lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache Cassandra

Apache Software Foundationdatabase3 credentials

Credentials3 documented
01

PasswordAuthenticator Role Password

apache-cassandra / password-authenticator-role

Cassandra can authenticate users with PasswordAuthenticator, which relies on username/password pairs. Cassandra documents that PasswordAuthenticator stores usernames and hashed passwords in the system_auth.roles table.

user definedsecretusername/password

Looks like

pattern
pattern

Cassandra CQL role password assignment; the password itself has no Cassandra-specific shape

CREATE\s+ROLE\s+\S+\s+WITH\s+PASSWORD\s*=\s*'[^'\r\n]+'
pattern

Cassandra CQL role password change statement

ALTER\s+ROLE\s+\S+\s+WITH\s+PASSWORD\s*=\s*'[^'\r\n]+'

Location

database
system_auth.roles

Cassandra system_auth table storing role names and hashed passwords

config file

application config, cassandra driver config, .env files, and deployment manifests

environment
CASSANDRA_USERNAME, CASSANDRA_PASSWORD
secret store

Kubernetes Secrets, cloud secret managers, CI/CD variables, and password vault entries

source code

application connection config, migration scripts, tests, and accidentally committed credentials

logs

failed authentication traces, driver debug logs, and CI output

public interface
tcp/9042

Cassandra native transport login endpoint

Notes

Cassandra does not have to use password authentication; AllowAllAuthenticator disables authentication. Role password exposure matters when PasswordAuthenticator is enabled.

02

AllowAllAuthenticator / AllowAllAuthorizer Configuration

apache-cassandra / cassandra-yaml-auth-disabled

Cassandra configuration supports authenticator and authorizer backends. Cassandra documents AllowAllAuthenticator as performing no checks and AllowAllAuthorizer as allowing any action to any user.

user definedcontext dependentother

Looks like

pattern
pattern

cassandra.yaml setting that disables authentication checks

authenticator:\s*(?:AllowAllAuthenticator|org\.apache\.cassandra\.auth\.AllowAllAuthenticator)
pattern

cassandra.yaml setting that disables authorization checks

authorizer:\s*(?:AllowAllAuthorizer|org\.apache\.cassandra\.auth\.AllowAllAuthorizer)

Location

config file
cassandra.yaml

Cassandra server configuration controlling authentication and authorization backends

source code

Helm charts, container images, Ansible roles, and committed Cassandra configs

image

VM or container images containing insecure cassandra.yaml settings

Notes

These settings are not credentials, but they create unauthenticated or over-permissive database access for reachable clients.

03

TLS Keystore / Truststore Password

apache-cassandra / tls-keystore-password

Cassandra supports node-to-node and client encryption using Java keystores and truststores. Cassandra configuration references keystores, truststores, and their passwords for encrypted transport.

user definedsecretpassword

Looks like

pattern
pattern

Cassandra YAML keystore or truststore password assignment

(?:keystore_password|truststore_password):\s*[^\s]+

Location

config file
cassandra.yaml

server_encryption_options and client_encryption_options keystore/truststore passwords

secret store

Kubernetes Secrets, Java keystore stores, cloud secret managers, and deployment vaults

source code

Helm values, Docker Compose files, Ansible inventories, and committed TLS config

logs

startup logs and troubleshooting output that include TLS option dumps

Notes

Keystore and truststore passwords protect private keys and trust material used by Cassandra transport security.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.