP, Active Directory, or other directory connectors.

user definedsecretusername/password

Looks like

pattern
pattern

internal-directory password material in Crowd user tables; the value has no Crowd-specific textual prefix and is identified by table and column context

cwd_user.*credential
pattern

raw Basic-auth username:password form before Base64 encoding; request context identifies Crowd

[^\s:@]+:[^\s:]+

Location

database

Crowd internal directory tables, including cwd_user credential data

public interface
/crowd/console/login.action

Crowd administration console login

public interface

Crowd REST API and application authentication flows

source code

scripts and service integrations that embed Crowd usernames and passwords

Notes

There is no universal shipped Crowd administrator password. The setup flow or an operator creates administrator credentials. Users may be stored locally in Crowd or resolved from delegated directories, so the storage location depends on directory configuration.

03

Application Password

atlassian-crowd / application-password

Crowd applications authenticate to the Crowd framework as clients using an application name and password. Atlassian's application setup wizard explicitly asks for the password the application will use when it authenticates against Crowd.

user definedsecretusername/password

Looks like

pattern
pattern

application connector property used by Atlassian applications and custom clients; the password value is arbitrary

(application\.name|application\.password|crowd\.application\.name|crowd\.application\.password)\s*=\s*[^\r\n]+
pattern

application password element in exported or database-backed Crowd application configuration; surrounding application context is required

<password>[^<]*</password>

Location

database

Crowd application records and application password storage

config file

client application crowd.properties or equivalent connector config

source code

application deployment templates, containers, and automation repos

build artifact

application backups and Crowd database dumps

Notes

This is a service-to-service credential rather than a human login. A leaked application password can let a client impersonate a configured application to Crowd, subject to the application's remote-address and directory permissions.

04

LDAP / Directory Bind Password

atlassian-crowd / directory-bind-password

Crowd directory connectors can authenticate to LDAP, Active Directory, and other external directories using a bind account and password. The bind credential lets Crowd search or update the external directory according to connector permissions.

user definedsecretusername/password

Looks like

pattern
pattern

directory connector password field in Crowd configuration or database exports; exact values are arbitrary and identified by connector context

(ldap|directory|connector).*(password|credential)

Location

database

Crowd directory connector configuration records

config file

exported or templated directory connector configuration

build artifact

Crowd database backups, migration bundles, and support exports

Notes

Bind-account blast radius depends on the external directory. A read-only LDAP bind may expose account and group data; a privileged bind may support password changes or directory modification.

05

Personal Access Token

atlassian-crowd / personal-access-token

Newer Crowd Data Center versions support personal access tokens for users and scripts. Like other Atlassian Data Center PATs, they are bearer credentials used instead of embedding a username and password.

user definedsecrettoken

Looks like

pattern
pattern

no documented Crowd-specific token prefix; identify PATs by Bearer-token use against Crowd endpoints

Authorization:\s*Bearer\s+[^\s]+

Location

environment
CROWD_TOKEN, CROWD_PAT
source code

REST scripts, provisioning tools, directory sync automation

logs

HTTP client debug logs when Authorization headers are printed

secret store

CI/CD variables and service secret stores

Notes

A PAT carries the permissions of the creating user until expiration or revocation. If a Crowd PAT is not available in a deployed version, integrations typically fall back to username/password or application credentials.

06

pdkinstall Development Plugin

atlassian-crowd / pdkinstall-development-plugin

A Crowd security advisory describes CVE-2019-11580, where the pdkinstall development plugin was incorrectly enabled in Crowd and Crowd Data Center. The issue is a public backdoor-like administrative exposure, but it is not a literal shipped password.

undocumentedsecretother

Looks like

pattern
pattern

plugin name from the Crowd advisory; included as a backdoor marker rather than a token or password specimen

pdkinstall

Location

public interface

affected Crowd web application exposing the development plugin

Notes

Do not add a default username or password for this issue: the advisory and CVE document an incorrectly enabled development plugin, not a literal credential. It is included because it is a known public backdoor-style Crowd exposure relevant to credential and identity compromise triage.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.