DefaultCreds-cheat-sheet: Mining 3,711 Default Credentials for Security Testing
Hook
Of the entries in this catalogue, 814 describe a product that ships with a blank username and 479 one that ships with a blank password. DefaultCreds-cheat-sheet catalogs these security disasters—and 2,418 other default credential combinations—into a single command-line query tool.
Context
Every penetration test begins the same way: reconnaissance. Before exploiting complex vulnerabilities, security professionals check the obvious—default credentials. The problem? Default passwords are scattered across vendor documentation, security advisories, and outdated forum posts. A tester might spend hours researching whether a Cisco router uses 'admin/admin' or 'cisco/cisco', whether an Apache Tomcat installation defaults to 'tomcat/s3cret' or something else entirely.
Historically, projects like changeme, routersploit, and SecLists maintained their own credential databases for specific purposes—automated scanning, exploitation frameworks, and wordlist generation respectively. But no single resource provided a searchable, unified view. DefaultCreds-cheat-sheet solves this by aggregating these disparate sources into a 3,711-entry CSV database with a Python CLI wrapper. It's not sexy infrastructure—it's a flat file and a search tool—but it addresses a genuine workflow friction point that security teams face daily. The tool serves both offensive operators hunting for initial access vectors and defensive teams auditing their infrastructure for unchanged defaults that violate OWASP WSTG-ATHN-02 testing requirements.
Technical Insight
The architecture is deliberately minimal: a CSV database (pass-db.csv) containing product names, vendors, usernames, passwords, and source attributions, wrapped by a Python CLI tool installable via pip. The simplicity is strategic—flat files are greppable, version-controllable, and don't require database infrastructure.
The tool provides three core operations: search, export, and update. Searching queries the CSV by product name or vendor, returning formatted results. Here's the basic usage:
# Install the tool
pip install defaultcreds-cheat-sheet
# Search for Cisco default credentials
creds search cisco
# Search with output to file
creds search tomcat -o tomcat_creds.txt
# Export all usernames and passwords as wordlists
creds export -u usernames.txt -p passwords.txt
Under the hood, the search operation is straightforward CSV parsing with case-insensitive matching. The export functionality is where the tool adds unexpected value—it generates deduplicated wordlists suitable for tools like Hydra or Burp Suite's Intruder. This bridges the gap between passive research and active default-credential testing (brute forcing of known defaults, which is distinct from credential stuffing with breached credentials):
# Generate wordlists for automated testing
creds export -u users.txt -p passwords.txt
# Use with Hydra for HTTP basic auth brute force
hydra -L users.txt -P passwords.txt http-get://target.com/admin
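The two operations described above, search and deduplicated export, are small enough to show in full. The following is an added example written for this article, not the tool's own source: it re-implements the case-insensitive product search and the wordlist export over a constructed CSV sample whose columns follow the product,username,password,source schema the tool uses. The point worth seeing is how blank usernames and passwords are handled, since they are real defaults yet easy to lose when a wordlist is deduplicated or when a consuming tool ignores empty lines.

```python
# Added example (not DefaultCreds-cheat-sheet's own source): a minimal
# re-implementation of the case-insensitive search and the deduplicated
# wordlist export the article describes. SAMPLE_CSV is constructed; rows
# for "ExampleCorp NAS" are fictional and exist only to exercise blanks.
import csv
import io

SAMPLE_CSV = """product,username,password,source
Cisco Router,cisco,cisco,changeme
Apache Tomcat,tomcat,tomcat,routersploit
MongoDB,admin,,SecLists
ExampleCorp NAS,admin,admin,SecLists
ExampleCorp NAS,,,changeme
"""


def load_db(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def search(rows, term):
    """Case-insensitive substring match against the product column."""
    needle = term.lower()
    return [r for r in rows if needle in r["product"].lower()]


def format_results(rows):
    """Render matches as 'product | username | password | source' lines.
    Blank values are printed as <blank> so an empty credential is visible
    instead of disappearing into whitespace."""

    def show(value):
        return value if value else "<blank>"

    return [
        f"{r['product']} | {show(r['username'])} | {show(r['password'])} | {r['source']}"
        for r in rows
    ]


def export_wordlists(rows, keep_blank=True):
    """Return (usernames, passwords), each deduplicated in first-seen order.

    Blank values are kept by default because an empty username or password
    is itself a default that testers and auditors must account for. Pass
    keep_blank=False when the consuming tool cannot handle empty lines.
    """
    users, passwords = [], []
    for r in rows:
        for value, bucket in ((r["username"], users), (r["password"], passwords)):
            if value == "" and not keep_blank:
                continue
            if value not in bucket:
                bucket.append(value)
    return users, passwords


DB = load_db(SAMPLE_CSV)

if __name__ == "__main__":
    for line in format_results(search(DB, "examplecorp")):
        print(line)
    users, passwords = export_wordlists(DB)
    print(f"{len(users)} unique usernames, {len(passwords)} unique passwords")
```

Deduplication here is order-preserving rather than set-based so the exported lists stay stable between runs, which matters when they are checked into a repository or diffed against a previous export.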
The update mechanism pulls fresh data from the GitHub repository, ensuring your local database stays current with community discoveries. The implementation supports proxy configuration for environments with restricted internet access—a practical consideration for SOC teams operating in segmented networks:
# Update database through corporate proxy
creds update --proxy http://proxy.corporate.com:8080
The dataset structure is intentionally flat but includes source attribution. Each entry traces back to its origin (changeme, routersploit, or SecLists), providing audit trails when you need to validate a credential's provenance. The CSV schema is simple:
product,username,password,source
Cisco Router,cisco,cisco,changeme
Apache Tomcat,tomcat,tomcat,routersploit
MongoDB,admin,,SecLists
This flat structure makes it trivial to extend with custom entries or integrate into automated scanning workflows. You could easily parse the CSV in any language—Python, Go, Rust—or import it into a SIEM for correlation with authentication logs to detect unchanged defaults in production environments.
One underappreciated feature: the dataset includes numerous blank username and password entries. These aren't errors—they represent products that ship with authentication entirely disabled or with empty password fields. The statistics are alarming: 814 entries with blank usernames, 479 with blank passwords. During penetration tests, these often represent the fastest path to unauthorized access, yet they're frequently overlooked because testers assume some credential is required.
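The SIEM-correlation idea from the schema discussion and the blank-credential statistics just cited can both be exercised with a short audit script. What follows is an added example written for this article, not part of DefaultCreds-cheat-sheet: it counts blank default usernames and passwords in the CSV, then correlates successful logins from an authentication log with the default usernames known for each host's product. The CSV rows, the host inventory and the log lines are all constructed, and the key=value log format is an assumption made for the example.

```python
# Added example (not part of DefaultCreds-cheat-sheet): a blue-team audit
# pass over the credential CSV. Everything below is constructed sample
# data; the key=value log format is an assumption for this example only.
import csv
import io
import re
from collections import defaultdict

SAMPLE_CSV = """product,username,password,source
Cisco Router,cisco,cisco,changeme
Apache Tomcat,tomcat,tomcat,routersploit
MongoDB,admin,,SecLists
ExampleCorp NAS,admin,admin,SecLists
ExampleCorp NAS,,,changeme
"""

# Constructed asset inventory: which catalogued product runs on which host.
INVENTORY = {
    "core-rtr1": "Cisco Router",
    "app01": "Apache Tomcat",
    "db01": "MongoDB",
    "nas01": "ExampleCorp NAS",
}

# Constructed authentication events. A blank user on nas01 is deliberate:
# the NAS ships with an empty default username.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=core-rtr1 user=cisco result=success",
    "2024-05-01T10:02:14Z host=app01 user=deploy result=success",
    "2024-05-01T10:03:30Z host=app01 user=tomcat result=failure",
    "2024-05-01T10:05:02Z host=db01 user=admin result=success",
    "2024-05-01T10:06:00Z host=nas01 user= result=success",
    "2024-05-01T10:07:45Z host=unknown-box user=admin result=success",
]

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S*) result=(?P<result>\w+)"
)


def load_db(text):
    return list(csv.DictReader(io.StringIO(text)))


def blank_credential_stats(rows):
    """Count entries whose default username or password is empty."""
    blank_users = sum(1 for r in rows if r["username"] == "")
    blank_passwords = sum(1 for r in rows if r["password"] == "")
    return blank_users, blank_passwords


def default_usernames_by_product(rows):
    """Index lower-cased product name -> set of default usernames."""
    index = defaultdict(set)
    for r in rows:
        index[r["product"].lower()].add(r["username"])
    return index


def find_default_logins(log_lines, inventory, rows):
    """Flag successful logins whose username is a known default for the
    host's product. Returns (hits, uninventoried_hosts).

    This is a triage signal, not proof of an unchanged default: a name
    like 'admin' is shared by many products, so each hit still needs the
    password verified or rotated through the normal change process.
    """
    index = default_usernames_by_product(rows)
    hits, uninventoried = [], []
    for line in log_lines:
        m = LOG_RE.fullmatch(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        product = inventory.get(m["host"])
        if product is None:
            if m["host"] not in uninventoried:
                uninventoried.append(m["host"])  # cannot correlate without a product
            continue
        if m["result"] != "success":
            continue
        if m["user"] in index.get(product.lower(), set()):
            hits.append((m["ts"], m["host"], product, m["user"]))
    return hits, uninventoried


DB = load_db(SAMPLE_CSV)

if __name__ == "__main__":
    print("blank usernames, blank passwords:", blank_credential_stats(DB))
    hits, missing = find_default_logins(SAMPLE_LOGS, INVENTORY, DB)
    for ts, host, product, user in hits:
        print(f"{ts} {host} ({product}) logged in as default user {user!r}")
    print("hosts with no inventory mapping:", missing)
```

The inventory lookup is what makes the correlation meaningful: without knowing which product a host runs, every "admin" login would match something in the catalogue, which is the false-positive problem the Gotcha section describes. Hosts missing from the inventory are reported separately rather than silently skipped, since an unmapped asset is itself an audit finding.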
Gotcha
The tool's primary limitation is inherent to its nature: credentials decay. Vendors patch products, release firmware updates, and change defaults in response to security incidents. A credential that worked in 2018 might fail against a 2024 firmware version. DefaultCreds-cheat-sheet provides no version-specific mapping—it's a broad net, not a precision instrument. If you're testing a Cisco ASA firewall, you'll get default credentials for Cisco products generally, but determining which apply to your specific ASA 5500-X running firmware 9.16 requires manual verification against vendor documentation.
The dataset also reflects coverage gaps. Niche industrial control systems, proprietary enterprise appliances, and custom OEM solutions are underrepresented. The tool aggregates from open-source projects maintained by volunteers; if a vendor's defaults aren't in changeme, routersploit, or SecLists, they won't appear here. Additionally, some products use context-dependent defaults—credentials that vary based on installation method, region, or license tier—information that a flat CSV can't effectively capture. This leads to false negatives during testing and false positives when credentials match the product name but not the specific variant you're targeting. Always treat results as starting points for investigation, not authoritative truth.
Verdict
Use if: You're conducting security assessments (pentesting, bug bounties, vulnerability scans) and need rapid reference to common default credentials across hundreds of products; you're a blue team auditing infrastructure and want a checklist of risky defaults to search for in your environment; you need to generate username/password wordlists for automated brute-force testing tools; or you prefer CLI tools that integrate into scripted workflows.
Skip if: You need real-time validation that credentials work against specific product versions (use changeme for automated testing instead); you're targeting industrial control systems or niche vendors likely missing from open-source databases; you want automated exploitation capabilities rather than just credential references (routersploit or Metasploit are better choices); or you need legal/compliance documentation showing vendor-verified defaults for audit purposes (commercial databases like CIRT.net provide verified entries).
This tool excels as a reconnaissance knowledge base and wordlist generator but shouldn't be your only verification step before production security decisions.