Synology DSM
Synologynetwork4 credentials
DSM Administrator/User Password
synology-dsm / admin-user-password
Synology DSM uses local and directory users for web, SSH, SMB/NFS/AFP, package, and API access. Newer DSM disables or prompts configuration of the default admin account during setup.
Location
DSM web UI, SSH, SMB/AFP/NFS services, WebDAV, package UIs, and Synology APIs/etc/passwd, /etc/shadow, DSM account/config files, and package configs
DSM system/account databases and package user stores
password managers, Hyper Backup vaults, and directory services
DSM logs, auth logs, SMB logs, and package logs
Notes
No universal DSM admin password is modeled; setup creates or changes administrator credentials.
DSM API Session / SynoToken
synology-dsm / api-session-synotoken
DSM web/API sessions use cookies and SynoToken-style CSRF/session tokens for authenticated API calls.
Location
CookieDSM web/API session cookies such as id or syno session cookies
X-SYNO-TOKENSynology API/UI token used by authenticated requests
API client caches, automation scripts, and mobile app traces
reverse proxy, web access, and API debug logs
Package, Cloud, Backup, and Integration Secrets
synology-dsm / package-cloud-backup-secrets
DSM packages store secrets for Hyper Backup, Active Backup, Cloud Sync, LDAP/AD, SMTP, DDNS, Docker/Container Manager, surveillance cameras, and package-specific databases.
Location
DSM package configuration directories, /usr/syno/etc, Docker Compose projects, and service configs
DSM/package databases containing account, token, and integration settings
DSM internal credential store, Hyper Backup credentials, and external vaults
configuration backups, Hyper Backup sets, and support dumps
package logs and sync/backup debug output
DSM Certificate / SSH Private Key
synology-dsm / certificate-private-key
Synology appliances store TLS certificate private keys, SSH host/user keys, VPN keys, and package-generated key material.
Looks like
pattern-----BEGIN (RSA |EC |OPENSSH |ENCRYPTED |)PRIVATE KEY-----Location
DSM certificate directories, SSH key files, VPN package configs, and reverse proxy settings
certificate stores, backup vaults, and password managers
system configuration backups and support bundles
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.