lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Redmine

Redminedevops3 credentials

Credentials3 documented
01

Database Credentials

redmine / database-credentials

Redmine installation requires database users for MySQL, PostgreSQL, SQL Server, or SQLite. Redmine docs show creating a database role/user and setting a password before configuring the application.

user definedsecretusername/password

Looks like

pattern
pattern

Redmine database.yml password field

password:\s*[^\r\n]+

Location

config file
config/database.yml

Redmine Rails database connection configuration

environment
REDMINE_DB_PASSWORD, DATABASE_URL
secret store

Docker/Kubernetes secrets, cloud secret managers, and database password vaults

source code

committed database.yml files, Docker Compose files, and tests

artifact

application backups and container images containing database.yml

logs

installer logs and database connection traces

Notes

Database access can expose Redmine users, password hashes, API keys, issues, projects, and plugin settings.

02

Rails Session Secret Token

redmine / secret-token

Redmine installation generates a random secret token used by Rails to encode cookies storing session data. Redmine documents generating it with bundle exec rake generate_secret_token and optionally storing it in config/secrets.yml.

generated on installsecretsecret value

Location

config file
config/initializers/secret_token.rb, config/secrets.yml

Redmine Rails session secret

environment
SECRET_KEY_BASE, REDMINE_SECRET_KEY_BASE
secret store

deployment vaults, Kubernetes Secrets, and cloud secret managers

source code

committed Rails config, examples, and backups

artifact

application backups and container images

Notes

Rotating the secret invalidates sessions and protects against tampering with stolen session cookie material.

03

REST API Key

redmine / api-key

Redmine REST API supports authentication with either regular login/password via HTTP Basic authentication or a per-user API key. Redmine documents passing the API key as key parameter, Basic username, or X-Redmine-API-Key header.

user definedsecretAPI key

Location

http header
X-Redmine-API-Key, Authorization

Redmine API key header or Basic authentication context

database

Redmine user account records containing API key state

environment
REDMINE_API_KEY
config file

integration config, .env files, and automation scripts

secret store

CI/CD variables, bot secrets, and cloud secret managers

source code

API scripts, tests, and committed clients

logs

API request logs and automation traces

Notes

API key permissions follow the owning Redmine user.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.