Broken Authentication - Default Credentials Challenge

Making a post just to clarify an issue I experienced in the “Broken Authentication” Module. The Default Credentials page in the Login Bruteforcing segment of the module has a challenge that requires you to use default credentials to log in via a web form.

DO NOT use scada-pass.csv located here SecLists/Passwords/Default-Credentials at master · danielmiessler/SecLists · GitHub. I spent hours on this challenge when it turns out this file does not have the username you need to complete the challenge. The only place I could find that does is this website SCADA Default Password List (


Had the same problem. Username is valid, but password is not, so I couldn’t test the Python script from this module.

Ya, do not use that list. Googled it and found this one useful


Cheers, I was there and tried all kinds of manipulation of text in the csv file - good to know, thanks for sharing.

Yes thanks. Some of the questions are quite frustrating where the lesson tells you to use certain things, but then the end question requires something completely different.

A very usual way on HTB… sometimes challenging… sometimes very frustrating

Thank you for sharing this valuable information and warning about the challenge in the “Broken Authentication” module. It’s essential for others to be aware that the file scada-pass.csv from the SecLists repository does not contain the necessary username for completing the challenge. Instead, the correct username can be found on the website SCADA Default Password List


Instead of going the brute force route, I’d recommend just giving Google a try. I personally spent around 30-40 minutes searching through SecLists and various other lists.


Username and password are contained in scadapass.csv and are already in the format of username:password.

One can use this list to solve this in an efficient way.

Hope this helps.
