This is a bad security default to allow the first person on the Internet who happens across a server to set the password and doesn't fall under "secure by default". Install Jenkins to see how they handle it. They write a random GUID out ot a file on the server's hard drive and then challenge the un-authenticated web user to go open that file and paste the GUID into a form field before allowing them to create the first username/pass for the site. Of course, there is also an easy way to setup the default login from inside the server too if you just want to bypass the admin. (this is important for cloud deployments where the admin might not even get deployed).
Secondly, do not allow a web context to get a password set either. The server admin must create a default web context password or set one manually.
Basically, there needs to be no way that a hacker can set a password for a newly-installed Lucee server.