MongoDB
MongoDB, Inc.database3 credentials1 default credential
Unauthenticated Default Deployment
mongodb / unauthenticated-default
Self-managed MongoDB deployments do not require username/password authentication until access control is enabled. MongoDB security docs instruct administrators to enable access control and create users for authenticated deployments.
Default credentials
(empty):(empty)Location
mongodb://<host>:27017MongoDB wire protocol listener; modern packages usually bind locally unless reconfigured
mongod.confsecurity.authorization controls access control
Notes
This represents no authentication, not a password. Exposure depends on bindIp, firewalling, localhost exception behavior, and whether access control has been enabled.
SCRAM User Password
mongodb / scram-user-password
MongoDB users authenticate with usernames and passwords stored in the admin or application databases when access control is enabled. SCRAM is MongoDB's default challenge-response authentication mechanism for users.
Looks like
examplemongodb://username:XXXXXXXXXXXXXXXX@host:27017/adminLocation
application config, .env files, Kubernetes manifests, connection-string files
MONGODB_URI, MONGO_URI, MONGO_URL, MONGODB_URLMongoDB system users collection stores user credentials and roles
Kubernetes Secrets, CI/CD variables, cloud secret managers, Atlas app secrets
application code, notebooks, tests, committed connection strings
startup logs, driver debug logs, exception traces containing connection strings
Notes
Inline credentials in MongoDB URIs are common in application config and logs. Percent-encoding can obscure special characters in the password.
Internal Keyfile Authentication Secret
mongodb / internal-keyfile
MongoDB replica set and sharded cluster members can authenticate to each other with a shared keyfile. MongoDB documents that the keyfile contents are used as the shared password for internal membership authentication.
Looks like
pattern^[A-Za-z0-9+/=]{6,1024}$Location
mongod.confsecurity.keyFile points to the keyfile path
keyfile on each mongod host; permissions are part of deployment hardening
Kubernetes Secrets, Ansible Vault, cloud secret managers
replica set deployment bundles, host backups, automation tarballs
Notes
Any member with the correct keyfile can join the cluster trust boundary. MongoDB recommends X.509 for production internal authentication.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.