<i>During the initial attack phase, cyber actors scan the internet for SonarQube instances exposed to the open Internet using the default port (9000) and a publicly accessible IP address. Cyber actors then use default administrator credentials (username: admin, password: admin) to attempt to access SonarQube instances.</i><p>Given how often this happens, not having a default password and forcing users to set it should be a standard practice these days. Relying on administrators of the instance doing the right thing obviously keeps failing, thus an option to do the wrong thing should be removed completely.