---
title: Do Not Use Default Credentials
impact: CRITICAL
impactDescription: prevents trivial unauthorized access via publicly known default accounts
tags: credentials, default, passwords, configuration, security, kotlin
---

## Do Not Use Default Credentials

Default credentials (e.g., `admin/admin`, `root/root`) are the first thing an attacker or automated bot will try, because they are printed in vendor documentation and collected in public default-password lists. Shipping them, or silently falling back to them when a secret is missing, leaves the system open to anyone who can reach it.

**Incorrect (default or common credentials in config):**

```properties
# application.properties
spring.datasource.username=postgres
# DEFAULT! (in a .properties file a trailing "# ..." is part of the value, not a comment)
spring.datasource.password=postgres
```

```kotlin
// Hardcoded in code
val defaultAdminUser = "admin"
val defaultAdminPass = "admin" // CRITICAL!
```

**Correct (environment-based secrets):**

```properties
# application.properties: resolve the secret from the environment at startup
spring.datasource.password=${DB_PASSWORD}
```

```kotlin
// In Kotlin code, read the secret from the environment and fail fast; never fall back to a default
val dbPassword: String = System.getenv("DB_PASSWORD")
    ?: throw IllegalStateException("DB_PASSWORD must be provided")

// For local development, keep secrets in a git-ignored file (e.g., .env) that is loaded into the environment.
// Never commit these to version control.
```

**Defaults to Reject Outright (commonly blocked):**
- `admin / admin`
- `root / root` or `root / <empty>`
- `postgres / postgres`
- `sa / <empty>` (Common for SQL Server)
- `guest / guest`

**Security Best Practices:**
- Force a password change on first login for any account provisioned with a default or generated password.
- Disable or remove default system accounts that are not strictly needed.
- Fail startup when a required secret is missing instead of substituting a built-in value.
- Scan configuration files in CI for known default credentials and common password patterns so a default never reaches a deployed build.
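The guard and CI scan described above, as an added worked example that is not code from the original page or from Spring: `DefaultCredentialGuard`, `requireSecret`, `validateDatasource` and `scanProperties` are illustrative names, the environment variable names `DB_USERNAME`/`DB_PASSWORD` are assumed, and the sample properties text is constructed for the demo. It goes slightly beyond the list above by also rejecting a blank password and a password equal to the username.

```kotlin
// Added example (not code from the original page): a startup guard that refuses
// known default credentials and never falls back to a built-in value, plus a small
// scanner for the CI check described above. DefaultCredentialGuard, requireSecret,
// validateDatasource and scanProperties are illustrative names, not a library API.

object DefaultCredentialGuard {
    // Known default pairs from the list above; usernames are compared case-insensitively.
    private val knownDefaults: Set<Pair<String, String>> = setOf(
        "admin" to "admin",
        "root" to "root",
        "root" to "",
        "postgres" to "postgres",
        "sa" to "",
        "guest" to "guest",
    )

    /** Returns why the pair must be rejected, or null if it is acceptable. */
    fun rejectReason(username: String, password: String): String? {
        val user = username.trim().lowercase()
        return when {
            password.isBlank() -> "empty password"
            (user to password) in knownDefaults -> "known default credential pair"
            password.equals(username.trim(), ignoreCase = true) -> "password equals username"
            else -> null
        }
    }

    /** Reads a required secret; a missing or blank value is a startup error, not a default. */
    fun requireSecret(name: String, env: Map<String, String> = System.getenv()): String =
        env[name]?.takeIf { it.isNotBlank() }
            ?: throw IllegalStateException("$name must be provided; no default is allowed")

    /** Fail fast before opening any connection if the datasource credentials are defaults. */
    fun validateDatasource(env: Map<String, String> = System.getenv()) {
        val user = requireSecret("DB_USERNAME", env)
        val pass = requireSecret("DB_PASSWORD", env)
        rejectReason(user, pass)?.let {
            throw IllegalStateException("Refusing to start: $it for DB_USERNAME=$user")
        }
    }
}

/**
 * Scans .properties text for *.password keys whose literal value is a known default.
 * Placeholders such as ${DB_PASSWORD} are allowed because they resolve at runtime.
 * Suitable as a CI step run over application.properties files.
 */
fun scanProperties(text: String): List<String> {
    val entries = text.lines()
        .map { it.trim() }
        .filter { it.isNotEmpty() && !it.startsWith("#") && !it.startsWith("!") && '=' in it }
        .associate { line ->
            val (key, value) = line.split("=", limit = 2)
            key.trim() to value.trim()
        }
    return entries
        .filterKeys { it.endsWith(".password") }
        .mapNotNull { (passKey, password) ->
            // A ${...} placeholder is resolved from the environment, so it is not a literal default.
            if (password.startsWith("\${") && password.endsWith("}")) return@mapNotNull null
            val username = entries[passKey.removeSuffix(".password") + ".username"] ?: ""
            DefaultCredentialGuard.rejectReason(username, password)?.let { "$passKey: $it" }
        }
}

fun main() {
    // Constructed sample config for the demo, not a real file from any project.
    val sample = """
        spring.datasource.username=postgres
        spring.datasource.password=postgres
        app.admin.username=admin
        app.admin.password=${'$'}{ADMIN_PASSWORD}
    """.trimIndent()
    scanProperties(sample).forEach { println("FINDING: $it") }

    // Constructed environment where the operator reused the username as the password.
    val env = mapOf("DB_USERNAME" to "app_user", "DB_PASSWORD" to "app_user")
    runCatching { DefaultCredentialGuard.validateDatasource(env) }
        .onFailure { println("Startup refused: ${it.message}") }
}
```

Run `validateDatasource()` once during application bootstrap, before any connection pool is created, so a misconfigured deployment stops immediately rather than serving traffic with a guessable database account; `scanProperties` is the same check applied to committed configuration in CI, where a placeholder passes and a literal default fails the build.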

**Tools:** Gitleaks, CI/CD Secret Scanning, Manual Review, SonarQube
