lolcreds

Public credential defaults and exposure patterns for authorized security testing.

MongoDB

MongoDB, Inc.database3 credentials1 default credential

Credentials3 documented
01

Unauthenticated Default Deployment

mongodb / unauthenticated-default

Self-managed MongoDB deployments do not require username/password authentication until access control is enabled. MongoDB security docs instruct administrators to enable access control and create users for authenticated deployments.

static defaultsecretusername/password

Default credentials

(empty):(empty)

Location

public interface
mongodb://<host>:27017

MongoDB wire protocol listener; modern packages usually bind locally unless reconfigured

config file
mongod.conf

security.authorization controls access control

Notes

This represents no authentication, not a password. Exposure depends on bindIp, firewalling, localhost exception behavior, and whether access control has been enabled.

02

SCRAM User Password

mongodb / scram-user-password

MongoDB users authenticate with usernames and passwords stored in the admin or application databases when access control is enabled. SCRAM is MongoDB's default challenge-response authentication mechanism for users.

user definedsecretusername/password

Looks like

example
example

MongoDB connection string containing inline username and password

mongodb://username:XXXXXXXXXXXXXXXX@host:27017/admin

Location

config file

application config, .env files, Kubernetes manifests, connection-string files

environment
MONGODB_URI, MONGO_URI, MONGO_URL, MONGODB_URL
database

MongoDB system users collection stores user credentials and roles

secret store

Kubernetes Secrets, CI/CD variables, cloud secret managers, Atlas app secrets

source code

application code, notebooks, tests, committed connection strings

logs

startup logs, driver debug logs, exception traces containing connection strings

Notes

Inline credentials in MongoDB URIs are common in application config and logs. Percent-encoding can obscure special characters in the password.

03

Internal Keyfile Authentication Secret

mongodb / internal-keyfile

MongoDB replica set and sharded cluster members can authenticate to each other with a shared keyfile. MongoDB documents that the keyfile contents are used as the shared password for internal membership authentication.

user definedsecretsecret value

Looks like

pattern
pattern

keyfile content is a 6-1024 character shared secret; identify by keyFile configuration context to avoid false positives

^[A-Za-z0-9+/=]{6,1024}$

Location

config file
mongod.conf

security.keyFile points to the keyfile path

config file

keyfile on each mongod host; permissions are part of deployment hardening

secret store

Kubernetes Secrets, Ansible Vault, cloud secret managers

artifact

replica set deployment bundles, host backups, automation tarballs

Notes

Any member with the correct keyfile can join the cluster trust boundary. MongoDB recommends X.509 for production internal authentication.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.