diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,19 @@
-## stable-4384
+## stable-4384(-1)
+
+**Important security note:** Previous releases included default passwords for
+system accounts, and users who didn't change them are at risk of getting
+the authentication system circumvented by an attacker using a system account
+with the default password. Please update and use the provided script
+(instructions on the README) to generate a strong password for each system
+account.
+
+Thanks joernchen for the security report.
+
+<hr/>
 
 Based on stable release 4384.
 
+* 768b6c4 security: fail to start if using the old default password
 * 1ffd472 security: add script to generate strong passwords
 * a015710 security: don't provide default passwords
 * aaec22d jigasi: fix typo in config
@@ -22,15 +34,6 @@ Based on stable release 4384.
 * ebb4536 doc: update CHANGELOG
 * 06c3a83 doc: fix references to running behind NAT in the README
 
-**Important security note: ** Previous releases included default passwords for
-system accounts, and users who didn't change them are at risk of getting
-the authentication system circumvented by an attacker using a system account
-with the default password. Please update and use the provided script
-(instructions on the README) to generate a strong password for each system
-account.
-
-Thanks joernchen for the security report.
-
 ## stable-4101-2
 
 Based on stable release 4101.

diff --git a/README.md b/README.md
@@ -59,7 +59,7 @@ This setup used to have default passwords for intetrnal accounts used across com
 secure by default these have been removed and the respective containers won't start without having a password set.
 
 Strong passwordds may be generated as follows: `./gen-passwords.sh`
-This will modify your `.env` file (a backup is saved in `.env.backup`) andd set strong passwords for each of the
+This will modify your `.env` file (a backup is saved in `.env.backup`) and set strong passwords for each of the
 require options. Passwords are  generated using `openssl rand -hex 16` .
 
 DO NOT reuse any of the passwords.

diff --git a/get-passwords.sh → gen-passwords.sh b/get-passwords.sh → gen-passwords.sh
@@ -11,7 +11,7 @@ JIGASI_XMPP_PASSWORD=`generatePassword`
 JIBRI_RECORDER_PASSWORD=`generatePassword`
 JIBRI_XMPP_PASSWORD=`generatePassword`
 
-sed -i ".bak" \
+sed -i.bak \
     -e "s#JICOFO_COMPONENT_SECRET=.*#JICOFO_COMPONENT_SECRET=${JICOFO_COMPONENT_SECRET}#g" \
     -e "s#JICOFO_AUTH_PASSWORD=.*#JICOFO_AUTH_PASSWORD=${JICOFO_AUTH_PASSWORD}#g" \
     -e "s#JVB_AUTH_PASSWORD=.*#JVB_AUTH_PASSWORD=${JVB_AUTH_PASSWORD}#g" \

diff --git a/jibri/rootfs/etc/cont-init.d/10-config b/jibri/rootfs/etc/cont-init.d/10-config
@@ -5,6 +5,18 @@ if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then
     exit 1
 fi
 
+OLD_JIBRI_RECORDER_PASSWORD=passw0rd
+if [[ "$JIBRI_RECORDER_PASSWORD" == "$OLD_JIBRI_RECORDER_PASSWORD" ]]; then
+    echo 'FATAL ERROR: Jibri recorder password must be changed, check the README'
+    exit 1
+fi
+
+OLD_JIBRI_XMPP_PASSWORD=passw0rd
+if [[ "$JIBRI_XMPP_PASSWORD" == "$OLD_JIBRI_XMPP_PASSWORD" ]]; then
+    echo 'FATAL ERROR: Jibri auth password must be changed, check the README'
+    exit 1
+fi
+
 # DISPLAY is necessary for start
 [ -z "${DISPLAY}" ] \
 && ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 )

diff --git a/jicofo/rootfs/etc/cont-init.d/10-config b/jicofo/rootfs/etc/cont-init.d/10-config
@@ -5,6 +5,18 @@ if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
     exit 1
 fi
 
+OLD_JICOFO_COMPONENT_SECRET=s3cr37
+if [[ "$JICOFO_COMPONENT_SECRET" == "$OLD_JICOFO_COMPONENT_SECRET" ]]; then
+    echo 'FATAL ERROR: Jicofo component secret must be changed, check the README'
+    exit 1
+fi
+
+OLD_JICOFO_AUTH_PASSWORD=passw0rd
+if [[ "$JICOFO_AUTH_PASSWORD" == "$OLD_JICOFO_AUTH_PASSWORD" ]]; then
+    echo 'FATAL ERROR: Jicofo auth password must be changed, check the README'
+    exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
     tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi

diff --git a/jigasi/rootfs/etc/cont-init.d/10-config b/jigasi/rootfs/etc/cont-init.d/10-config
@@ -5,6 +5,12 @@ if [[ -z $JIGASI_XMPP_PASSWORD ]]; then
     exit 1
 fi
 
+OLD_JIGASI_XMPP_PASSWORD=passw0rd
+if [[ "$JIGASI_XMPP_PASSWORD" == "$OLD_JIGASI_XMPP_PASSWORD" ]]; then
+    echo 'FATAL ERROR: Jigasi auth password must be changed, check the README'
+    exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
     tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi

diff --git a/jvb/rootfs/etc/cont-init.d/10-config b/jvb/rootfs/etc/cont-init.d/10-config
@@ -5,6 +5,12 @@ if [[ -z $JVB_AUTH_PASSWORD ]]; then
     exit 1
 fi
 
+OLD_JVB_AUTH_PASSWORD=passw0rd
+if [[ "$JVB_AUTH_PASSWORD" == "$OLD_JVB_AUTH_PASSWORD" ]]; then
+    echo 'FATAL ERROR: JVB auth password must be changed, check the README'
+    exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
     tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi

diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config
@@ -46,17 +46,38 @@ if [[ ! -f $PROSODY_CFG ]]; then
         exit 1
     fi
 
+    OLD_JVB_AUTH_PASSWORD=passw0rd
+    if [[ "$JVB_AUTH_PASSWORD" == "$OLD_JVB_AUTH_PASSWORD" ]]; then
+        echo 'FATAL ERROR: JVB auth password must be changed, check the README'
+        exit 1
+    fi
+
     prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD
 
     if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then
+        OLD_JIBRI_XMPP_PASSWORD=passw0rd
+        if [[ "$JIBRI_XMPP_PASSWORD" == "$OLD_JIBRI_XMPP_PASSWORD" ]]; then
+            echo 'FATAL ERROR: Jibri auth password must be changed, check the README'
+            exit 1
+        fi
         prosodyctl --config $PROSODY_CFG register $JIBRI_XMPP_USER $XMPP_AUTH_DOMAIN $JIBRI_XMPP_PASSWORD
     fi
 
     if [[ ! -z $JIBRI_RECORDER_USER ]] && [[ ! -z $JIBRI_RECORDER_PASSWORD ]]; then
+        OLD_JIBRI_RECORDER_PASSWORD=passw0rd
+        if [[ "$JIBRI_RECORDER_PASSWORD" == "$OLD_JIBRI_RECORDER_PASSWORD" ]]; then
+            echo 'FATAL ERROR: Jibri recorder password must be changed, check the README'
+            exit 1
+        fi
         prosodyctl --config $PROSODY_CFG register $JIBRI_RECORDER_USER $XMPP_RECORDER_DOMAIN $JIBRI_RECORDER_PASSWORD
     fi
 
     if [[ ! -z $JIGASI_XMPP_USER ]] && [[ ! -z $JIGASI_XMPP_PASSWORD ]]; then
+        OLD_JIGASI_XMPP_PASSWORD=passw0rd
+        if [[ "$JIGASI_XMPP_PASSWORD" == "$OLD_JIGASI_XMPP_PASSWORD" ]]; then
+            echo 'FATAL ERROR: Jigasi auth password must be changed, check the README'
+            exit 1
+        fi
         prosodyctl --config $PROSODY_CFG register $JIGASI_XMPP_USER $XMPP_AUTH_DOMAIN $JIGASI_XMPP_PASSWORD
     fi
 fi