lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Elasticsearch

Elasticdatabase4 credentials

Credentials4 documented
01

elastic Built-in Superuser Password

elasticsearch / elastic-built-in-user

Elasticsearch includes built-in users for the Elastic Stack. The elastic user is a built-in superuser used to set other built-in user passwords and to bootstrap administrative access on self-managed clusters.

generated on installuser definedsecretusername/password

Default credentials

elastic:(empty)

Location

public interface
Elasticsearch HTTP API, Kibana login
config file

bootstrap password may be set in the Elasticsearch keystore as bootstrap.password

environment
ELASTIC_PASSWORD

commonly used by Docker and orchestration examples to set the initial elastic password

secret store

Kubernetes Secrets, Docker secrets, Elastic Cloud orchestration secrets, CI/CD variables

logs

initial startup/setup logs, installation notes, and bootstrap tooling output

Notes

The default block records the built-in username, not a static password. Elastic documents that built-in users cannot authenticate until their passwords have been set; if elastic has no password, a transient bootstrap password is used to run password-setup tooling.

02

Built-in Service User Passwords

elasticsearch / built-in-service-user-passwords

Elasticsearch built-in service users such as kibana_system, logstash_system, beats_system, apm_system, and remote_monitoring_user have fixed privileges and require operator-set passwords before use.

user definedsecretusername/password

Looks like

pattern
pattern

Elastic Stack component configuration that stores Elasticsearch usernames or passwords

(xpack\.[A-Za-z0-9_.-]+\.elasticsearch\.(username|password)|elasticsearch\.(username|password)):\s*[^\s]+

Location

config file

kibana.yml, logstash.yml, beats.yml, apm-server.yml, metricbeat.yml

environment
ELASTICSEARCH_USERNAME, ELASTICSEARCH_PASSWORD, KIBANA_PASSWORD
secret store

Kubernetes Secrets, Docker secrets, Elastic Cloud orchestration secrets

source code

Helm values, docker-compose.yml, Ansible inventories, committed stack configs

Notes

These accounts are not intended for human login. A leaked service-user password grants the component privileges assigned to that built-in user.

03

Elasticsearch API Key

elasticsearch / api-key

Elasticsearch API keys authenticate requests to Elasticsearch APIs. The create API key endpoint returns an id, api_key value, and an encoded representation for Authorization headers.

generated on installsecretAPI key

Looks like

pattern
pattern

HTTP Authorization value for Elasticsearch API key authentication

ApiKey\s+[A-Za-z0-9+/=_\-]+

Location

http header
Authorization

ApiKey authorization scheme

http response

create API key responses containing id, api_key, and encoded fields

environment
ELASTICSEARCH_API_KEY
config file

Beats, Logstash, agents, Elastic clients, and application config

secret store

Kubernetes Secrets, CI/CD variables, application secret stores

source code

ingestion scripts, notebooks, app config, committed examples

Notes

API key privileges are derived from the creating user and requested role descriptors. Treat encoded API key values as bearer credentials.

04

Service Account Token

elasticsearch / service-account-token

Elasticsearch service account tokens authenticate Elastic Stack services to Elasticsearch without using built-in user passwords. Tokens can be file-backed or index-backed depending on how they are created.

generated on installsecrettoken

Location

http header
Authorization

Bearer token for Elasticsearch service account authentication

config file

service_tokens file and Elastic component configuration

secret store

Kubernetes Secrets and orchestration-managed service token stores

environment

service token variables used by containers or Helm charts

Notes

Service account tokens are bearer secrets scoped to a service account. Rotate and invalidate tokens found in config backups or deployment logs.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.