Skip to content

Passwords

Passwords in XML

Obviously it is a bad idea to have passwords in cleartext in XML files. If you do, remember that some chars need to be escaped or avoided. Most Unicode characters are allowed directly (without escaping), assuming the file is encoded in UTF-8. For example:

  • Letters and numbers: A-Z, a-z, 0-9
  • Special characters: ä, ö, ü, ß, €, @, etc.
  • Whitespace and standard punctuation: ., ,, !, ?, _, -
  • Special Unicode characters like German umlauts (ä, ö, ü, ß), symbols (€, @), or similar characters generally do not need escaping if UTF-8 encoding is used.

The following five characters have special meanings in XML and must always be escaped:

Character Meaning Escaped version
< Less than <
> Greater than >
& Ampersand &
' Single quotation mark '
" Double quotation mark "

XML forbids control characters (0x00–0x1F) except for Tab (0x09), Linefeed (0x0A), and Carriage Return (0x0D).

Default Passwords

Passwords that are set by default or set if nothing else is configured:

Product Username Password Notes
3Com Switches admin admin Default for many older 3Com switches
Alpine Linux root (no password) No password, requires setup after boot
Android (ADB interface) root (no password) Root access is disabled in most builds
Apple Airport admin public Older versions of Apple Airport routers
Arch Linux root (no password) No password by default, requires manual setup
Aruba Networks admin admin Default login for Aruba switches and routers
Brocade Switches admin password Common on Brocade networking devices
Buffalo LinkStation NAS admin password Default for older Buffalo LinkStation models
Cisco Devices admin / cisco admin / cisco Common for Cisco routers and switches
Debian Live CD user live Default for live CD boot images
Dell iDRAC root calvin Remote management interface default
Docker (swarm root) root (no password) No password for Docker swarm by default
DrayTek Routers admin admin Default for DrayTek devices
Elasticsearch elastic changeme Default user/password for Elastic stack
Fedora Live CD liveuser (no password) Default for Fedora live images
Fortinet Firewall admin (no password) No password set on Fortinet devices
Foscam Cameras admin admin Default for some Foscam models
GitLab (Community Edition) root 5iveL!fe Default for GitLab after fresh installation
GlassFish Server admin adminadmin Default login for GlassFish administration
Grafana admin admin Default admin login for Grafana
HP iLO Administrator Label-specific Password found on device label
Hikvision IP Cameras admin 12345 Default for many Hikvision IP cameras
Huawei Routers admin admin / (no password) Default for some Huawei devices
JBoss (WildFly default) admin admin WildFly default admin credentials
Jenkins (Docker image) admin admin Default for Jenkins Docker containers
Juniper Networks root (no password) Root user with no password by default
Kali Linux (2020 and newer) kali kali Default for newer versions of Kali Linux
Kali Linux (2020 and older) root toor Default for older versions of Kali Linux
Linksys Routers admin admin Standard default for many Linksys models
MikroTik RouterOS admin (no password) No password by default on MikroTik devices
MongoDB (default install) (no username) (no password) No password by default, requires manual config
MySQL root (empty) No password set by default on installation
Nagios (initial install) nagiosadmin nagios Default for Nagios web UI
Netgear Routers admin password Popular default for home Netgear routers
Nvidia Jetson (Developer Kit) nvidia nvidia Default for Nvidia Jetson Developer Kits
OpenVPN Access Server openvpn openvpn Default admin account for OpenVPN AS
OpenWrt (default image) root (no password) No password by default on OpenWrt
Oracle Database system manager Common default for Oracle DB installations
Palo Alto Firewalls admin admin Default for Palo Alto Networks firewalls
phpMyAdmin admin (no password) No password by default for phpMyAdmin
PostgreSQL (initial install) postgres (no password) No password by default
Prometheus (no login) N/A N/A Prometheus has no default login interface
QNAP NAS admin admin Default on QNAP NAS systems
Raspberry Pi (Raspbian) pi raspberry Default for Raspbian OS on Raspberry Pi
Redis (older versions) (no username) (empty) No password by default, needs manual config
Redis (no username) (no password) Default config has no password
RHEL (cloud instances) ec2-user (no password) No password, uses SSH keys for access
Samsung Smart TV admin 00000000 Default for some Samsung smart TVs
SonicWall Firewall admin password Default for SonicWall devices
SonarQube admin admin Default credentials for SonarQube web interface
Sonatype Nexus admin admin123 Default login for Nexus Repository Manager
Supermicro IPMI ADMIN ADMIN Default for Supermicro IPMI systems
Synology NAS admin admin Default for older Synology NAS devices
TP-Link Routers admin admin Common for TP-Link products
Tomcat (default web manager) admin admin Default Tomcat manager credentials
TrendNet Routers admin admin Default for TrendNet routers
Ubiquiti UniFi ubnt ubnt Default for UniFi access points
Ubuntu (cloud instances) ubuntu (no password) Default for cloud images, uses SSH keys
Vagrant Boxes (default user) vagrant vagrant Default user/password for many Vagrant boxes
WordPress (first login) admin admin Default for some WordPress quick installs
XAMPP (MySQL / phpMyAdmin) root (no password) No password set for MySQL in XAMPP
Xerox Printers admin 1111 Default for Xerox multifunction printers
Yealink IP Phones admin admin Default for Yealink VoIP phones
Zabbix Admin zabbix Default admin credentials for Zabbix monitoring
Zoom Room Controllers admin 1234 Default for Zoom Room controllers