"Do not ship or deploy with any default credentials, particularly for admin users."
Though I wish OWASP published this guideline too. (they do state this is a top 10 venerability, and the HDIV scanner looks for this to fix)