---
title: Avoid Default Credentials
impact: CRITICAL
impactDescription: prevents easy access for attackers through well-known defaults
tags: security, credentials, authentication, hardcoded
---

## Avoid Default Credentials

Never ship default passwords or hardcoded administrative credentials to production. Every environment must have its own unique, strong credentials that are loaded from outside the source tree, so a value that leaks with the code (or is documented by a vendor) cannot open an account.

**Incorrect (default values in code):**

```ruby
ADMIN_PASSWORD = "admin" # Default password
```

**Correct (randomized or environment-specific):**

```ruby
# Use Rails credentials: the value lives in the encrypted credentials file,
# and the decryption key (config/master.key or RAILS_MASTER_KEY) stays out of the repo
ADMIN_PASSWORD = Rails.application.credentials.admin_password

# Or use ENV with a fail-safe check so production refuses to boot without a value
# (`blank?` comes from ActiveSupport and also catches an empty string)
raise "Set ADMIN_PASSWORD" if Rails.env.production? && ENV['ADMIN_PASSWORD'].blank?
```
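The fail-safe check above only guards against a missing value; it still accepts `ADMIN_PASSWORD=admin` if someone exports it. The following is an added example, not code from the original rule page, written in plain Ruby so it runs without Rails: it resolves the credential from an environment-like hash (inject `ENV` in a real app), refuses a list of well-known defaults in every environment, and enforces a minimum length in production. The module name `CredentialGuard`, the method names, the `KNOWN_DEFAULTS` list and `MIN_LENGTH` are assumptions chosen for the example.

```ruby
# Added example (not part of the original page): a boot-time credential check.
# CredentialGuard, KNOWN_DEFAULTS and MIN_LENGTH are names assumed for this example.
require 'set'

module CredentialGuard
  # Well-known defaults that are never acceptable, in any environment.
  # Constructed list for the example; extend it from your own audits.
  KNOWN_DEFAULTS = Set.new(%w[admin password changeme root 123456 admin123]).freeze
  MIN_LENGTH = 16

  class MissingCredential < StandardError; end
  class WeakCredential < StandardError; end

  # Resolve the admin password from an environment-like hash.
  # `env` is injected so the check can be unit-tested; pass ENV in a real app.
  # `production:` decides whether a missing value is fatal.
  def self.resolve_admin_password(env, production:)
    value = env['ADMIN_PASSWORD'].to_s.strip

    if value.empty?
      raise MissingCredential, 'Set ADMIN_PASSWORD' if production
      return nil # development may run without an admin account
    end

    # Reject known defaults everywhere: a default that works in development
    # tends to be copied into a deployment.
    if KNOWN_DEFAULTS.include?(value.downcase)
      raise WeakCredential, 'ADMIN_PASSWORD matches a well-known default'
    end

    if production && value.length < MIN_LENGTH
      raise WeakCredential, "ADMIN_PASSWORD must be at least #{MIN_LENGTH} characters"
    end

    value
  end

  # Convenience predicate for a self check: true when the environment passes.
  def self.acceptable?(env, production:)
    resolve_admin_password(env, production: production)
    true
  rescue MissingCredential, WeakCredential
    false
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample environments for a manual run.
  puts CredentialGuard.acceptable?({ 'ADMIN_PASSWORD' => 'admin' }, production: false) # false
  puts CredentialGuard.acceptable?({}, production: true)                                # false
  puts CredentialGuard.acceptable?({ 'ADMIN_PASSWORD' => 'xk7Qp2vL9mRt4sWz' }, production: true) # true
end
```

Call `CredentialGuard.resolve_admin_password(ENV, production: Rails.env.production?)` from an initializer so the application fails at boot, where the operator sees it, rather than at first login.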

**Tools:** Manual Review, Security audits

---
