diff --git a/Readme.markdown b/Readme.markdown
index 121fc67..af27e95 100644
--- a/Readme.markdown
+++ b/Readme.markdown
@@ -20,19 +20,23 @@ This is a test app for trying new things in Mojolicious.
 * fix travis hack after travis upgrades default mongodb version to 2.6
 * ~~register new user~~
 * ~~prevent register dupe username~~
-* prevent bots with captcha or something ( how to automate tests then? ) ~~secret phrase in source code~~
+* ~~prevent bots with captcha or something ( how to automate tests then? )~~
+* ~~script to create default admin user~~
+* get default admin user/pass from ENV instead of hardcoded
 * ~~make authentication more secure ( bcrypt )~~
-* more tests for authentication, registration
+* ~~more tests for authentication, registration~~
 * ~~add authorization ( logged in user can see some things, but not others )~~
 * tests for authorization
 * ~~user can create document objects into mongo~~
-* fix default admin user kludge
 * roles: ~~admin~~, ~~guest~~, author, reader?
+* scripts: setup new db,
 * more templates/routes: ~~home~~, ~~user~~, user/:username, "posts" ...
+* bootstrap, bower
 * Dockerfile; add mongodb setup? fixtures?
 ## Credits
+* http://12factor.net/
 * https://github.com/benvanstaveren/Mojolicious-Plugin-Authentication
 * https://github.com/byterock/mojolicious-plugin-authorization
 * https://github.com/Bivee/mojolicious-project-base
diff --git a/cpanfile b/cpanfile
index 0d6e7f8..2bfd13f 100644
--- a/cpanfile
+++ b/cpanfile
@@ -4,3 +4,4 @@ requires 'Mojolicious::Commands';
 requires 'Mango';
 requires 'Mojolicious::Plugin::Bcrypt';
 requires 'Mojolicious::Plugin::Authorization';
+requires 'Crypt::Eksblowfish::Bcrypt';
diff --git a/lib/Lrrr.pm b/lib/Lrrr.pm
index e7f3229..7b099ec 100644
--- a/lib/Lrrr.pm
+++ b/lib/Lrrr.pm
@@ -31,10 +31,6 @@ sub startup {
 user_role => sub { return Lrrr::Authorization->user_role(@_) } });
- # hmm, how to get rid of this:
- # default admin user:
- $self->mango->db->collection('users')->insert({ username => 'hermes', password => $self->bcrypt('conrad'), role => 'admin' });
- # Router my $r = $self->routes;
diff --git a/script/create_default_admin_user.pl b/script/create_default_admin_user.pl
new file mode 100755
index 0000000..9c8563b
--- /dev/null
+++ b/script/create_default_admin_user.pl
@@ -0,0 +1,43 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+
+
+# this section must correspond with Mojolicios::Plugin::Bcrypt
+# ############################################################
+use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
+sub _salt {
+ my $num = 999999;
+ my $cr = crypt( rand($num), rand($num) ) . crypt( rand($num), rand($num) );
+ en_base64( substr( $cr, 4, 16 ) );
+}
+
+my $cost = sprintf( '%02d', 6 );
+my $settings = join( '$', '$2a', $cost, _salt() );
+# ############################################################
+
+
+use Mango;
+my $mongo_uri = $ENV{'MONGOLAB_URI'};
+my $mango = Mango->new($mongo_uri);
+
+# change this to get from ENV instead?
+my $username = "hermes";
+my $password = "conrad";
+
+# insert admin user
+my $doc = $mango->db->collection('users')->find_one( { username => $username } );
+if ( $doc ) {
+ print $username . " already exists!\n";
+} else {
+ my $oid = $mango->db->collection('users')->insert( { username => $username, password => bcrypt($password,$settings), role => 'admin' } );
+ print "inserted ".$username." with oid: " . $oid . "\n";
+}
+
+# list existing admin users
+my $c = $mango->db->collection('users')->find( { role => 'admin' } );
+print "existing admins:\n";
+while ( my $doc = $c->next ){
+ print $doc->{username} . "\n";
+}
diff --git a/t/register.t b/t/register.t
index 5703394..67071c0 100644
--- a/t/register.t
+++ b/t/register.t
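Review bot: The `_salt` sub, `$cost` and `$settings` block at the top of script/create_default_admin_user.pl re-implement the hashing setup of Mojolicious::Plugin::Bcrypt by hand — the comment `# this section must correspond with Mojolicios::Plugin::Bcrypt` (which also misspells Mojolicious) records that coupling — while the app already exposes it as a helper, as t/register.t in this same commit shows with `$t->app->bcrypt('conrad')`. Building the app from the script and calling `$app->bcrypt` and `$app->mango` removes the copy, the salt derived from `rand` (which Perl does not seed from a cryptographic source), the direct `Crypt::Eksblowfish::Bcrypt` line added to cpanfile, and the separate `MONGOLAB_URI` handling, assuming the app's `mango` points at the same database; the script then needs `lib` on `@INC` in the usual Mojolicious `script/` way, which the hunk does not show. If the script keeps its own connection, an unset `MONGOLAB_URI` should fail loudly, `my $mongo_uri = $ENV{MONGOLAB_URI} // die "MONGOLAB_URI is not set\n";`, instead of being handed to `Mango->new` as undef. The `find_one` followed by `insert` is only a best-effort duplicate check unless `users.username` carries a unique index, which I cannot see from here.
```perl
use FindBin;
use lib "$FindBin::Bin/../lib";
use Mojo::Server;

# Build the app once so this script reuses its bcrypt settings and Mango connection.
my $app   = Mojo::Server->new->build_app('Lrrr');
my $users = $app->mango->db->collection('users');

# … unchanged: $username / $password selection …

my $doc = $users->find_one( { username => $username } );
if ( $doc ) {
    print $username . " already exists!\n";
} else {
    my $oid = $users->insert( { username => $username, password => $app->bcrypt($password), role => 'admin' } );
    print "inserted " . $username . " with oid: " . $oid . "\n";
}

# … unchanged: listing of existing admins, reading from $users …
```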
@@ -9,13 +9,20 @@ my $t = Test::Mojo->new('Lrrr');
 my $collection = $t->app->mango->db->collection('users');
 # test get page ok
+$t->get_ok('/register')->status_is(200)->content_like(qr/you must be logged in as admin/i);
 # test register bad
 $t->post_ok('/register' => form => { u => 'bender', p => 'rodriguez' })->status_is(200)->content_like(qr/must be logged in as admin/i);
+# add admin user
+my $oid = $collection->insert( { username => 'hermes', password => $t->app->bcrypt('conrad'), role => 'admin' } );
+
 # login as admin
 $t->post_ok('/login' => form => { u => 'hermes', p => 'conrad' })->status_is(200)->content_like(qr/ok/i);
+# test get page as admin
+$t->get_ok('/register')->status_is(200)->content_like(qr/register a new user/i);
+
 # test register name already taken
 $t->post_ok('/register' => form => { u => 'hermes', p => 'conrad', role => 'robot' })->status_is(200)->content_like(qr/username taken/i);
@@ -25,4 +32,7 @@ $t->post_ok('/register' => form => { u => 'bender', p => 'rodriguez', role => '
 # get rid of new user bender
 $collection->remove( { username => 'bender' } );
+# get rid of admin user hermes
+$collection->remove( { username => 'hermes' } );
+
 done_testing();
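Review bot: `$oid` on the added `my $oid = $collection->insert( ... )` fixture line is assigned but never read, and nothing asserts that the admin fixture actually went in, so a failed insert only shows up later as a confusing login failure. Turning the assignment into an assertion makes the setup step visible in the TAP output: `ok $collection->insert( { username => 'hermes', password => $t->app->bcrypt('conrad'), role => 'admin' } ), 'admin fixture inserted';`. The matching `$collection->remove( { username => 'hermes' } )` in the second hunk only runs if the file reaches it; an exception from Mango earlier on leaves `hermes` behind in the shared test database, so issuing the same `remove` before the insert would make reruns self-healing. The top of the file is outside the hunk, so whether a cleanup already happens there is unknown.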