Drupal
Drupal Associationcms3 credentials
Database Credentials
drupal / database-credentials
Drupal settings.php defines the $databases array used to connect to the site's database. Drupal's default.settings.php documents database, username, password, host, port, and driver fields in this array.
Looks like
pattern'password'\s*=>\s*'[^'\r\n]+'Location
sites/*/settings.phpDrupal site settings containing database connection arrays
DRUPAL_DATABASE_PASSWORD, DATABASE_URL, MYSQL_PASSWORD, POSTGRES_PASSWORDplatform secrets, Kubernetes Secrets, cloud secret managers, and CI/CD variables
accidentally committed settings.php files, local.settings.php, and deployment scripts
site backups, database dumps with config, and container images
installer logs, debug dumps, and CI output
Notes
Database access can expose Drupal users, password hashes, configuration, content, and secrets stored by contributed modules.
Hash Salt
drupal / hash-salt
Drupal settings.php contains $settings['hash_salt'], which is site-specific secret material used in hash generation. Drupal documents setting it in settings.php or reading it from an external file.
Looks like
pattern\$settings\['hash_salt'\]\s*=\s*'[^'\r\n]+'Location
sites/*/settings.phpDrupal hash_salt setting or file_get_contents reference
external salt files, platform secrets, and deployment vault entries
committed settings.php files and backups
site archives and container images containing settings.php or salt files
Notes
The salt is not a user password but is site secret material that should not be shared between environments or exposed in public repositories.
Administrator/User Password
drupal / administrator-password
Drupal user accounts authenticate to the web UI and APIs with user-defined passwords. The initial site maintenance account is created during installation and has administrative control over the site.
Location
Drupal user tables containing password hashes and account data
/user/login, /user/passwordDrupal login and password reset interfaces
provisioning scripts, local dev config, and test fixtures
Behat tests, install scripts, and accidentally committed credentials
web server logs, failed-login logs, and test output
Notes
There is no universal Drupal administrator password; it is chosen or generated during site installation.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.