Login Password: Bwapp
BWAPP stores passwords as MD5 (no salt). This is weak—attackers can use rainbow tables. Modern apps should use bcrypt, Argon2, or PBKDF2.
You likely have the security level set to "high." Go to http://localhost/bWAPP/portal.php (after login) and change the security level to "low" to prevent aggressive session timeouts. bwapp login password
Yes. Log in as bee, go to the "Change Password" section, or update the hash directly in the users table of the MySQL database. Remember that running install.php again will reset it to bug. BWAPP stores passwords as MD5 (no salt)
| Field | Default Value |
|-------|----------------|
| Login | bee |
| Password | bug | You likely have the security level set to "high
BWAPP can be installed in many ways; the credentials remain the same, but access URLs differ.
| Environment | Default URL | Login Credentials |
|--------------|---------------|--------------------|
| Native (XAMPP/WAMP) | http://localhost/bWAPP/login.php | bee / bug |
| Docker (Rauthan image) | http://localhost:8080/login.php | bee / bug |
| Metasploitable 2 | http://<VM_IP>/bWAPP/login.php | bee / bug |
| VulnHub machines | Check VM’s IP | bee / bug (unless noted) |
| Online demo | (No official demo) | N/A (self-host only) |
If you use Bee-Box (the official VMware image of BWAPP), the Linux VM login is root/bug, but the web app still uses bee/bug.