---
title: No Default or Static Admin Accounts
impact: CRITICAL
impactDescription: prevents easy administrative access through well-known or static credentials
tags: security, authorization, credentials, admin
---

## No Default or Static Admin Accounts

Do not seed default users or admin accounts with hardcoded passwords in `db/seeds.rb` or initial configuration. A static credential ships identically to every deployment, so anyone who reads the seed file or guesses the well-known value gets administrative access.

**Incorrect (default seed):**

```ruby
# db/seeds.rb
User.create!(email: "admin@example.com", password: "password", admin: true)
```

**Correct (env-driven seed):**

```ruby
# db/seeds.rb
# ENV.fetch raises KeyError when the variable is unset, so the seed fails loudly
# instead of creating an admin with a nil email or password.
User.find_or_create_by!(email: ENV.fetch('INITIAL_ADMIN_EMAIL')) do |u|
  u.password = ENV.fetch('INITIAL_ADMIN_PASSWORD')
  u.admin = true
end
```
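An added example, not part of the original rule, of the checks a seed script should make before creating the admin: fail fast when the variables are missing, reject blank or well-known placeholder passwords, and never reset an existing account on re-seed. It assumes a hypothetical in-memory `UserStore` standing in for the ActiveRecord `User` model and takes a hash in place of `ENV`.

```ruby
require 'set'

# Placeholder passwords that must never reach a seeded admin account
# (constructed list for this example; extend from your own policy).
DEFAULT_PASSWORDS = Set.new(%w[password admin changeme 123456 secret administrator]).freeze
MIN_PASSWORD_LENGTH = 12

class SeedError < StandardError; end

# Hypothetical stand-in for the User model so the example runs without Rails.
class UserStore
  def initialize
    @users = {}
  end

  def find_by_email(email)
    @users[email]
  end

  def create!(email:, password:, admin:)
    @users[email] = { email: email, password: password, admin: admin }
  end
end

# Seeds the initial admin from +env+ (ENV in a real db/seeds.rb).
# Returns :created or :skipped; raises SeedError rather than silently seeding
# a missing, blank or well-known credential.
def seed_initial_admin(env, store)
  email = env.fetch('INITIAL_ADMIN_EMAIL') { raise SeedError, 'INITIAL_ADMIN_EMAIL not set' }
  password = env.fetch('INITIAL_ADMIN_PASSWORD') { raise SeedError, 'INITIAL_ADMIN_PASSWORD not set' }

  raise SeedError, 'admin email must not be blank' if email.strip.empty?
  raise SeedError, 'password is a well-known default' if DEFAULT_PASSWORDS.include?(password.downcase)
  raise SeedError, "password shorter than #{MIN_PASSWORD_LENGTH} characters" if password.length < MIN_PASSWORD_LENGTH

  # Idempotent: a re-run must not overwrite an existing account's password.
  return :skipped if store.find_by_email(email)

  store.create!(email: email, password: password, admin: true)
  :created
end
```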

**Tools:** Manual Review
---
