---
title: Avoid Default Admin/Root Accounts
impact: HIGH
impactDescription: prevents attackers from gaining initial administrative access via known credentials
tags: admin, default-accounts, credentials, security, php
---

## Avoid Default Admin/Root Accounts

Systems that ship with a default administrative account (e.g. `admin@example.com` / `password`) are trivially compromised: attackers run automated scans for these well-known credentials across the internet, so a deployment that keeps them is exposed from the moment it goes online.

**Incorrect (hardcoded or weak default admin):**

```php
// UserSeeder.php
User::create([
    'email' => 'admin@company.com',
    'password' => Hash::make('admin123'), // DEFAULT!
    'is_admin' => true,
]);

// Production code with "test" roles
if ($user->email === 'admin@test.com') {
    // Grant full access
}
```

**Correct (secure initial setup):**

```php
// 1. Read the initial credentials from the environment and refuse to continue
//    without them; never fall back to a hardcoded default email or password.
$email    = env('INITIAL_ADMIN_EMAIL');
$password = env('INITIAL_ADMIN_PASSWORD');

if ($email === null || $password === null) {
    throw new \RuntimeException("INITIAL_ADMIN_EMAIL and INITIAL_ADMIN_PASSWORD must be set in .env");
}

// 2. Reject default or weak passwords in production BEFORE any account is created
if (App::environment('production')) {
    if ($password === 'admin' || $password === 'password' || strlen($password) < 12) {
        throw new \RuntimeException("A strong, non-default INITIAL_ADMIN_PASSWORD must be configured.");
    }
}

User::create([
    'name'     => 'System Admin',
    'email'    => $email,
    'password' => Hash::make($password),
    'is_admin' => true,
]);

// 3. One-time setup screen: usable only until the first admin exists
public function installAdmin(Request $request) {
    if (User::where('is_admin', true)->exists()) {
        abort(403, "Admin already exists.");
    }

    // Validate and create admin...
}
```
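The snippets above are fragments; the following is an added example (not code from the original page) showing the same controls as one complete Laravel artisan command. It assumes a `User` model with `is_admin` and `must_change_password` boolean columns, a `security` log channel, and that `config/app.php` maps `initial_admin_email` / `initial_admin_password` to the `INITIAL_ADMIN_EMAIL` / `INITIAL_ADMIN_PASSWORD` variables. The file path and the `admin:create-initial` signature are hypothetical.

```php
<?php
// app/Console/Commands/CreateInitialAdmin.php  (hypothetical path; added example)

namespace App\Console\Commands;

use App\Models\User;
use Illuminate\Console\Command;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;

class CreateInitialAdmin extends Command
{
    protected $signature = 'admin:create-initial';
    protected $description = 'Create the first administrator from INITIAL_ADMIN_* settings';

    // Well-known defaults that must never be accepted as an administrator password.
    private const DENYLIST = ['admin', 'admin123', 'password', 'changeme', 'secret'];

    public function handle(): int
    {
        // Refuse to run twice: a second run would be a way to plant an extra admin.
        if (User::where('is_admin', true)->exists()) {
            $this->error('An administrator already exists; refusing to create another.');
            return self::FAILURE;
        }

        // Read through config() rather than env(): once `php artisan config:cache`
        // has run, env() returns null outside the config files.
        $email    = (string) config('app.initial_admin_email', '');
        $password = (string) config('app.initial_admin_password', '');

        if ($email === '' || $password === '') {
            $this->error('INITIAL_ADMIN_EMAIL and INITIAL_ADMIN_PASSWORD must both be set.');
            return self::FAILURE;
        }

        if ($reason = self::weakPasswordReason($password)) {
            $this->error("Refusing to create admin: {$reason}");
            return self::FAILURE;
        }

        $user = User::create([
            'name'                 => 'System Admin',
            'email'                => $email,
            'password'             => Hash::make($password),
            'is_admin'             => true,
            'must_change_password' => true, // assumed column; enforces a first-login reset
        ]);

        // Audit trail: record who was created, never the password itself.
        Log::channel('security')->warning('Initial administrator account created', [
            'user_id' => $user->id,
            'email'   => $user->email,
        ]);

        $this->info("Administrator {$user->email} created; password change required at first login.");
        return self::SUCCESS;
    }

    /** Returns why the password is unacceptable, or null if it passes the checks. */
    public static function weakPasswordReason(string $password): ?string
    {
        if (in_array(strtolower($password), self::DENYLIST, true)) {
            return 'password is a well-known default';
        }
        if (strlen($password) < 12) {
            return 'password is shorter than 12 characters';
        }
        return null;
    }
}
```

Running `php artisan admin:create-initial` once during deployment replaces the seeder: the command is idempotent, fails closed when the variables are missing or weak, and leaves a log entry rather than a silently created account.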

**Best Practices:**
- **Dynamic Selection**: Do not hardcode "admin" as the username or email. Require the user to define it during installation.
- **Force Reset**: If you must generate a default password, force the user to change it upon their first login.
- **Notification**: Log and alert administrators when an administrative account is created or its password is changed.
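The "Force Reset" and "Notification" points can be enforced in code. The following added example (not from the original page) is a Laravel middleware that blocks every route except the password-change flow while `must_change_password` is set, plus the controller action that clears the flag and writes an audit entry. Route names, file paths and the `security` log channel are assumptions; `must_change_password` is an assumed boolean column on `users`.

```php
<?php
// app/Http/Middleware/RequirePasswordChange.php  (hypothetical path; added example)

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequirePasswordChange
{
    // Routes that stay reachable while a password change is pending.
    private const ALLOWED = ['password.change', 'password.update', 'logout'];

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();

        if ($user && $user->must_change_password
            && !in_array($request->route()?->getName(), self::ALLOWED, true)) {
            // Force the reset before any other authenticated page is served.
            return redirect()->route('password.change');
        }

        return $next($request);
    }
}

// app/Http/Controllers/PasswordChangeController.php  (hypothetical path; added example)

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\Rules\Password;

class PasswordChangeController extends Controller
{
    public function update(Request $request)
    {
        $validated = $request->validate([
            // 'current_password' verifies the value against the logged-in user's hash
            'current_password' => ['required', 'current_password'],
            // Minimum length plus a check against known breached passwords
            'password'         => ['required', 'confirmed', Password::min(12)->uncompromised()],
        ]);

        $user = $request->user();
        $user->forceFill([
            'password'             => Hash::make($validated['password']),
            'must_change_password' => false,
        ])->save();

        // Alert-worthy event: administrative credentials changed. Log context, not secrets.
        Log::channel('security')->notice('Password changed', [
            'user_id'  => $user->id,
            'is_admin' => (bool) $user->is_admin,
            'ip'       => $request->ip(),
        ]);

        return redirect()->route('dashboard')->with('status', 'Password updated.');
    }
}
```

Register the middleware on the authenticated route group so the check runs on every request; the `security` channel can then be wired to an alerting sink so that administrator creation and password changes surface as events rather than being buried in the application log.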

**Tools:** Laravel Seeders, Environment Validation, Security Audit
