lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache CouchDB

Apache Software Foundationdatabase2 credentials

Credentials2 documented
01

Server Administrator Password

apache-couchdb / admin-password

CouchDB requires an admin account to start. CouchDB documents that server administrators and passwords are stored in the last [admins] section found when loading ini files, not in the _users database.

user definedsecretusername/password

Looks like

pattern
pattern

CouchDB [admins] ini context; lines under this section assign administrator passwords or password hashes

^\[admins\]$|^\s*[^;#\s=]+\s*=\s*[^\r\n]+

Location

config file
local.ini, local.d/*.ini

CouchDB ini files containing the [admins] section

environment
COUCHDB_USER, COUCHDB_PASSWORD
secret store

container secrets, Kubernetes Secrets, cloud secret managers, and deployment vaults

source code

Docker Compose files, Helm values, tests, and accidentally committed local.ini files

logs

startup errors, setup logs, and provisioning traces that reveal admin configuration

public interface
tcp/5984

CouchDB HTTP API and Fauxton login endpoint

Notes

There is no universal CouchDB admin password. CouchDB installations must set administrator credentials or the server refuses to start in supported versions.

02

_users Database Password

apache-couchdb / user-database-password

CouchDB stores regular users separately from server administrators in the _users database. Users authenticate to CouchDB HTTP APIs with mechanisms such as cookie, JWT, proxy, or default authentication handlers.

user definedsecretusername/password

Location

database
_users

CouchDB users database containing user documents and password material

http header
Authorization

Basic or Bearer authentication accepted by configured CouchDB auth handlers

config file

application config, replication config, .env files, and deployment manifests

secret store

password vaults, CI/CD variables, and cloud secret managers

source code

replication scripts, application clients, tests, and committed URLs

logs

HTTP access logs, replication errors, and client debug output

Notes

User password blast radius depends on database membership, roles, and configured authentication handlers.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.