The 2nd step of the Drupal installation pre-fills the Database username field with root. This encourages use of the root account, a violation of the principle of least privilege.

Marking as critical because principle of least privilege is a fundamental security practice.

Comments

brianV’s picture

brianV commented

HEAD doesn't do this.

Are you sure this isn't some saved password information in your browser?

aren cambre’s picture

aren cambre commented
Status: Active » Closed (works as designed)

Just tried again with a different browser, and you're correct. Sorry!