diff --git a/roles/bookstack/defaults/main.yml b/roles/bookstack/defaults/main.yml
index 152a6c2..3efbadb 100644
--- a/roles/bookstack/defaults/main.yml
+++ b/roles/bookstack/defaults/main.yml
@@ -38,9 +38,14 @@ bookstack_db_user: "bookstack"
 # REQUIRED SECRETS — empty defaults force `assert` to fail until set.
 # Provide via OpenBao lookup, Ansible Vault, or extra-vars.
 # Never commit real secrets to version control.
-bookstack_db_root_password: "txwmMJD9xTNz3Y73fPWSMPZTR2fEpfF5"
-bookstack_db_password: "DgLYFudJg324yLydLxS3vmgux9LQL9bb"
-bookstack_admin_password: "NE7TN7cTjCnLHJ2Y4xfiTp"
+#
+# Generate with:
+#   bookstack_db_root_password:  openssl rand -base64 32 | tr -d '/+='
+#   bookstack_db_password:       openssl rand -base64 32 | tr -d '/+='
+#   bookstack_admin_password:    openssl rand -base64 24 | tr -d '/+='
+bookstack_db_root_password: ""
+bookstack_db_password: ""
+bookstack_admin_password: ""
 bookstack_oidc_client_secret: ""
 
 # APP_KEY is generated automatically on first run and persisted on the host.