---
title: Avoid Default Admin/Root Accounts
impact: HIGH
impactDescription: prevents easy initial access by attackers
tags: admin, default-accounts, credentials, security
---

## Avoid Default Admin/Root Accounts

Default accounts with known credentials (e.g., admin/admin) are the first thing attackers check, so an application must never ship one in its seed data or migrations.

**Incorrect (default admin in seed):**

```go
// Seed script: a predictable email, a guessable plaintext password and the admin role,
// committed to the repository and identical in every deployment
db.Exec("INSERT INTO users (email, password, role) VALUES ('admin@example.com', 'admin123', 'admin')")
```

**Correct (secure initial setup):**

```go
import (
    "log"
    "net/http"
    "os"
)

// adminExists and createAdmin are the application's own persistence helpers (not shown);
// createAdmin must store a password hash (bcrypt/argon2), never the plaintext.

// 1. Setup wizard on first run: the guard turns the endpoint into a no-op once an admin exists
func SetupHandler(w http.ResponseWriter, r *http.Request) {
    if adminExists() {
        http.Error(w, "Setup already done", http.StatusForbidden)
        return
    }
    // Form to create first admin...
}

// 2. Or use environment variables for bootstrap; refuse to start rather than fall back to a default
func BootstrapAdmin() {
    email := os.Getenv("INITIAL_ADMIN_EMAIL")
    pass := os.Getenv("INITIAL_ADMIN_PASSWORD")

    if email == "" {
        log.Fatal("INITIAL_ADMIN_EMAIL required")
    }
    if len(pass) < 16 {
        log.Fatal("Secure INITIAL_ADMIN_PASSWORD (16+ characters) required")
    }
    createAdmin(email, pass)
}
```
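The snippets above leave `adminExists`, `createAdmin` and the password policy to the reader. The block below is an added, self-contained example (not code from the page or any project) that fills those in: an in-memory `Store` stands in for the users table, passwords are salted and hashed with a standard-library PBKDF2-HMAC-SHA256 (bcrypt or argon2 would be the usual choice in a real service), `BootstrapAdmin` takes a `getenv` function so it can be exercised without touching the real environment, and `AuditDefaultAccounts` is the "Security Audit" check that finds an admin whose stored hash still verifies against a well-known default. The `knownDefaults` list and the `iterations` count are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"os"
	"slices"
	"strings"
)

// iterations is kept low so the example runs quickly; production PBKDF2-HMAC-SHA256 should use OWASP's 600,000.
const iterations = 10_000

// knownDefaults is a constructed sample deny-list of factory-default passwords; grow it from your own audits.
var knownDefaults = []string{"admin", "admin123", "password", "changeme", "letmein", "welcome1", "123456"}

// User stands in for a users-table row; Store is an assumed in-memory store (swap in your DB layer).
type User struct {
	Email, Role string
	Salt, Hash  []byte
}
type Store struct{ users []User }

// pbkdf2SHA256 is single-block PBKDF2-HMAC-SHA256 (RFC 8018) with a 32-byte output, standard library only.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): one block is enough for 32 bytes
	u := prf.Sum(nil)              // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}
// AddUser salts and hashes pass but applies no policy: called with a known default it is the page's "incorrect" seed.
func (s *Store) AddUser(email, role, pass string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.users = append(s.users, User{Email: email, Role: role, Salt: salt, Hash: pbkdf2SHA256([]byte(pass), salt, iterations)})
	return nil
}
// Verify compares a candidate password against the stored hash in constant time.
func (u User) Verify(pass string) bool {
	return subtle.ConstantTimeCompare(u.Hash, pbkdf2SHA256([]byte(pass), u.Salt, iterations)) == 1
}
// AdminExists is the guard both the setup wizard and the bootstrap path rely on.
func (s *Store) AdminExists() bool {
	return slices.ContainsFunc(s.users, func(u User) bool { return u.Role == "admin" })
}
// ValidateInitialPassword enforces the page's 16-character minimum and rejects values built on a known default.
func ValidateInitialPassword(pass string) error {
	if len(pass) < 16 {
		return fmt.Errorf("INITIAL_ADMIN_PASSWORD must be at least 16 characters")
	}
	for _, d := range knownDefaults {
		if strings.Contains(strings.ToLower(pass), d) {
			return fmt.Errorf("INITIAL_ADMIN_PASSWORD contains well-known default %q", d)
		}
	}
	return nil
}
// BootstrapAdmin is the page's env-variable path made idempotent; getenv is injected (os.Getenv in production).
func (s *Store) BootstrapAdmin(getenv func(string) string) error {
	if s.AdminExists() {
		return nil // never re-create or overwrite an existing admin
	}
	email, pass := getenv("INITIAL_ADMIN_EMAIL"), getenv("INITIAL_ADMIN_PASSWORD")
	if !strings.Contains(email, "@") {
		return fmt.Errorf("INITIAL_ADMIN_EMAIL required")
	}
	if err := ValidateInitialPassword(pass); err != nil {
		return err
	}
	return s.AddUser(email, "admin", pass)
}
// AuditDefaultAccounts is the "Security Audit" check: it reports every admin whose hash verifies against a known default.
func (s *Store) AuditDefaultAccounts() []string {
	var findings []string
	for _, u := range s.users {
		for _, d := range knownDefaults {
			if u.Role == "admin" && u.Verify(d) {
				findings = append(findings, fmt.Sprintf("%s uses default password %q", u.Email, d))
				break
			}
		}
	}
	return findings
}
func main() {
	s := &Store{}
	fmt.Println("bootstrap:", s.BootstrapAdmin(os.Getenv), "| audit findings:", s.AuditDefaultAccounts())
}
```

Run it with `INITIAL_ADMIN_EMAIL` and `INITIAL_ADMIN_PASSWORD` set; an unset or weak password makes `BootstrapAdmin` return an error instead of silently creating an account, and a second call is a no-op. The audit runs only against a short deny-list, so it is a cheap startup or CI check rather than a cracking job.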

**Tools:** Security Audit, Configuration Review
