by Mg6yDfjp5U 1987 days ago
Do you know of any resources describing this as a developer responsibility/best practice? I agree with you, but I'm looking for some independent resource that I can show to Business to convey to them the importance of this.

(Most resources I'm finding are only describing the importance of remembering to change the default password, rather than designing a system without a default password to begin with.)


Look at some practical implementations. E.g. Jenkins CI. When you first install it (the latest versions), it does not use default admin/admin credentials. What it does is produce a random password string that you have to go find on disk to perform the initial setup. At no point could someone without direct access to the machine get in before you are able to lock the door.
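The first-run flow described in the comment above, as an added example that is not part of this thread or of the Jenkins project's code: a hypothetical FirstRunSetup helper writes a random secret to an owner-only file, accepts it exactly once using a constant-time comparison, and has no built-in credential to fall back on (the file path is an assumption).

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path


class FirstRunSetup:
    """Hypothetical helper (not Jenkins code): gate the first admin setup behind a
    random, single-use secret on local disk instead of any built-in credential."""

    def __init__(self, secret_path: Path):
        self.secret_path = secret_path
        self.completed = False

    def bootstrap(self) -> None:
        # 256 bits from the OS CSPRNG, written 0600 so only the file owner can read it.
        token = secrets.token_urlsafe(32)
        fd = os.open(self.secret_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(token)

    def finish_setup(self, presented: str) -> bool:
        """True exactly once, for the correct secret; the secret is then destroyed."""
        if self.completed or not self.secret_path.exists():
            return False  # no secret on disk means no way in, never a fallback login
        stored = self.secret_path.read_text().strip()
        # Constant-time comparison: the check must not leak how many bytes matched.
        if not hmac.compare_digest(stored.encode(), presented.encode()):
            return False
        self.completed = True
        self.secret_path.unlink()  # single use: nothing is left on disk to steal later
        return True


def demo() -> dict:
    """Exercise the flow against a constructed temp file; returns each step's outcome."""
    path = Path(tempfile.mkdtemp()) / "initial-admin-password"
    setup = FirstRunSetup(path)
    setup.bootstrap()
    token = path.read_text()
    return {
        "mode_is_0600": (path.stat().st_mode & 0o777) == 0o600,
        "wrong_token_rejected": not setup.finish_setup("admin"),
        "correct_token_accepted": setup.finish_setup(token),
        "replay_rejected": not setup.finish_setup(token),
        "secret_removed": not path.exists(),
    }
```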
While this practice is OK, I am not sure if Jenkins with its billions of trivial vulnerabilities in every other plugin is a poster child for security.

https://www.jenkins.io/security/advisories/

Which is totally irrelevant in the context of this discussion (which is on default passwords).
https://hdivsecurity.com/owasp-broken-authentication

"Do not ship or deploy with any default credentials, particularly for admin users."

Though I wish OWASP published this guideline too. (They do state this is a top 10 vulnerability, and the HDIV scanner looks for this to fix.)