phpMyAdmin
phpMyAdmin Projectdatabase3 credentials
Config Authentication MySQL Credentials
phpmyadmin / config-auth-credentials
phpMyAdmin supports config authentication, where the MySQL username and password are stored in config.inc.php. phpMyAdmin documents config auth as the mode where username and password are stored in config.inc.php.
Looks like
pattern\$cfg\['Servers'\]\[\$i\]\['password'\]\s*=\s*'[^'\r\n]*'Location
config.inc.phpphpMyAdmin server connection settings and authentication mode
PMA_USER, PMA_PASSWORD, PMA_HOST, PMA_CONTROLUSER, PMA_CONTROLPASSDocker/Kubernetes secrets, cloud secret managers, and hosting control panel secrets
accidentally committed config.inc.php files, Docker Compose files, and examples
webroot backups and container images containing phpMyAdmin configuration
setup output and container environment dumps
Notes
Config authentication embeds a reusable MySQL credential in phpMyAdmin configuration and should not be exposed to clients or repositories.
blowfish_secret
phpmyadmin / blowfish-secret
phpMyAdmin cookie authentication uses blowfish_secret in configuration to encrypt cookies. phpMyAdmin setup documentation shows setting $cfg['blowfish_secret'] to random bytes.
Looks like
pattern\$cfg\['blowfish_secret'\]\s*=\s*[^;\r\n]+;Location
config.inc.phpphpMyAdmin cookie encryption secret
PMA_BLOWFISH_SECRETdeployment secrets and cloud secret managers
committed config.inc.php files and backups
container images or webroot archives containing config.inc.php
Notes
The blowfish secret is not a database password, but it protects phpMyAdmin cookie authentication state.
Control User Password
phpmyadmin / control-user-password
phpMyAdmin can use a control user for phpMyAdmin configuration storage. phpMyAdmin setup documentation defines PMA_CONTROLUSER and PMA_CONTROLPASS for the configuration storage database user.
Location
config.inc.phpcontroluser and controlpass settings for phpMyAdmin configuration storage
PMA_CONTROLUSER, PMA_CONTROLPASScontainer secrets, vault entries, and platform config variables
Docker Compose files and accidentally committed config
Notes
The control user should have only the privileges required for phpMyAdmin configuration storage.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.