Hardcoded passwords are always wrong - they are equivalent to implanting a global backdoor and hoping no one will find it.