lolcreds

Public credential defaults and exposure patterns for authorized security testing.

phpMyAdmin

phpMyAdmin Projectdatabase3 credentials

Credentials3 documented
01

Config Authentication MySQL Credentials

phpmyadmin / config-auth-credentials

phpMyAdmin supports config authentication, where the MySQL username and password are stored in config.inc.php. phpMyAdmin documents config auth as the mode where username and password are stored in config.inc.php.

user definedsecretusername/password

Looks like

pattern
pattern

phpMyAdmin config.inc.php server password setting

\$cfg\['Servers'\]\[\$i\]\['password'\]\s*=\s*'[^'\r\n]*'

Location

config file
config.inc.php

phpMyAdmin server connection settings and authentication mode

environment
PMA_USER, PMA_PASSWORD, PMA_HOST, PMA_CONTROLUSER, PMA_CONTROLPASS
secret store

Docker/Kubernetes secrets, cloud secret managers, and hosting control panel secrets

source code

accidentally committed config.inc.php files, Docker Compose files, and examples

artifact

webroot backups and container images containing phpMyAdmin configuration

logs

setup output and container environment dumps

Notes

Config authentication embeds a reusable MySQL credential in phpMyAdmin configuration and should not be exposed to clients or repositories.

02

blowfish_secret

phpmyadmin / blowfish-secret

phpMyAdmin cookie authentication uses blowfish_secret in configuration to encrypt cookies. phpMyAdmin setup documentation shows setting $cfg['blowfish_secret'] to random bytes.

generated on installsecretsecret value

Looks like

pattern
pattern

phpMyAdmin blowfish_secret configuration line

\$cfg\['blowfish_secret'\]\s*=\s*[^;\r\n]+;

Location

config file
config.inc.php

phpMyAdmin cookie encryption secret

environment
PMA_BLOWFISH_SECRET
secret store

deployment secrets and cloud secret managers

source code

committed config.inc.php files and backups

artifact

container images or webroot archives containing config.inc.php

Notes

The blowfish secret is not a database password, but it protects phpMyAdmin cookie authentication state.

03

Control User Password

phpmyadmin / control-user-password

phpMyAdmin can use a control user for phpMyAdmin configuration storage. phpMyAdmin setup documentation defines PMA_CONTROLUSER and PMA_CONTROLPASS for the configuration storage database user.

user definedsecretusername/password

Location

config file
config.inc.php

controluser and controlpass settings for phpMyAdmin configuration storage

environment
PMA_CONTROLUSER, PMA_CONTROLPASS
secret store

container secrets, vault entries, and platform config variables

source code

Docker Compose files and accidentally committed config

Notes

The control user should have only the privileges required for phpMyAdmin configuration storage.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.