lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Oracle DBMS

Oracledatabase4 credentials

Credentials4 documented
01

Database User Password

oracle-dbms / database-user-password

Oracle Database authenticates database users using information in the database itself and supports creating passwords with SQL statements that use the IDENTIFIED BY clause. Oracle documents password protections, profiles, and password management for database users.

user definedsecretusername/password

Looks like

pattern
pattern

Oracle CREATE USER statement assigning a database user password

CREATE\s+USER\s+\S+\s+IDENTIFIED\s+BY\s+"?[^";\r\n]+"?
pattern

Oracle ALTER USER statement changing a database user password

ALTER\s+USER\s+\S+\s+IDENTIFIED\s+BY\s+"?[^";\r\n]+"?

Location

database

Oracle data dictionary password verifier state for database users, visible only to privileged users

config file

application config, JDBC URLs, wallet setup files, .env files, and deployment manifests

environment
ORACLE_USER, ORACLE_PASSWORD, TNS_ADMIN, DATABASE_URL
secret store

Oracle Wallet, cloud secret managers, Kubernetes Secrets, and CI/CD variables

source code

application connection strings, SQL scripts, tests, and accidentally committed configs

logs

failed connection traces, JDBC debug logs, SQL*Plus command history, and CI output

public interface
tcp/1521

Oracle Net listener connection endpoint

Notes

Oracle user passwords are deployment-specific. Do not treat sample users or examples as universal defaults unless a specific image or installer explicitly ships them.

02

Secure External Password Store Wallet Credential

oracle-dbms / secure-external-password-store

Oracle Secure External Password Store (SEPS) is a client-side wallet used to store password credentials. Oracle documents SEPS as a secure external password store for client-side password credentials.

user definedsecretusername/password

Location

secret store
Oracle Wallet, cwallet.sso, ewallet.p12

client-side wallet files containing database connection credentials

config file
sqlnet.ora, tnsnames.ora

Oracle Net configuration that locates wallets and maps connect descriptors

environment
TNS_ADMIN, ORACLE_HOME
source code

accidentally committed wallet files, container build contexts, and deployment bundles

image

VM or container images containing wallet files

Notes

Wallet files can allow passwordless database access from clients that can read the wallet and reach the configured service.

03

Administrative Password File Credential

oracle-dbms / administrative-password-file

Oracle documents special protections for administrative user passwords, including password files. Administrative users such as SYSDBA can be authenticated by password files, operating system authentication, or other configured methods.

user definedsecretusername/password

Location

config file
orapw*, PWD*.ora

Oracle database password file used for administrative authentication

secret store

backup stores and infrastructure secrets containing database password files

image

database server images, backups, and cloned Oracle homes containing password files

logs

database creation logs and administrative scripts that print password file paths or passwords

Notes

Administrative password files are highly sensitive because they can enable privileged SYSDBA-style access depending on server configuration.

04

Net Service Connection Credential

oracle-dbms / net-service-connection-secret

Oracle Net local naming uses tnsnames.ora to map network service names to connect descriptors. Applications often pair these descriptors with username/password credentials in configuration files or wallets.

user definedsecretusername/password

Looks like

pattern
pattern

SQL*Plus-style username/password@connect_identifier string; context identifies Oracle credentials

[A-Za-z0-9_.$#]+/[^\s@]+@[^\s]+

Location

config file
tnsnames.ora, sqlnet.ora

Oracle Net service names and wallet configuration

environment
TNS_ADMIN, ORACLE_CONNECT_STRING
source code

SQL scripts, application configs, deployment scripts, and accidentally committed connect strings

logs

command history, connection errors, and debug traces

Notes

tnsnames.ora usually holds network descriptors rather than passwords, but it is important context for nearby Oracle credentials and wallets.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.