lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Grafana

Grafana Labsmonitoring4 credentials2 default credentials

Credentials4 documented
01

Default Admin Login

grafana / default-admin

Grafana ships with a default admin user for first sign-in. Grafana documents the default username and password as admin/admin unless changed through configuration or packaging.

static defaultsecretusername/password

Default credentials

admin:admin

Location

public interface
/login

Grafana web UI, default port 3000

config file
grafana.ini

[security] admin_user and admin_password override defaults

environment
GF_SECURITY_ADMIN_USER, GF_SECURITY_ADMIN_PASSWORD
secret store

Helm/Kubernetes Secrets, Docker secrets, CI/CD variables

Notes

The first-login password-change prompt is not a substitute for changing the default before exposure. Admin access can read dashboards, data source configuration, and other stored integration secrets.

02

kube-prometheus-stack Default Admin

grafana / kube-prometheus-stack-admin

The kube-prometheus-stack Helm chart deploys Grafana with a chart-level admin password override commonly set to prom-operator.

static defaultsecretusername/password

Default credentials

admin:prom-operator

Location

public interface
/login

Grafana web UI deployed by kube-prometheus-stack

config file
values.yaml

grafana.adminPassword

secret store

Kubernetes Secret rendered by the Helm release

Notes

This is a distribution-specific Grafana credential, not Grafana upstream's own default. It belongs in the Grafana entry because security engineers searching for Grafana defaults expect to find it there.

03

Local User / Administrator Password

grafana / local-user-admin-password

Grafana local users authenticate with username/email and password unless an external identity provider is used. Admin users are operator-created or bootstrapped from the initial admin account.

user definedsecretusername/password

Location

public interface
/login
database

Grafana user table in the configured database; password hashes are stored server-side

config file
grafana.ini

auth and security settings affecting local login

secret store

password managers and identity-provider vaults

Notes

Local password blast radius depends on the user's organization role and Grafana permissions. Admin users can usually reach data source secrets and service account tokens.

04

Service Account Token

grafana / service-account-token

Grafana service account tokens are bearer tokens used by automation and integrations to call Grafana APIs with the permissions assigned to the service account.

generated on installsecrettoken

Looks like

example
example

Grafana service account token prefix used by current Grafana releases

glsa_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

http header
Authorization

Bearer token used by Grafana HTTP APIs

environment
GRAFANA_TOKEN, GRAFANA_AUTH, GF_SECURITY_ADMIN_API_KEY
secret store

CI/CD variables, Kubernetes Secrets, Terraform variables, cloud secret managers

source code

Terraform providers, dashboards-as-code tooling, automation scripts

config file

.env files, provisioning jobs, deployment manifests

Notes

Grafana deprecated legacy API keys in favor of service accounts and service account tokens. Scope and organization membership determine impact.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.