Updated Scope (per Jeff)
The hardcoded admin credentials (\Admin123!) are intentional for dev/initial-install workflows. This is a developer convenience feature, not a security vulnerability in the traditional sense.
What we want instead:
- Keep \Admin123!\ as the default seed password for development mode
- Keep the admin user seeding on first run
- Add a forced password reset mechanism on first production login
- Remove the password string from \ActivityEvent\ trace logging (no reason to log it)
- Detect environment (Development vs Production) and warn or block if default creds are still active in production
Revised priority: Downgraded from P0 to Medium this is a hardening enhancement, not a critical vulnerability.
Suggested Implementation
- Add a \MustChangePassword\ flag to the admin user on seed
- On login, if \MustChangePassword\ is true, redirect to a forced password change page
- In Production environment, log a warning at startup if the default admin password hasn't been changed
- Remove the password string from the ActivityEvent trace
Updated Scope (per Jeff)
The hardcoded admin credentials (\Admin123!) are intentional for dev/initial-install workflows. This is a developer convenience feature, not a security vulnerability in the traditional sense.
What we want instead:
Revised priority: Downgraded from P0 to Medium this is a hardening enhancement, not a critical vulnerability.
Suggested Implementation