Severity: critical | CWE-1392 | OWASP A07:2021

Default Database Credentials

Your database uses factory-default credentials like postgres:postgres, root:root, or admin:admin — the first thing any attacker tries.

How It Works

Default credentials are public knowledge. Every penetration tester and attacker script tries them first. When you initialize a database in a Docker container or cloud service and never change the default password, you're leaving the front door unlocked. Combine this with a publicly accessible database (ID 210) and you have an instant breach.

Vulnerable Code

// BAD: factory-default credentials hardcoded in the connection config
const { Pool } = require('pg'); // node-postgres

const pool = new Pool({
  host: 'db.example.com',
  user: 'postgres',     // default PostgreSQL superuser
  password: 'postgres', // default password, never acceptable in prod
  database: 'postgres'
});

Secure Code

// GOOD: credentials come from the environment, never hardcoded
const { Pool } = require('pg');
// Fail fast if the URL is missing rather than falling back to a default
if (!process.env.DATABASE_URL) throw new Error('DATABASE_URL is not set');
const pool = new Pool({
  connectionString: process.env.DATABASE_URL, // set a strong random password
});
// Generate a strong password: openssl rand -base64 32

Real-World Example

The Mirai botnet variant in 2023 specifically scanned for databases with default credentials. IoT devices and cloud services with default mysql root:root or postgres:postgres credentials were compromised within minutes of being exposed to the internet.

How to Prevent It

  • Generate a strong random password (32+ characters) for every database during provisioning — never leave defaults
  • Use a secrets manager (AWS Secrets Manager, HashiCorp Vault) to store and rotate database credentials
  • In Docker Compose, always set POSTGRES_PASSWORD to a strong value in your .env file, never in docker-compose.yml directly
  • Audit your docker-compose files and Kubernetes manifests for hardcoded default passwords
  • Enable login auditing on your database to detect brute force attempts

Affected Technologies

Node.js, Python, Go

Data Hogo detects this vulnerability automatically.
