
No default or weak passwords in config/docs

ab-001267 · environment-security.environment-isolation.no-default-passwords
Severity: low · active

Why it matters

Example files and README docs are copied verbatim by developers setting up new environments. A .env.example containing a real-looking API key format like sk_test_51abc... trains developers to paste real keys into that pattern, and anyone who clones the repo might assume the example value is valid and try it. CWE-798 (Use of Hard-coded Credentials) and CWE-521 (Weak Password Requirements) both apply when examples provide credential values that normalize insecure patterns. OWASP A07 includes authentication failures caused by weak credential templates. An example with password: 'password' signals to every developer that weak passwords are acceptable.

Severity rationale

Low because default or weak passwords in examples cannot be exploited directly but normalize insecure credential choices and increase the likelihood that developers reuse them in real deployments.

Remediation

Replace every credential-like value in example files and documentation with an unmistakably fake placeholder. The placeholder must be obviously non-functional — not a realistic-format key that someone might try to use.

# .env.example — correct
DATABASE_URL=postgresql://YOUR_DB_USER:YOUR_DB_PASSWORD@localhost/YOUR_DB_NAME
STRIPE_SECRET_KEY=sk_test_YOUR_STRIPE_KEY_HERE
OPENAI_API_KEY=YOUR_OPENAI_API_KEY
JWT_SECRET=YOUR_STRONG_RANDOM_SECRET_HERE

Acceptable placeholders: YOUR_X_HERE, CHANGEME, xxx_placeholder. Unacceptable: password, 12345, test, sk_test_51abc1234 (real-format). Audit every .env.example, docker-compose.yml, and README code block that contains a credential field.

Detection

  • ID: environment-security.environment-isolation.no-default-passwords

  • Severity: low

  • What to look for: Check example files (.env.example, .env.local.example, README), configuration files, and documentation for any default passwords, weak passwords, or hardcoded credentials. Look for patterns like password: 'password', api_key: 'test_key', or default_secret: '12345'.

  • Pass criteria: Count all example/documentation files containing credential-like values. 100% of example files and documentation must use clearly obvious placeholder values like YOUR_API_KEY_HERE, CHANGEME, xxx_placeholder, or similar. No weak or real credentials in examples.

  • Fail criteria: Example files or docs include weak passwords (password, test, admin) or placeholder values that look real (e.g., sk_test_1234..., which follows the actual production key format).

  • Skip (N/A) when: Never — examples should always use clear placeholders.

  • Detail on fail: ".env.example contains default password 'password'" or "README shows real-looking API key example".

  • Remediation: Update example files with clear placeholders:

    # .env.example
    DATABASE_URL=postgresql://user:password@localhost/dbname  # NO!
    
    # Correct:
    DATABASE_URL=YOUR_DATABASE_URL_HERE
    STRIPE_SECRET_KEY=sk_test_YOUR_STRIPE_KEY
    API_KEY=YOUR_API_KEY_HERE
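As an added example (not this page's or any project's own checker), a small Python scanner that applies the pass/fail criteria above to an example file: obvious placeholders pass, weak or real-format values in credential fields fail. The regexes, the weak-value list and the sample file are all constructed assumptions for this illustration.

```python
import re

LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*)$")     # KEY=VALUE or key: value
PLACEHOLDER_RE = re.compile(r"YOUR_[A-Z0-9_]+|CHANGEME|xxx_placeholder|<[^>]+>")  # obvious placeholders
REALISTIC_KEY_RE = re.compile(r"^(sk|pk|rk)_(test|live)_[A-Za-z0-9]{8,}$")  # Stripe-like key shape (assumed)
CRED_KEY_RE = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)                # field names that hold credentials
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^:/@]+):([^@]+)@")     # scheme://user:pass@host
WEAK_VALUES = {"password", "12345", "123456", "test", "admin", "test_key", "secret", "changeit"}

def classify_value(key, value):
    """'pass' (obvious placeholder), 'weak', 'real-format', 'not-placeholder', or 'ok' (not a credential)."""
    value = value.strip().strip("'\"")
    is_cred = bool(CRED_KEY_RE.search(key))
    url = URL_CRED_RE.match(value)
    if url:  # connection string: judge the embedded password, not the whole URL
        value, is_cred = url.group(2), True
    if not value:
        return "ok"
    if PLACEHOLDER_RE.search(value):
        return "pass"
    if REALISTIC_KEY_RE.match(value):
        return "real-format"   # fails even outside a credential field: someone may try to use it
    if not is_cred:
        return "ok"
    if value.lower() in WEAK_VALUES:
        return "weak"
    return "not-placeholder"   # credential field whose value is not an unmistakable placeholder

def scan_dotenv(text):
    """Return [(line_no, key, verdict)] for every line that fails the rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0]          # drop a trailing comment
        m = LINE_RE.match(line)
        if not m:                             # blank line, full-line comment, or not key/value
            continue
        verdict = classify_value(m.group(1), m.group(2))
        if verdict not in ("pass", "ok"):
            findings.append((n, m.group(1), verdict))
    return findings

# Constructed sample mixing the page's good and bad patterns.
SAMPLE_ENV_EXAMPLE = """\
# constructed .env.example
DATABASE_URL=postgresql://user:password@localhost/dbname  # NO!
STRIPE_SECRET_KEY=sk_test_51abc1234
OPENAI_API_KEY=YOUR_OPENAI_API_KEY
NODE_ENV=test
api_key: 'test_key'
"""
```

Running `scan_dotenv(SAMPLE_ENV_EXAMPLE)` flags lines 2, 3 and 6; `NODE_ENV=test` is not flagged because the field is not credential-like.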
    
