Abolish Default Credentials

[moritztim]

A tool with this kind of access to the system and its network should not intentionally feature one of the Top 10 Infrastructure Security Risks¹.

Why?

• Until the the credentials are changed manually, anyone can look up or crack the credentials and log in.
• It's easy for the user to just not change the credentials at all, which is a common thing to do¹.
• The password "changeme", even if it wasn't known, takes <1 Second² to crack, which makes it vulnerable and a bad example to the user
• The login page gives a false sense of security until the credentials are changed.

Footnotes

1. https://owasp.org/www-project-top-10-infrastructure-security-risks/docs/2024/ISR07_2024-Insecure_Authentication_Methods_and_Default_Credentials ↩ ↩²

2. https://nordpass.com/most-common-passwords-list/ ↩

[OfficialMuffin]

I agree, an applications web interface that could be potentially open to the outside world either intentionally or by accident should be protected. A form to ask the user to change password on docker container startup should be developed.

[moritztim]

@OfficialMuffin

A form to ask the user to change password on docker container startup should be developed.

Currently, there is such a form after the first login, however it can be ignored with ease

[github-actions]

Issue is now considered stale. If you want to keep it open, please comment 👍