lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Drupal

Drupal Associationcms3 credentials

Credentials3 documented
01

Database Credentials

drupal / database-credentials

Drupal settings.php defines the $databases array used to connect to the site's database. Drupal's default.settings.php documents database, username, password, host, port, and driver fields in this array.

user definedsecretusername/password

Looks like

pattern
pattern

Drupal settings.php database password array entry

'password'\s*=>\s*'[^'\r\n]+'

Location

config file
sites/*/settings.php

Drupal site settings containing database connection arrays

environment
DRUPAL_DATABASE_PASSWORD, DATABASE_URL, MYSQL_PASSWORD, POSTGRES_PASSWORD
secret store

platform secrets, Kubernetes Secrets, cloud secret managers, and CI/CD variables

source code

accidentally committed settings.php files, local.settings.php, and deployment scripts

artifact

site backups, database dumps with config, and container images

logs

installer logs, debug dumps, and CI output

Notes

Database access can expose Drupal users, password hashes, configuration, content, and secrets stored by contributed modules.

02

Hash Salt

drupal / hash-salt

Drupal settings.php contains $settings['hash_salt'], which is site-specific secret material used in hash generation. Drupal documents setting it in settings.php or reading it from an external file.

generated on installsecretsecret value

Looks like

pattern
pattern

Drupal settings.php hash_salt assignment

\$settings\['hash_salt'\]\s*=\s*'[^'\r\n]+'

Location

config file
sites/*/settings.php

Drupal hash_salt setting or file_get_contents reference

secret store

external salt files, platform secrets, and deployment vault entries

source code

committed settings.php files and backups

artifact

site archives and container images containing settings.php or salt files

Notes

The salt is not a user password but is site secret material that should not be shared between environments or exposed in public repositories.

03

Administrator/User Password

drupal / administrator-password

Drupal user accounts authenticate to the web UI and APIs with user-defined passwords. The initial site maintenance account is created during installation and has administrative control over the site.

user definedsecretusername/password

Location

database

Drupal user tables containing password hashes and account data

public interface
/user/login, /user/password

Drupal login and password reset interfaces

config file

provisioning scripts, local dev config, and test fixtures

source code

Behat tests, install scripts, and accidentally committed credentials

logs

web server logs, failed-login logs, and test output

Notes

There is no universal Drupal administrator password; it is chosen or generated during site installation.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.