lolcreds

Public credential defaults and exposure patterns for authorized security testing.

PostgreSQL

PostgreSQL Global Development Groupdatabase3 credentials

Credentials3 documented
01

Database Role Password

postgresql / role-password

PostgreSQL supports password-based authentication methods including scram-sha-256 and md5. PostgreSQL documents managing role passwords with CREATE ROLE, ALTER ROLE, and psql \password, and stores password material for database users in the pg_authid system catalog.

user definedsecretusername/password

Looks like

pattern
pattern

SQL statement assigning a PostgreSQL role password; the password itself has no PostgreSQL-specific shape

CREATE\s+ROLE\s+\S+\s+WITH\s+LOGIN\s+PASSWORD\s+'[^'\r\n]+'
pattern

SQL statement changing a PostgreSQL role password

ALTER\s+ROLE\s+\S+\s+(?:WITH\s+)?PASSWORD\s+'[^'\r\n]+'

Location

database
pg_authid.rolpassword

PostgreSQL system catalog storing SCRAM or MD5 password verifier material for roles

config file

application config, .env files, connection strings, service files, and deployment manifests

environment
PGPASSWORD, PGUSER, PGDATABASE, DATABASE_URL, POSTGRES_PASSWORD
secret store

Kubernetes Secrets, cloud secret managers, CI/CD variables, and password vault entries

source code

application connection strings, migration scripts, tests, and accidentally committed configs

logs

failed connection traces, ORM debug logs, and CI output

public interface
tcp/5432

PostgreSQL client authentication endpoint governed by pg_hba.conf

Notes

There is no universal PostgreSQL default password. Packaged images or hosted services may generate or require per-install passwords; model those as distribution-specific credentials if documented.

02

libpq Password File Entry

postgresql / pgpass-file-entry

PostgreSQL libpq clients can read passwords from a password file instead of prompting interactively. PostgreSQL documents the password file as a client-side credential store used by libpq applications.

user definedsecretusername/password

Looks like

pattern
pattern

.pgpass host:port:database:user:password line; context identifies it as PostgreSQL

^[^:\r\n]*:[^:\r\n]*:[^:\r\n]*:[^:\r\n]*:[^\r\n]+$

Location

config file
~/.pgpass, %APPDATA%\postgresql\pgpass.conf

libpq password file used by psql and many PostgreSQL clients

environment
PGPASSFILE

environment variable overriding the password file location

secret store

workstation credential stores and deployment secrets that materialize .pgpass files

source code

accidentally committed .pgpass files, test fixtures, and container build contexts

logs

debug output showing connection parameters or generated password files

Notes

A .pgpass entry can grant database access anywhere the referenced host, port, database, and user are reachable.

03

Trust Authentication Rule

postgresql / pg-hba-trust-auth

PostgreSQL pg_hba.conf can use the trust authentication method, which allows anyone who can connect to the server to log in as any matching PostgreSQL user without a password. PostgreSQL documents this as an unconditional login method for matching clients.

user definedcontext dependentother

Looks like

pattern
pattern

pg_hba.conf trust authentication record; not a password but a credential-bypass condition

^(?:local|host)\s+\S+\s+\S+(?:\s+\S+\s+\S+)?\s+trust(?:\s|$)

Location

config file
pg_hba.conf

PostgreSQL host-based authentication configuration

source code

container images, Helm charts, local dev configs, and committed database setup files

image

container images or VM images containing insecure pg_hba.conf rules

Notes

Trust rules are not credentials, but they create passwordless access for matching connection sources and database users.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.