lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Redis

Redisdatabase3 credentials1 default credential

Credentials3 documented
01

Default User Without Password

redis / default-user-nopass

Redis defaults to an enabled default user with nopass in ACL-enabled Redis versions, preserving legacy behavior where clients can run all commands without authenticating unless an administrator configures a password or ACLs.

static defaultsecretusername/password

Default credentials

default:(empty)

Location

public interface
redis://<host>:6379

Redis protocol listener; protected mode limits default exposure to loopback in default configuration

config file
redis.conf

default ACL user, protected-mode, bind, requirepass, and aclfile directives

Notes

This represents unauthenticated access, not a password. Redis protected mode reduces accidental exposure when no password is configured, but operators can disable protected mode or bind Redis to external interfaces.

02

requirepass Password

redis / requirepass-default-user-password

Redis legacy authentication uses the requirepass directive in redis.conf. Since Redis 6, requirepass is a compatibility layer that sets a password for the ACL default user.

user definedsecretpassword

Looks like

pattern
pattern

redis.conf directive; the value after requirepass is the password for the default user

^requirepass\s+[^\s#]+

Location

config file
redis.conf
environment
REDIS_PASSWORD, REDIS_URL
source code

Docker Compose files, Helm values, app configs, committed .env files

secret store

Kubernetes Secrets, CI/CD variables, cloud secret managers

logs

command histories, container logs, and connection errors containing AUTH strings

Notes

Redis warns that this password is stored in clear text inside redis.conf and should be long because Redis can process many authentication attempts per second.

03

ACL User Password

redis / acl-user-password

Redis ACLs define users, passwords, key patterns, and command categories either directly in redis.conf or in an external aclfile. Clients authenticate with AUTH <username> <password>.

user definedsecretusername/password

Looks like

pattern
pattern

Redis ACL user rule; > stores a plaintext password to hash on load, while # stores a password hash

^user\s+\S+\s+.*(>|#)[^\s]+

Location

config file
redis.conf, users.acl

inline ACL users or external aclfile contents

environment
REDIS_USERNAME, REDIS_PASSWORD, REDIS_URL
secret store

Kubernetes Secrets, CI/CD variables, cloud secret managers

source code

app config, Docker Compose files, Helm values, connection strings

logs

CLI histories, driver debug logs, and failed AUTH traces

Notes

Redis ACL rules include both authentication material and authorization policy. The command context is needed to distinguish the username, plaintext password marker, password hash marker, and permissions.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.