lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Nextcloud

Nextcloudcollaboration4 credentials

Credentials4 documented
01

Instance Secret / Password Salt

nextcloud / config-secret-and-salt

Nextcloud config.php contains instance-specific values including passwordsalt and secret. Nextcloud documents these configuration parameters alongside database and server settings.

generated on installsecretsecret value

Looks like

pattern
pattern

Nextcloud config.php passwordsalt or secret entry

'(?:passwordsalt|secret)'\s*=>\s*'[^']+'\s*[,;]

Location

config file
config/config.php

Nextcloud instance configuration containing secret and passwordsalt

secret store

deployment vaults, Kubernetes Secrets, and cloud secret managers

source code

committed config.php files, Helm values, and backups

artifact

instance backups and container images containing config.php

Notes

These values are not user passwords, but they are instance secret material used by Nextcloud security mechanisms.

02

Database Credentials

nextcloud / database-credentials

Nextcloud config.php stores database settings such as dbtype, dbhost, dbname, dbuser, and dbpassword. These credentials connect the application to its database.

user definedsecretusername/password

Looks like

pattern
pattern

Nextcloud config.php database password entry

'dbpassword'\s*=>\s*'[^']+'\s*[,;]

Location

config file
config/config.php

Nextcloud database connection configuration

environment
MYSQL_PASSWORD, POSTGRES_PASSWORD, NEXTCLOUD_DB_PASSWORD, DATABASE_URL
secret store

Docker/Kubernetes secrets, cloud secret managers, and database password vaults

source code

committed config.php files, Docker Compose files, Helm values, and tests

artifact

backups and container images containing config.php

logs

installer logs and database connection troubleshooting output

Notes

Database access can expose files metadata, user records, app passwords, shares, tokens, and application configuration.

03

User Password / App Password

nextcloud / user-password-app-password

Nextcloud users authenticate to the web UI and can use app passwords for clients. Nextcloud user management documentation covers creating users, resetting passwords, and resetting a lost admin password.

user definedsecretusername/password

Location

database

Nextcloud database tables storing user, session, and app-password verifier data

public interface
/login, WebDAV, OCS APIs

Nextcloud login, sync, and API endpoints

config file

client sync config, app integration config, and local credential caches

secret store

password managers, CI/CD variables, and cloud secret managers

source code

integration scripts, tests, and accidentally committed client configs

logs

web server logs, sync client logs, and authentication troubleshooting output

Notes

App passwords should be revoked independently from the user's main password if exposed.

04

External Service / Preview API Secret

nextcloud / external-service-secret

Nextcloud configuration can contain additional service secrets such as preview_imaginary_key and Redis credentials. These protect integrations used by the server.

user definedsecretsecret value

Location

config file
config/config.php

Nextcloud external service credentials and integration keys

environment
REDIS_HOST_PASSWORD, NEXTCLOUD_IMAGINARY_KEY
secret store

deployment vaults, Kubernetes Secrets, and cloud secret managers

source code

committed config files and deployment manifests

Notes

External service secrets may grant access to cache, preview, mail, object storage, or directory services connected to Nextcloud.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.