Severity: Critical | Category: Authentication

Default Admin Credentials in Production

What Is This Vulnerability?

Default credentials exist when applications, databases, or admin panels ship with factory-set usernames and passwords (like admin/admin or root/password) that are not changed before deployment to production. Attackers routinely test for these well-known credentials as one of the first steps in any attack, gaining instant administrative access.

Why It Happens

Development environments use simple credentials for convenience. When applications are deployed to production without a proper configuration checklist, these defaults remain. Docker images, database installations, and admin dashboards often come with preset passwords. Teams assume someone else will change them, or the credentials get baked into infrastructure-as-code templates.

Example Code

Vulnerable: config/admin.ts
import express from "express";
import session from "express-session";

const app = express();
app.use(express.urlencoded({ extended: false }));
app.use(session({ secret: process.env.SESSION_SECRET as string, resave: false, saveUninitialized: false }));

// Factory defaults committed to source control and shipped unchanged to production.
const adminConfig = {
  username: "admin",
  password: "admin123",
  database: {
    host: "localhost",
    user: "root",
    password: "password",
  },
};

app.post("/admin/login", (req, res) => {
  // Anyone who tries the well-known admin/admin123 pair gets an admin session.
  if (req.body.username === adminConfig.username &&
      req.body.password === adminConfig.password) {
    req.session.isAdmin = true;
    res.redirect("/admin/dashboard");
  } else {
    res.status(401).send("Invalid credentials");
  }
});
Fixed: routes/admin.ts
import express from "express";
import session from "express-session";
import bcrypt from "bcrypt";
import { Pool } from "pg";

// Every secret comes from the environment; the process refuses to start
// if one is missing, so a default can never be shipped silently.
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) throw new Error(`${name} must be set`);
  return value;
}

const app = express();
app.use(express.urlencoded({ extended: false }));
app.use(session({ secret: requireEnv("SESSION_SECRET"), resave: false, saveUninitialized: false }));
const db = new Pool({ host: requireEnv("DB_HOST"), user: requireEnv("DB_USER"), password: requireEnv("DB_PASSWORD") });

// Compared against when the username is unknown, so a missing account takes
// as long as a wrong password (no username enumeration by response time).
const DUMMY_HASH = bcrypt.hashSync("placeholder", 12);

app.post("/admin/login", async (req, res) => {
  const { username, password } = req.body;
  const admin = await db.query(
    "SELECT id, password_hash, must_change_password FROM admins WHERE username = $1",
    [username]
  );
  const row = admin.rows[0];
  const valid = await bcrypt.compare(password, row ? row.password_hash : DUMMY_HASH);
  if (!row || !valid) return res.status(401).send("Invalid credentials");

  // New session ID on privilege change, so a pre-login session ID cannot be fixed.
  req.session.regenerate((err) => {
    if (err) return res.status(500).send("Login failed");
    req.session.isAdmin = true;
    req.session.adminId = row.id;
    // The setup script seeds the first admin with must_change_password = true,
    // so the initial password is only good for reaching the change form.
    res.redirect(row.must_change_password ? "/admin/change-password" : "/admin/dashboard");
  });
});

How Hackers Exploit It

Attackers maintain lists of default credentials for common software (databases, routers, CMS platforms, admin panels), and public collections such as the default-credential lists in SecLists make them trivial to obtain. Internet-wide scanners (masscan, Shodan) locate exposed services; login brute-forcers like Hydra, or a few lines of script, then try every known pair against each one. Exposed databases and admin panels with default passwords are typically found and taken over within hours of going online. The Mirai botnet spread exactly this way, logging in to IoT devices over telnet with a list of a few dozen factory credentials. Once in, the attacker holds full administrative control: reading and altering data, creating further accounts, and pivoting into the rest of the environment.

How to Fix It

Never hardcode credentials in source code. Load every secret from the environment (or a secrets manager) and refuse to start if one is missing or still equals a known default. Store admin passwords only as salted hashes (bcrypt, scrypt or Argon2) and return the same error, in the same time, for an unknown username and a wrong password. Force a password change on first login for seeded admin accounts. Lock accounts, or rate-limit by account and source address, after repeated failures. Keep production credentials in a secrets manager (AWS Secrets Manager, HashiCorp Vault). Add deployment checks that reject default values before the artifact reaches production.
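Two of the measures above, the fail-fast startup check and the per-account lockout, as an added TypeScript example (not code from the original page). The variable names ADMIN_INITIAL_PASSWORD and DB_PASSWORD, the 16-character minimum, and the function and class names are assumptions for the example; the password check is passed in as a callback so the logic can run without a database:

```typescript
// Added example (not the page's own code): fail-fast secret loading and a
// per-account lockout. Names such as loadAdminSecrets, LoginThrottle and the
// ADMIN_INITIAL_PASSWORD / DB_PASSWORD variable names are assumptions.

const KNOWN_DEFAULTS = new Set([
  "admin", "admin123", "password", "root", "toor", "123456", "changeme", "secret",
]);

type AdminSecrets = { adminInitialPassword: string; dbPassword: string };

// Reads the secrets the app needs from an env-like object and refuses to start
// if any is missing, is a well-known default, or is too short to be real.
function loadAdminSecrets(env: Record<string, string | undefined>): AdminSecrets {
  const read = (name: string): string => {
    const value = env[name]?.trim() ?? "";
    if (value === "") throw new Error(`${name} must be set before the application starts`);
    if (KNOWN_DEFAULTS.has(value.toLowerCase())) throw new Error(`${name} is a known default value; refusing to start`);
    if (value.length < 16) throw new Error(`${name} is shorter than 16 characters; refusing to start`);
    return value;
  };
  return {
    adminInitialPassword: read("ADMIN_INITIAL_PASSWORD"),
    dbPassword: read("DB_PASSWORD"),
  };
}

type FailureRecord = { count: number; lockedUntil: number };

// Counts failed logins per account and locks the account for lockoutMs once
// maxAttempts is reached. Times are epoch milliseconds passed in by the caller,
// which keeps the behaviour deterministic and testable.
class LoginThrottle {
  private readonly maxAttempts: number;
  private readonly lockoutMs: number;
  private readonly failures = new Map<string, FailureRecord>();

  constructor(maxAttempts = 5, lockoutMs = 15 * 60 * 1000) {
    this.maxAttempts = maxAttempts;
    this.lockoutMs = lockoutMs;
  }

  isLocked(username: string, now: number): boolean {
    const rec = this.failures.get(username);
    return rec !== undefined && rec.lockedUntil > now;
  }

  recordFailure(username: string, now: number): void {
    const rec = this.failures.get(username) ?? { count: 0, lockedUntil: 0 };
    if (rec.lockedUntil > now) return;                                   // still locked; nothing to add
    if (rec.lockedUntil !== 0) { rec.count = 0; rec.lockedUntil = 0; }   // lockout expired: start over
    rec.count += 1;
    if (rec.count >= this.maxAttempts) rec.lockedUntil = now + this.lockoutMs;
    this.failures.set(username, rec);
  }

  recordSuccess(username: string): void {
    this.failures.delete(username);
  }
}

// Wires the throttle into a login decision. `verify` is the password check
// (bcrypt.compareSync against the stored hash in a real app). The same
// "denied" result covers a locked account, an unknown user and a wrong
// password, so none of them is distinguishable to the caller.
function attemptLogin(
  throttle: LoginThrottle,
  username: string,
  now: number,
  verify: (username: string) => boolean,
): "ok" | "denied" {
  if (throttle.isLocked(username, now)) return "denied";
  if (verify(username)) {
    throttle.recordSuccess(username);
    return "ok";
  }
  throttle.recordFailure(username, now);
  return "denied";
}
```

Keying the lockout by username alone lets an attacker lock the real administrator out by spamming wrong passwords; in production, throttle by source address as well, and keep the lock state in shared storage (not process memory) when more than one instance serves logins.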

Frequently Asked Questions

How quickly are default credentials exploited in the wild?
Internet-facing services with default credentials are typically discovered and exploited within hours. Automated botnets continuously scan common ports and test known default username/password combinations. Honeypot studies show that SSH and database services with defaults are compromised in under 24 hours on average.
How do I check for default credentials in my infrastructure?
Run a credential audit as part of your deployment pipeline. Compare the values the deployment will actually use (environment variables, .env files, compose and Helm values, infrastructure-as-code templates) against a list of known defaults (admin, password, root, 123456) and fail the build on a hit. Scanners like Trivy (secret scanning of images and filesystems) or gitleaks (git history) catch hardcoded credentials before deployment; a startup check inside the application catches whatever the pipeline missed.
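The pipeline-side audit described here, as an added TypeScript example (not code from the original page or from any of the tools it names). It extracts KEY=VALUE and KEY: VALUE pairs from .env files, compose YAML and Dockerfile ENV lines, then flags credential-looking keys whose value is empty, a known default, or very short, default usernames, and default passwords embedded in connection URLs. The function names, the heuristics, the default lists and the sample files are all constructed for this example:

```typescript
// Added example (not the page's own code): a pre-deployment audit that scans
// configuration artifacts for hardcoded or default credentials. Function and
// type names, heuristics, and the sample files below are constructed here.

type Assignment = { line: number; key: string; value: string };
type Finding = { file: string; line: number; key: string; reason: string };

const DEFAULT_PASSWORDS = new Set([
  "admin", "admin123", "password", "root", "toor", "123456", "changeme", "secret", "guest",
]);
const DEFAULT_USERNAMES = new Set(["admin", "administrator", "root", "sa", "postgres", "guest"]);
const PASSWORD_KEY = /(pass(word)?|pwd|secret|token|api[_-]?key)/i;
const USERNAME_KEY = /(user(name)?|login)/i;
// Matches scheme://user:password@host in connection strings; group 1 is the password.
const URL_CREDENTIAL = /\/\/[^\/:@\s]+:([^@\s]+)@/;

// Pulls KEY=VALUE and KEY: VALUE pairs out of .env files, YAML mappings and
// Dockerfile ENV lines (also "- KEY=VALUE" list items and "-e KEY=VALUE").
// A line-oriented heuristic, not a parser for any of those formats; comment
// lines and the space-separated "ENV KEY VALUE" form are not matched.
function extractAssignments(text: string): Assignment[] {
  const re = /^\s*(?:ENV\s+|-\s+|-e\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["']?([^"'\s#]*)["']?/;
  const out: Assignment[] = [];
  text.split("\n").forEach((raw, i) => {
    const m = re.exec(raw);
    if (!m) return;
    const [, key = "", value = ""] = m;
    out.push({ line: i + 1, key, value });
  });
  return out;
}

function auditForDefaultCredentials(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [file, text] of Object.entries(files)) {
    for (const { line, key, value } of extractAssignments(text)) {
      // "${DB_PASSWORD}" style references are injected at deploy time, not literals.
      if (value.startsWith("$")) continue;

      const embedded = URL_CREDENTIAL.exec(value)?.[1];
      if (embedded !== undefined && DEFAULT_PASSWORDS.has(embedded.toLowerCase())) {
        findings.push({ file, line, key, reason: "default password embedded in connection URL" });
        continue;
      }
      if (USERNAME_KEY.test(key) && DEFAULT_USERNAMES.has(value.toLowerCase())) {
        findings.push({ file, line, key, reason: `default username "${value}"` });
        continue;
      }
      if (!PASSWORD_KEY.test(key)) continue;
      if (value === "") findings.push({ file, line, key, reason: "credential is empty" });
      else if (DEFAULT_PASSWORDS.has(value.toLowerCase())) findings.push({ file, line, key, reason: `known default "${value}"` });
      else if (value.length < 12) findings.push({ file, line, key, reason: "credential shorter than 12 characters" });
    }
  }
  return findings;
}

// Constructed sample artifacts (not real files) covering the forms the audit catches.
const SAMPLE_FILES: Record<string, string> = {
  ".env.production": [
    "NODE_ENV=production",
    "ADMIN_PASSWORD=admin123",
    "DB_PASSWORD=${DB_PASSWORD}",
    "SESSION_SECRET=",
  ].join("\n"),
  "docker-compose.yml": [
    "services:",
    "  db:",
    "    image: postgres:15",
    "    environment:",
    "      - POSTGRES_PASSWORD=password",
    "  app:",
    "    environment:",
    '      DATABASE_URL: "postgres://root:password@db:5432/app"',
  ].join("\n"),
  "Dockerfile": [
    "FROM node:20-alpine",
    "ENV ADMIN_USER=admin",
    "ENV API_TOKEN=X7v9q2LpR8wN4tZeKm1Y",
  ].join("\n"),
};

for (const f of auditForDefaultCredentials(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} ${f.key}: ${f.reason}`);
}
```

In a pipeline, run this over the rendered deployment artifacts (after templating, so the values that will actually ship are checked) and fail the job when the finding list is non-empty. The regular expressions are intentionally loose; tune the key patterns and default lists to the stack rather than trusting them as a complete parser.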
Should I use a secrets manager instead of environment variables?
For production systems, a secrets manager like HashiCorp Vault, AWS Secrets Manager, or Doppler provides better security than plain environment variables. They offer encryption at rest, access auditing, automatic rotation, and fine-grained access control. Environment variables are acceptable for simpler setups, but they are inherited by every child process, tend to surface in crash reports and debug output, and cannot be rotated without restarting the process.
