---
title: Avoid Default Admin/Root Accounts
impact: HIGH
impactDescription: prevents easy initial compromise via well-known default administrative credentials
tags: admin, default-accounts, credentials, security, kotlin
---

## Avoid Default Admin/Root Accounts

Applications that ship with default administrative accounts (e.g., `admin/password`) are prime targets for automated attacks. Attackers scan for these default login paths and credentials as their first step in a system breach.

**Incorrect (default admin in seeds or config):**

```kotlin
// Database migration/seed creating a default admin.
// The credential is fixed in source control, so anyone who reads the code
// (or a published image of it) knows a privileged account exists and how to log in.
fun seedDatabase() {
    val adminExists = repository.existsByRole("ADMIN")
    if (!adminExists) {
        val root = User(email = "admin@example.com", password = passwordEncoder.encode("admin123"), role = "ADMIN")
        repository.save(root)
    }
}
```

**Correct (secure initial setup):**

```kotlin
data class AdminSetupRequest(val email: String, val password: String)

// 1. Initial setup wizard approach: the first administrator is created once,
//    interactively, with a password chosen by the operator rather than shipped in code.
@PostMapping("/api/initial-setup")
fun setupAdmin(@RequestBody request: AdminSetupRequest): ResponseEntity<Any> {
    if (userService.hasAnyAdmin()) {
        return ResponseEntity.status(403).body("Setup already completed")
    }

    // Validate password complexity
    if (request.password.length < 16) {
        return ResponseEntity.badRequest().body("Initial admin password must be at least 16 characters")
    }

    userService.createAdmin(request.email, request.password)
    return ResponseEntity.ok("Admin account created successfully")
}

// 2. Environment-based initial credentials: refuse to start without a strong,
//    operator-supplied value instead of falling back to a built-in default.
fun requireInitialAdminPassword(): String {
    val initialAdminPass = System.getenv("INITIAL_ADMIN_PASSWORD")
    if (initialAdminPass.isNullOrBlank() || initialAdminPass.length < 12) {
        throw IllegalStateException("A strong INITIAL_ADMIN_PASSWORD must be provided via environment variables")
    }
    return initialAdminPass
}
```

**Security Best Practices:**
- Never hardcode administrative credentials in logic or configuration files.
- Force an administrative password change on first login if a temporary password is provided.
- Avoid obvious usernames like `admin`, `root`, `administrator`, or `sysadmin`.
- Use Multi-Factor Authentication (MFA) for all administrative access.

**Tools:** Security Audit, Penetration Testing, CI/CD configuration checks.
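As an added illustration of the CI/CD configuration check listed above (example code, not part of this rule or any project), the following Python script flags hardcoded administrative passwords such as the seed in the Incorrect block; the denylist, regexes and sample inputs are constructed here and are not exhaustive.

```python
"""Added CI check (not the rule's own code): flag hardcoded admin/default passwords in seed code and config."""
import re
import sys
from dataclasses import dataclass
# Constructed, non-exhaustive denylist of well-known default passwords.
KNOWN_DEFAULTS = {"admin", "admin123", "password", "root", "changeme", "secret"}
# Literal password in code, e.g.  password = passwordEncoder.encode("admin123")
CODE_LITERAL = re.compile(r'password\s*=\s*(?:\w+\.)*\w*\(?\s*"([^"]*)"', re.I)
# Config keys naming an admin/root password, e.g.  admin.password=admin
CONFIG_KEY = re.compile(r'^\s*([\w.\-]*(?:admin|root)[\w.\-]*password[\w.\-]*)\s*[:=]\s*(.+?)\s*$', re.I)
ADMIN_ROLE = re.compile(r'role\s*=\s*"(?:ADMIN|ROOT|SUPERUSER)"', re.I)
# Template placeholders such as ${VAR} or <placeholder> are not findings.
PLACEHOLDER = re.compile(r'^(?:\$\{[^}]+\}|<[^>]+>)$')
# Constructed samples: the seed from the Incorrect block above and a config fragment.
SAMPLE_SEED = '''fun seedDatabase() {
    val root = User(email = "admin@example.com", password = passwordEncoder.encode("admin123"), role = "ADMIN")
    repository.save(root)
}'''
SAMPLE_CONFIG = "server.port=8080\nadmin.password=admin\nINITIAL_ADMIN_PASSWORD=${INITIAL_ADMIN_PASSWORD}\n"

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    reason: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that hardcodes an admin or default password."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        code = CODE_LITERAL.search(line)
        if code and not PLACEHOLDER.match(code.group(1)):
            why = "well-known default password" if code.group(1).lower() in KNOWN_DEFAULTS else "hardcoded password literal"
            if ADMIN_ROLE.search(line):
                why += " for an ADMIN-role user"
            findings.append(Finding(path, n, why))
            continue
        cfg = CONFIG_KEY.match(line)
        if cfg and not PLACEHOLDER.match(cfg.group(2).strip("\"'")):
            findings.append(Finding(path, n, f"admin password set in config key {cfg.group(1)}"))
    return findings

def scan_files(paths: list[str]) -> list[Finding]:
    """Read files from disk; in CI, any finding fails the build."""
    return [f for p in paths for f in scan_text(p, open(p, errors="replace").read())]

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("seed.kt", SAMPLE_SEED) + scan_text("app.properties", SAMPLE_CONFIG)
    # Exiting with a message prints it to stderr and returns status 1, which fails the CI job.
    sys.exit("\n".join(f"{f.path}:{f.line}: {f.reason}" for f in hits) if hits else 0)
```

Run it with the seed and configuration files as arguments in the pipeline; with no arguments it scans the embedded samples and reports the seeded `admin123` account and the `admin.password` config key while accepting the `${INITIAL_ADMIN_PASSWORD}` placeholder.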
