
Offensive360 Academy
Beginner · 15 min

Insecure Default Credentials

Understand the risks of default credentials left in production and how to enforce secure configuration.

1 Default Credential Risks

Default credentials are pre-configured usernames and passwords shipped with software, devices, or services. When left unchanged in production, they are among the easiest vulnerabilities to exploit — default credential lists are publicly available and freely downloadable.

Common examples:

  • admin/admin or admin/password on routers, admin panels
  • MongoDB with no authentication in older default configs
  • Jenkins with no login required by default (older versions)
  • Database default users: MySQL root with empty password
  • IoT devices: camera feeds accessible with default login

Developer passwords in production:

# .env file committed to source control
DB_PASSWORD=password123
ADMIN_PASSWORD=dev-only-change-before-deploy  # Never changed!

Attackers scan internet-facing services with tools like Shodan and use default credential databases to gain access in seconds.

2 Credential Hygiene

Eliminate default credentials through forced password changes, environment-based configuration, and automated secret scanning.

Force password change on first login:

from flask import Flask, request, jsonify

app = Flask(__name__)

# authenticate(), generate_temp_token() and generate_token() are the app's own helpers.
@app.route("/login", methods=["POST"])
def login():
    user = authenticate(request.json["username"], request.json["password"])
    if not user:
        return jsonify({"error": "Invalid credentials"}), 401
    if user.must_change_password:
        # Hand out only a short-lived token scoped to /change-password, never a
        # full session token, until the default password has been replaced.
        return jsonify({
            "redirect": "/change-password",
            "temp_token": generate_temp_token(user)
        }), 200
    return jsonify({"token": generate_token(user)})

Environment-based configuration:

import os

# Fail fast at startup instead of falling back to a hardcoded default.
DB_PASSWORD = os.environ.get("DB_PASSWORD")
if not DB_PASSWORD:
    raise EnvironmentError("DB_PASSWORD not configured")
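Reading the value from the environment is only half of the check: a deployment can still export the placeholder that shipped in the sample `.env`. The following is an added example (not code from the Offensive360 lesson) that goes one step further than the snippet above and refuses to start when a required credential is missing, still equal to a known default or placeholder, or too short. The denylist, the `ADMIN_PASSWORD`/`DB_PASSWORD` names and the sample environments are constructed for illustration.

```python
"""Added example: fail-fast credential loading that rejects default values.
The denylist and the sample environment below are constructed, not taken
from any real product."""
import os
import re
from typing import Mapping, Optional

# Constructed denylist of values that ship as defaults or placeholders and
# must never reach production. Compared case-insensitively.
DEFAULT_VALUES = {
    "", "admin", "password", "password123", "root", "changeme", "secret",
    "dev-only-change-before-deploy",
}
# Values that look like unfilled templates, e.g. "<your-password-here>", "TODO".
PLACEHOLDER_RE = re.compile(r"^(<.*>|todo.*|change.*me.*|\$\{.*\})$", re.IGNORECASE)
MIN_LENGTH = 12


class InsecureCredentialError(RuntimeError):
    """Raised when a required credential is missing or still a default."""


def require_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return env[name], or raise if it is unset, a known default, or too short.

    `env` defaults to the real process environment; tests pass a plain dict."""
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None:
        raise InsecureCredentialError(f"{name} is not configured")
    if value.lower() in DEFAULT_VALUES or PLACEHOLDER_RE.match(value):
        raise InsecureCredentialError(f"{name} is still set to a default/placeholder value")
    if len(value) < MIN_LENGTH:
        raise InsecureCredentialError(f"{name} is shorter than {MIN_LENGTH} characters")
    return value


def load_config(env: Optional[Mapping[str, str]] = None) -> dict:
    """Load every credential the app needs; the first problem aborts startup."""
    return {
        "db_password": require_secret("DB_PASSWORD", env),
        "admin_password": require_secret("ADMIN_PASSWORD", env),
    }


def check_config(env: Mapping[str, str]) -> list:
    """Report every problem at once (handy as a deploy-time gate) instead of
    stopping at the first one."""
    problems = []
    for name in ("DB_PASSWORD", "ADMIN_PASSWORD"):
        try:
            require_secret(name, env)
        except InsecureCredentialError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed sample: the lesson's .env values as a deployment would export them.
    bad_env = {"DB_PASSWORD": "password123",
               "ADMIN_PASSWORD": "dev-only-change-before-deploy"}
    for problem in check_config(bad_env):
        print("REFUSING TO START:", problem)
```

`check_config` is the form to wire into a deploy pipeline, since it lists every offending variable in one run; `load_config` is what the application itself calls so that it never comes up with a default credential in place.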

Pre-commit secret scanning:

# Install git-secrets (or an equivalent such as truffleHog) and hook it into the repo
git secrets --install
git secrets --register-aws  # Registers AWS key patterns; add project-specific ones with git secrets --add

Defense checklist:

  • Force password change for all default/admin accounts
  • Never commit credentials to source control
  • Use environment variables or secrets managers for all credentials
  • Run secret scanning in CI/CD pipelines
  • Scan git history for accidentally committed secrets

Knowledge Check

Q1

Why are default credentials particularly dangerous on internet-facing services?

Q2

What is the most effective way to ensure developers do not use production passwords in development?

Q3

A developer accidentally committed an API key to a public GitHub repo. What should happen first?

Code Exercise

Require Environment Variables

The app has a hardcoded default database password. Refactor it to read from an environment variable and raise an error if not set.
