Redis
Redisdatabase3 credentials1 default credential
Default User Without Password
redis / default-user-nopass
Redis defaults to an enabled default user with nopass in ACL-enabled Redis versions, preserving legacy behavior where clients can run all commands without authenticating unless an administrator configures a password or ACLs.
Default credentials
default:(empty)Location
redis://<host>:6379Redis protocol listener; protected mode limits default exposure to loopback in default configuration
redis.confdefault ACL user, protected-mode, bind, requirepass, and aclfile directives
Notes
This represents unauthenticated access, not a password. Redis protected mode reduces accidental exposure when no password is configured, but operators can disable protected mode or bind Redis to external interfaces.
requirepass Password
redis / requirepass-default-user-password
Redis legacy authentication uses the requirepass directive in redis.conf. Since Redis 6, requirepass is a compatibility layer that sets a password for the ACL default user.
Looks like
pattern^requirepass\s+[^\s#]+Location
redis.confREDIS_PASSWORD, REDIS_URLDocker Compose files, Helm values, app configs, committed .env files
Kubernetes Secrets, CI/CD variables, cloud secret managers
command histories, container logs, and connection errors containing AUTH strings
Notes
Redis warns that this password is stored in clear text inside redis.conf and should be long because Redis can process many authentication attempts per second.
ACL User Password
redis / acl-user-password
Redis ACLs define users, passwords, key patterns, and command categories either directly in redis.conf or in an external aclfile. Clients authenticate with AUTH <username> <password>.
Looks like
pattern^user\s+\S+\s+.*(>|#)[^\s]+Location
redis.conf, users.aclinline ACL users or external aclfile contents
REDIS_USERNAME, REDIS_PASSWORD, REDIS_URLKubernetes Secrets, CI/CD variables, cloud secret managers
app config, Docker Compose files, Helm values, connection strings
CLI histories, driver debug logs, and failed AUTH traces
Notes
Redis ACL rules include both authentication material and authorization policy. The command context is needed to distinguish the username, plaintext password marker, password hash marker, and permissions.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.