Default password is set in includes/config.php. Change it before this touches the public internet, because hackers also enjoy hoodies.
includes/config.php
