---
title: Avoid Default Admin/Root Accounts
impact: HIGH
impactDescription: prevents easy initial access by attackers
tags: admin, default-accounts, credentials, security, csharp
---

## Avoid Default Admin/Root Accounts

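Do not seed default admin accounts with known passwords. A password hard-coded in seed code is identical on every deployment and readable by anyone with access to the source, which gives attackers easy initial access.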

**Incorrect:**

```csharp
// Seeding: the same well-known password ends up on every installation
if (!users.Any())
{
    await userManager.CreateAsync(new User("admin"), "Admin123!");
}
```

**Correct:**

```csharp
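// Require setup via UI or CLI, or use a random password printed to logs on first startup
if (!users.Any())
{
    var pwd = GenerateRandomPassword(); // must draw from a CSPRNG, not System.Random
    var result = await userManager.CreateAsync(new User("admin"), pwd);
    if (result.Succeeded) // log only once the account actually exists
        logger.LogInformation("Generated Admin Password: {Pwd}", pwd);
}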
```
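
A fuller version of the first-startup approach, as an added example that is not part of the original rule: it fills in `GenerateRandomPassword` with a CSPRNG-backed generator whose output satisfies ASP.NET Core Identity's default password policy. `AdminSeeder`, `SeedAsync`, and the use of `IdentityUser` in place of the page's `User` type are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;

public static class AdminSeeder // hypothetical class name
{
    // Upper, lower, digit, symbol: the classes Identity's default policy requires.
    private static readonly string[] Classes =
    {
        "ABCDEFGHJKLMNPQRSTUVWXYZ", "abcdefghijkmnopqrstuvwxyz", "23456789", "!@#$%^&*-_=+"
    };

    // Hypothetical helper (not an Identity API): CSPRNG-backed password generator.
    public static string GenerateRandomPassword(int length = 24)
    {
        if (length < Classes.Length) throw new ArgumentOutOfRangeException(nameof(length));
        var all = string.Concat(Classes);
        var chars = new char[length];
        // One character from each class so the password validators accept it.
        for (var i = 0; i < Classes.Length; i++)
            chars[i] = Classes[i][RandomNumberGenerator.GetInt32(Classes[i].Length)];
        for (var i = Classes.Length; i < length; i++)
            chars[i] = all[RandomNumberGenerator.GetInt32(all.Length)];
        // Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
        for (var i = length - 1; i > 0; i--)
        {
            var j = RandomNumberGenerator.GetInt32(i + 1);
            (chars[i], chars[j]) = (chars[j], chars[i]);
        }
        return new string(chars);
    }

    // Call once at startup, after the user store is available.
    public static async Task SeedAsync(UserManager<IdentityUser> userManager, ILogger logger)
    {
        if (userManager.Users.Any()) return; // seed only an empty user store

        var pwd = GenerateRandomPassword();
        var result = await userManager.CreateAsync(new IdentityUser("admin"), pwd);
        if (!result.Succeeded)
            throw new InvalidOperationException(
                string.Join("; ", result.Errors.Select(e => e.Description)));

        // Logged once, only after the account exists; nothing is hard-coded in source.
        logger.LogInformation("Generated Admin Password: {Pwd}", pwd);
    }
}
```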

**Tools:** Manual Review
