Having Jenkins not require authentication by default is a security issue.
Ideally, on startup Jenkins would check for configured administrator credentials, and refeuse to start if they don't exist, rather than just starting in "fully open" mode, or having default credentials.

It's assumed that this is not a small work effort.

This will require more fleshing out, but something like:

• option for the command line/ winstone container to set some admin credentials prior to startup.
• How to handle this in the various OS packages
• How to handle under alternate containers such as Tomcat, glassfish, weblogic, websphere, etc.