Require Configuration or Generation of a Strong, Temporary Initial Administrator Password #4956
Open
2 tasks done
Labels: enhancement (New feature or request)
Current Behavior
Problem:
The default administrator username and password ("admin"/"admin") for a new Dependency-Track instance are widely known. This presents a critical security vulnerability immediately after deployment, leaving new systems exposed until the password is manually changed.
Context:
Mandating the configuration or generation of a strong, temporary initial password is crucial for the security of new Dependency-Track deployments. This eliminates the immediate and significant risk associated with the well-known default credentials and ensures that all new instances start with a more secure footing, while still enforcing a password change upon first login.
Proposed Behavior
Solution:
Implement a mandatory mechanism to avoid the use of default credentials. This could be achieved by requiring one of the following:
In either case, the system should require the administrator to change this temporary password upon their first login.
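As an added illustration (not code from the Dependency-Track project), the bootstrap below shows both options the issue contemplates: an operator-configured initial password that is rejected unless it meets a minimum policy, or a generated temporary password printed once at startup; in both cases the account is persisted with a must-change flag. The environment variable name, the `AdminRecord` type and its `forcePasswordChange` field are hypothetical, and PBKDF2 stands in for whatever password hasher the application actually uses.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Bootstraps the first admin account without ever falling back to "admin"/"admin". */
public final class InitialAdminBootstrap {
    // Hypothetical setting name; not a real Dependency-Track configuration key.
    static final String ENV_VAR = "DT_INITIAL_ADMIN_PASSWORD";
    static final int MIN_LENGTH = 16;
    // 55 unambiguous symbols (no I/O/i/l/o/0/1) so a generated value can be retyped from the log.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
    private static final SecureRandom RNG = new SecureRandom();

    /** What the bootstrap would persist: hash and salt only, plus the must-change flag (hypothetical type). */
    public record AdminRecord(String username, String passwordHash, byte[] salt, boolean forcePasswordChange) {}

    /** Option 1: operator-configured password, accepted only if it meets the minimum policy. */
    static String validateConfigured(String configured) {
        if (configured.length() < MIN_LENGTH || configured.equalsIgnoreCase("admin")) {
            throw new IllegalStateException(ENV_VAR + " is set but violates the minimum password policy");
        }
        return configured;
    }

    /** Option 2: generated temporary password; 24 symbols from a 55-symbol alphabet is about 138 bits. */
    static String generateTemporaryPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        return sb.toString();
    }

    /** Creates the admin record; forcePasswordChange is true whichever option was taken. */
    static AdminRecord bootstrap(String configured) throws Exception {
        boolean generated = configured == null || configured.isBlank();
        String password = generated ? generateTemporaryPassword(24) : validateConfigured(configured);
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        // PBKDF2 stands in for the application's real password hasher; only hash and salt are stored.
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 310_000, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        if (generated) {
            // Shown exactly once at startup; the clear-text value is never persisted.
            System.out.println("Temporary admin password (must be changed at first login): " + password);
        }
        return new AdminRecord("admin", Base64.getEncoder().encodeToString(hash), salt, true);
    }
}
```

Calling `bootstrap(System.getenv(ENV_VAR))` during first start-up covers both paths; a login handler would then check `forcePasswordChange` and refuse anything but a password change until it is cleared.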
Alternatives Considered:
The current approach relies on administrators manually updating the default password post-deployment, which leaves a significant window of vulnerability.