Grafana
Grafana Labsmonitoring4 credentials2 default credentials
Default Admin Login
grafana / default-admin
Grafana ships with a default admin user for first sign-in. Grafana documents the default username and password as admin/admin unless changed through configuration or packaging.
Default credentials
admin:adminLocation
/loginGrafana web UI, default port 3000
grafana.ini[security] admin_user and admin_password override defaults
GF_SECURITY_ADMIN_USER, GF_SECURITY_ADMIN_PASSWORDHelm/Kubernetes Secrets, Docker secrets, CI/CD variables
Notes
The first-login password-change prompt is not a substitute for changing the default before exposure. Admin access can read dashboards, data source configuration, and other stored integration secrets.
kube-prometheus-stack Default Admin
grafana / kube-prometheus-stack-admin
The kube-prometheus-stack Helm chart deploys Grafana with a chart-level admin password override commonly set to prom-operator.
Default credentials
admin:prom-operatorLocation
/loginGrafana web UI deployed by kube-prometheus-stack
values.yamlgrafana.adminPassword
Kubernetes Secret rendered by the Helm release
Notes
This is a distribution-specific Grafana credential, not Grafana upstream's own default. It belongs in the Grafana entry because security engineers searching for Grafana defaults expect to find it there.
Local User / Administrator Password
grafana / local-user-admin-password
Grafana local users authenticate with username/email and password unless an external identity provider is used. Admin users are operator-created or bootstrapped from the initial admin account.
Location
/loginGrafana user table in the configured database; password hashes are stored server-side
grafana.iniauth and security settings affecting local login
password managers and identity-provider vaults
Notes
Local password blast radius depends on the user's organization role and Grafana permissions. Admin users can usually reach data source secrets and service account tokens.
Service Account Token
grafana / service-account-token
Grafana service account tokens are bearer tokens used by automation and integrations to call Grafana APIs with the permissions assigned to the service account.
Looks like
exampleglsa_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
AuthorizationBearer token used by Grafana HTTP APIs
GRAFANA_TOKEN, GRAFANA_AUTH, GF_SECURITY_ADMIN_API_KEYCI/CD variables, Kubernetes Secrets, Terraform variables, cloud secret managers
Terraform providers, dashboards-as-code tooling, automation scripts
.env files, provisioning jobs, deployment manifests
Notes
Grafana deprecated legacy API keys in favor of service accounts and service account tokens. Scope and organization membership determine impact.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.