Default credentials

Every BoothIQ kiosk ships with two default admin accounts. They have fixed default passwords and are flagged for forced password change on first sign-in.

Warning
Change both immediately. Don't open the booth to customers with the defaults in place.

The defaults

  • admin / admin123: Master access (full admin)
  • user / user123: User access (sales and basic credit operations only)

Both accounts:

  • Are created by BoothIQ during initial database setup
  • Are flagged with PINSetupRequired = true (the first sign-in will route you to PIN setup after the password change)
  • Are flagged as needing a password change on first sign-in
  • Can be deleted or disabled later by a Master user

What happens on first sign-in

When you sign in with either default account for the first time:

  1. The booth recognizes the account is using the default password.
  2. Instead of going to the dashboard, it routes you to the Forced Password Change screen.
  3. You set a new password.
  4. It then routes you to PIN Setup.
  5. You set a recovery PIN.
  6. Then you land on the dashboard.

You only get this forced flow once per account. After that, sign-ins go straight to the dashboard.

Where to change them

Use the Change My Password form: Settings tab → Security & Users card → Change My Password. The same form is used to change your password later (after the initial forced change).

For full instructions, see First login and password.

What you should do (in order)

  1. Sign in to admin as admin / admin123.
  2. Change the admin password to something strong.
  3. Set up a recovery PIN for the admin account.
  4. Sign out (Exit Admin button).
  5. Sign in as user / user123.
  6. Change the user password.
  7. Set up a recovery PIN for the user account.
  8. Sign out.

Then store both passwords (and both PINs) in a password manager.

What if I don't need the user account?

If you have no use for a User-level account (e.g. you're a one-person operation and don't have staff who need limited access), you can either:

  • Change the user password to something strong (recommended; this leaves the account available if you ever need it)
  • Disable the user account in the User Management section (Settings tab). Master access is required to do this

Don't leave user / user123 in place. The default password is the same on every BoothIQ booth and is the first thing an attacker would try.

Other default values to know

For reference, a few other things that ship with default values:

  • Operation mode: Coin Operated. Change in Settings tab
  • Save photos: varies by version. Change in Settings → Photo Storage
  • Show logo on prints: Off until you upload a logo. Change in Settings → Business Information
  • Hardware watchdog: On. Change in Settings → Hardware Error Screen
  • Sync from cloud: Off. Change in Settings → Business Information
  • Cloud API URL (manual registration): http://127.0.0.1:8000 (development default). Change in Cloud Sync tab → Manual Registration

You don't need to change every default. Most are sensible. But the admin passwords are non-negotiable.

Why are the defaults documented?

Because pretending they don't exist isn't security. It's security theater. The default credentials are in:

  • This doc set
  • The BoothIQ source code
  • Public installer materials
  • Support team materials

Anyone who wants to find them can. The actual security comes from forcing a change on first login and tracking which booths still have default passwords so they can be flagged.

How to verify defaults have been changed

There's no built-in "show me which booths have default passwords" report on the kiosk. But you can verify your specific booth by:

  1. Trying to sign in as admin / admin123. If it works, the password hasn't been changed. Change it immediately.
  2. Trying to sign in as user / user123. Same check.
  3. Confirming neither account routes you to a Forced Password Change screen, which means both accounts are using changed passwords.

For a managed fleet, your cloud dashboard may have a "booths still using defaults" alert. Check there.
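
A minimal model of the first sign-in routing described earlier and of the "still on defaults" check from this section, added here as an example and not taken from BoothIQ's code. The Account record, the function names, the PBKDF2 hashing and the rejection of the default as a new password are assumptions; only the two default logins and the PINSetupRequired flag come from this page.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

DEFAULTS = {"admin": "admin123", "user": "user123"}  # as documented on this page

def hash_pw(secret: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2. The page does not say how BoothIQ stores passwords.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:  # hypothetical record for one of the two seeded accounts
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    password_change_required: bool = True  # set at database setup
    pin_setup_required: bool = True        # mirrors PINSetupRequired = true
    pin_hash: bytes = b""

    def __post_init__(self):
        if not self.pw_hash:  # seed with the documented default password
            self.pw_hash = hash_pw(DEFAULTS[self.name], self.salt)

def check(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, hash_pw(password, acct.salt))

def next_screen(acct: Account) -> str:
    """Screen shown after a successful sign-in, in the order the page lists."""
    if acct.password_change_required:
        return "forced_password_change"
    if acct.pin_setup_required:
        return "pin_setup"
    return "dashboard"

def change_password(acct: Account, new_password: str) -> None:
    # Assumption: re-using the shipped default is refused, so the flag
    # can only be cleared by a password that actually differs from it.
    if new_password == DEFAULTS.get(acct.name):
        raise ValueError("new password must differ from the default")
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_pw(new_password, acct.salt)
    acct.password_change_required = False

def set_pin(acct: Account, pin: str) -> None:
    acct.pin_hash = hash_pw(pin, acct.salt)
    acct.pin_setup_required = False

def still_on_default(acct: Account) -> bool:
    # Same question as trying admin / admin123 at the sign-in screen.
    return check(acct, DEFAULTS[acct.name])
```

Checking the stored hash against the known default, instead of trusting the flag alone, catches an account whose flag was cleared without the password ever changing.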