---
title: Do Not Use Default Credentials
impact: CRITICAL
impactDescription: prevents trivial compromise via known credentials
tags: credentials, default, passwords, configuration, security, php
---

## Do Not Use Default Credentials

Default credentials (e.g., `admin/admin`, `root/root`) are publicly known and are the first thing attackers or automated bots try when probing a system. Using them in any environment (even staging) exposes the system to trivial compromise.

**Incorrect (default or hardcoded credentials):**

```php
// Application config with defaults
return [
    'db' => [
        'username' => 'root',
        'password' => 'root', // Default!
    ],
    'admin' => [
        'user' => 'admin',
        'password' => 'admin' // Default!
    ]
];

// Docker Compose Example with defaults
// POSTGRES_PASSWORD: password
```

**Correct (externalized and unique credentials):**

```php
// Use environment variables or a secrets manager. Note that getenv() returns
// false when the variable is unset, so the boot-time check below must also
// treat a missing or empty value as a failure rather than silently accepting it.
return [
    'db' => [
        'username' => getenv('DB_USERNAME'),
        'password' => getenv('DB_PASSWORD'),
    ],
];

// Validation during application boot (e.g. in Laravel AppServiceProvider)
if (config('app.env') === 'production') {
    // Cast to string so an unset value (null/false) becomes '' instead of
    // being passed to strtolower(), which is deprecated for null in PHP 8.1+
    $pass = (string) config('database.connections.mysql.password');
    $defaults = ['admin', 'password', 'root', '123456'];

    // Reject empty passwords as well as known defaults; strict in_array avoids type juggling
    if ($pass === '' || in_array(strtolower($pass), $defaults, true)) {
        throw new \RuntimeException('Production is using default/weak credentials. Deployment blocked.');
    }
}
```

**Never use common defaults:**
- `admin / admin`
- `root / root`
- `guest / guest`
- `postgres / postgres`
- `admin / 123456`
- Any empty passwords in networked environments.
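
The boot-time check above and the list of common defaults can be combined into one reusable policy class. The following is an added example, not code from the original rule; it assumes the credentials arrive in environment variables named `DB_USERNAME` and `DB_PASSWORD` (both names are assumptions) and encodes the pairs listed above, plus the empty-password rule, as data. It generalizes the check in the rule slightly by comparing username/password pairs and by flagging a password equal to the username.

```php
<?php
// Added example (not part of the original rule): boot-time credential policy.
// Assumes DB_USERNAME / DB_PASSWORD environment variables (names are assumptions).
declare(strict_types=1);

final class DefaultCredentialCheck
{
    /** Known default username/password pairs, lowercased (constructed from the list above). */
    private const DEFAULT_PAIRS = [
        ['admin', 'admin'],
        ['root', 'root'],
        ['guest', 'guest'],
        ['postgres', 'postgres'],
        ['admin', '123456'],
    ];

    /** Passwords that are weak regardless of the username they are paired with. */
    private const WEAK_PASSWORDS = ['admin', 'password', 'root', '123456', 'postgres', 'guest'];

    /**
     * Returns a list of policy violations; an empty array means the pair is acceptable.
     * Fails closed: a missing or empty value is itself a violation.
     */
    public static function violations(?string $username, ?string $password): array
    {
        $problems = [];

        if ($username === null || $username === '') {
            $problems[] = 'username is missing';
        }
        if ($password === null || $password === '') {
            $problems[] = 'password is empty';
            return $problems; // nothing further to compare against
        }

        $u = strtolower($username ?? '');
        $p = strtolower($password);

        foreach (self::DEFAULT_PAIRS as [$defUser, $defPass]) {
            if ($u === $defUser && $p === $defPass) {
                $problems[] = "default credential pair {$defUser}/{$defPass}";
            }
        }
        if (in_array($p, self::WEAK_PASSWORDS, true)) {
            $problems[] = 'password is on the weak/default list';
        }
        if ($u !== '' && $p === $u) {
            $problems[] = 'password equals username';
        }
        return $problems;
    }

    /** Read the pair from the environment; abort boot in production if the policy fails. */
    public static function enforceFromEnv(string $appEnv): void
    {
        // getenv() returns false when unset; normalise both unset and '' to null
        $user = getenv('DB_USERNAME') ?: null;
        $pass = getenv('DB_PASSWORD') ?: null;

        $problems = self::violations($user, $pass);
        if ($problems === []) {
            return;
        }
        $msg = 'Credential policy violation: ' . implode('; ', $problems);
        if ($appEnv === 'production') {
            throw new RuntimeException($msg . '. Deployment blocked.');
        }
        error_log($msg); // outside production, log loudly but keep booting
    }
}

// Constructed sample inputs (run with: php this_file.php)
var_dump(DefaultCredentialCheck::violations('admin', 'admin'));       // three violations
var_dump(DefaultCredentialCheck::violations('app_user', ''));         // empty password
var_dump(DefaultCredentialCheck::violations('app_user', 'p9#Lm2!vQz')); // empty array
```

Call `DefaultCredentialCheck::enforceFromEnv(config('app.env'))` from the same boot hook the rule mentions (e.g. a Laravel service provider); keeping the default list as data makes it easy to extend when a new vendor default shows up in the environment you deploy to.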

**Tools:** Gitleaks, TruffleHog, OWASP ZAP (to check for default admin pages), SonarQube
