---
title: Do Not Use Default Credentials
impact: CRITICAL
impactDescription: prevents trivial compromise via known credentials
tags: credentials, default, passwords, configuration, security, csharp
---

## Do Not Use Default Credentials

Default credentials left in configuration files or code are publicly known values, so they give attackers trivial access.

**Incorrect (hardcoded defaults):**

```json
// appsettings.json
{
  "ConnectionStrings": {
    "DefaultConnection": "Server=...;User Id=sa;Password=sa;" 
  }
}
```

**Correct (secure configuration):**

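```json
// appsettings.json: commit placeholders only. .NET configuration does not expand ${...};
// supply the real value via User Secrets (development) or the environment variable
// ConnectionStrings__DefaultConnection, which overrides this entry.
{
  "ConnectionStrings": {
    "DefaultConnection": "Server=...;User Id=${DB_USER};Password=${DB_PASS};"
  }
}
```

```csharp
using System.Security;

// Code validation: fail at startup if a well-known password is configured
var password = configuration["DbPassword"];
if (password == "admin" || password == "password")
{
    throw new SecurityException("Default credentials detected");
}
```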
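The validation idea above, extended to the connection string itself so that the `sa`/`sa` case and a never-overridden `${...}` placeholder are both rejected. This is an added example, not part of the original rule; the `CredentialGuard` class name and the deny-list contents are assumptions.

```csharp
// Added example: fail-fast startup check. Class name and deny-list are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Security;

public static class CredentialGuard
{
    // Constructed sample deny-list; extend it with the vendor defaults of the products you run.
    private static readonly HashSet<string> KnownDefaults = new(StringComparer.OrdinalIgnoreCase)
    {
        "sa", "admin", "password", "root", "changeme"
    };

    public static void EnsureNoDefaultCredentials(string connectionString)
    {
        if (string.IsNullOrWhiteSpace(connectionString))
            throw new SecurityException("Connection string is missing");

        // A literal ${...} means the placeholder was never overridden at deploy time.
        if (connectionString.Contains("${"))
            throw new SecurityException("Unresolved credential placeholder");

        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        var user = Read(builder, "User Id", "UID", "User");
        var password = Read(builder, "Password", "PWD");

        // Integrated or token-based authentication carries no password; nothing to check.
        if (user is null && password is null) return;

        if (string.IsNullOrEmpty(password))
            throw new SecurityException("Empty database password");
        if (KnownDefaults.Contains(password) ||
            string.Equals(user, password, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("Default credentials detected");
    }

    // Returns the value of the first keyword present; keyword lookup is case-insensitive.
    private static string? Read(DbConnectionStringBuilder builder, params string[] keys)
    {
        foreach (var key in keys)
            if (builder.TryGetValue(key, out var value))
                return Convert.ToString(value);
        return null;
    }
}
```

Call `CredentialGuard.EnsureNoDefaultCredentials(configuration.GetConnectionString("DefaultConnection"))` once during startup so a misconfigured deployment refuses to start instead of connecting with a known password.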

**Tools:** Secret Scanners, Configuration Validation
