Well known passwords like "test" should never be used by Liferay

Liferay has historically used "test@liferay.com/test" as the default username/password. If you bypass the Setup Wizard using portal properties, it will use those as the default credentials.

Even if you go through the Setup Wizard and use the defaults, it should force you to change the password, but it does not (see LPS-54714).

Since this password is well known, I suspect a lot of people use it when setting up Liferay in a public-facing situation, and I don't think it's a very secure thing to do.

So this ticket requests that the password never be set by Liferay:

1. Liferay or anything it installs should never listen on any non-loopback TCP ports until properly configured with an admin username/password. This includes the ports that the app server listens on (e.g. Tomcat on ports 8005 and 8009).

2. Liferay should never set the password to "test". The only way this password should ever be set is if the user explicitly types it in, either in the Setup Wizard or through some other mechanism.

3. If the Setup Wizard is bypassed, it should still force you to do a password reset (and by virtue of #1, the only person who can do this is someone with OS-level access to the machine). If you don't reset the password, it should not be possible to log in until it's done.

This is known as "secure by default" and prevents attacks on fresh installations before an admin has a chance to configure them properly.
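The three requirements above amount to one startup gate: decide the bind address from the configured state, refuse well-known default passwords as "configured", and block logins while a reset is pending. The following is an added example written for this ticket, not Liferay's own code. It assumes the portal property names `setup.wizard.enabled` and `default.admin.password` and a constructed list of well-known defaults; the properties snippets are constructed inputs.

```python
"""Secure-by-default startup gate (added example; not Liferay code).

Models the three requests in the ticket on a plain properties dict:
1. bind to loopback only until an admin credential is explicitly configured,
2. never treat a well-known default such as "test" as a configured password,
3. refuse logins while a password reset is still pending.
"""
import hmac
import socket
from dataclasses import dataclass

LOOPBACK = "127.0.0.1"
ALL_INTERFACES = "0.0.0.0"

# Constructed list of credentials that must never count as "configured".
# "test" is the one the ticket names; the rest are assumed common defaults.
WELL_KNOWN_DEFAULTS = frozenset({"test", "admin", "password", "liferay", "changeme"})

# Assumed property names; portal.properties keys are the assumption here.
WIZARD_KEY = "setup.wizard.enabled"
ADMIN_PASSWORD_KEY = "default.admin.password"


@dataclass(frozen=True)
class StartupDecision:
    bind_address: str
    password_reset_required: bool
    reason: str


def parse_properties(text: str) -> dict[str, str]:
    """Minimal key=value parser for a portal-ext.properties style file."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def credential_is_acceptable(password: str) -> bool:
    """Request 2: an empty or well-known default password is not 'configured'."""
    return bool(password) and password.lower() not in WELL_KNOWN_DEFAULTS


def evaluate_startup(props: dict[str, str]) -> StartupDecision:
    """Requests 1 and 3: only an explicitly set, non-default password opens the ports."""
    wizard_enabled = props.get(WIZARD_KEY, "true").lower() == "true"
    if wizard_enabled:
        # Wizard still pending: reachable only from the machine itself.
        return StartupDecision(LOOPBACK, True, "setup wizard not completed")
    if ADMIN_PASSWORD_KEY not in props:
        # Wizard bypassed but nothing configured: no implicit "test" fallback.
        return StartupDecision(LOOPBACK, True, "admin password not set")
    if not credential_is_acceptable(props[ADMIN_PASSWORD_KEY]):
        return StartupDecision(LOOPBACK, True, "admin password is a well-known default")
    return StartupDecision(ALL_INTERFACES, False, "admin credentials configured")


def login_allowed(decision: StartupDecision, supplied: str, configured: str) -> bool:
    """Request 3: even a correct password grants nothing while a reset is pending."""
    if decision.password_reset_required:
        return False
    return hmac.compare_digest(supplied.encode(), configured.encode())


def open_listener(decision: StartupDecision, port: int = 0) -> socket.socket:
    """Bind a TCP listener on the address the gate decided (port 0 = ephemeral)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((decision.bind_address, port))
    sock.listen(1)
    return sock


if __name__ == "__main__":
    # Constructed sample: wizard bypassed with the historical default password.
    bypassed_with_test = parse_properties(
        "# portal-ext.properties (constructed)\n"
        f"{WIZARD_KEY}=false\n"
        f"{ADMIN_PASSWORD_KEY}=test\n"
    )
    decision = evaluate_startup(bypassed_with_test)
    listener = open_listener(decision)
    print(decision, "listening on", listener.getsockname())
    listener.close()
```

The gate deliberately treats "password key absent" and "password key set to a well-known default" the same way: both keep the server on loopback with a reset pending, which is exactly the state in which only someone with OS-level access can finish configuration.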
