lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache Kafka

Apache Software Foundationmiddleware3 credentials

Credentials3 documented
01

SASL PLAIN / SCRAM Password

apache-kafka / sasl-plain-scram-password

Kafka supports SASL authentication mechanisms including PLAIN and SCRAM. Broker and client JAAS configuration often contains usernames and passwords for inter-broker, producer, consumer, and admin authentication.

user definedsecretusername/password

Looks like

pattern
pattern

Kafka JAAS login module containing username or password options

org\.apache\.kafka\.common\.security\.(?:plain|scram)\.[A-Za-z]+LoginModule\s+required[^;]*(?:username|password)=\"[^\"\r\n]+\"

Location

config file
server.properties, client.properties, jaas.conf, kafka_server_jaas.conf

Kafka broker and client SASL/JAAS configuration

environment
KAFKA_OPTS, KAFKA_SASL_USERNAME, KAFKA_SASL_PASSWORD, SASL_JAAS_CONFIG
secret store

Kubernetes Secrets, cloud secret managers, CI/CD variables, and Kafka platform secrets

source code

deployment manifests, Helm values, integration tests, and committed client configs

logs

broker startup logs, client debug output, and CI traces

public interface
Kafka broker listeners

Notes

Kafka user/password semantics depend on the SASL mechanism and backing identity store. SCRAM credentials may be stored in Kafka metadata.

02

SSL Keystore / Truststore Password

apache-kafka / ssl-keystore-password

Kafka TLS configuration uses keystore and truststore locations and passwords for brokers and clients. These protect private keys and trust material used for encrypted and mutual TLS connections.

user definedsecretpassword

Looks like

pattern
pattern

Kafka server.properties or client.properties SSL store password

ssl\.(?:key|trust)store\.password\s*=\s*[^\r\n]+
pattern

Kafka private key password setting

ssl\.key\.password\s*=\s*[^\r\n]+

Location

config file
server.properties, client.properties, connect-distributed.properties

Kafka broker, client, and Kafka Connect TLS configuration

secret store

Java keystores, Kubernetes Secrets, cloud secret managers, and deployment vaults

source code

committed client configs, Helm values, and container build contexts

image

broker or client images containing keystores and config files

logs

startup logs and SSL troubleshooting output

Notes

Keystore passwords may unlock broker or client private keys used for TLS authentication.

03

Kafka Connect Connector Secret

apache-kafka / connect-connector-secret

Kafka Connect connector configurations frequently include passwords, tokens, and API keys for source and sink systems. These connector secrets are separate from Kafka broker authentication but are stored in Kafka Connect configuration and offsets/status workflows.

user definedsecretsecret value

Location

config file

connector JSON/properties files, connect-distributed.properties, and worker config

http response

Kafka Connect REST API responses containing connector configs when secrets are not masked

secret store

ConfigProvider backends, Kubernetes Secrets, cloud secret managers, and CI/CD variables

source code

connector repositories, tests, and committed connector definitions

logs

connector task logs and REST API traces

Notes

Connector secrets can grant access to databases, cloud stores, queues, and SaaS systems even when Kafka itself is not compromised.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.