diff --git a/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql b/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql
index 31207d5..cfe5a53 100644
--- a/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql
+++ b/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql
@@ -22,6 +22,12 @@ CREATE TABLE IF NOT EXISTS `dummy` (
   `id` int(11) DEFAULT NULL
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 
+-- Create a dedicated DB user for the web application (least privilege).
+-- Grant only the required privileges on the application database.
+CREATE USER IF NOT EXISTS 'passman_app'@'%' IDENTIFIED BY 'passman_app_pw';
+GRANT SELECT, INSERT, UPDATE, DELETE ON pwd_mgr.* TO 'passman_app'@'%';
+FLUSH PRIVILEGES;
+
 CREATE TABLE IF NOT EXISTS `login_users` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `username` varchar(20) NOT NULL,
@@ -31,7 +37,7 @@ CREATE TABLE IF NOT EXISTS `login_users` (
 ) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
 
 INSERT INTO `login_users` (`id`, `username`, `password`) VALUES
-	(1, 'u1', '$2y$10$L18u5/PyVkDgsce/DsUOQu0sKhTzh854Euhog3cVb1W4YAfgRzY8W'); /* php -r 'echo password_hash("p1", PASSWORD_DEFAULT), PHP_EOL;' */
+	(1, 'u1', '$2y$10$L18u5/PyVkDgsce/DsUOQu0sKhTzh854Euhog3cVb1W4YAfgRzY8W'); -- php -r 'echo password_hash("p1", PASSWORD_DEFAULT), PHP_EOL;'
 
 CREATE TABLE IF NOT EXISTS `notes` (
   `notesid` int(11) NOT NULL AUTO_INCREMENT,
diff --git a/passman-dev/docker-compose.yml b/passman-dev/docker-compose.yml
index 86b3924..440f18b 100644
--- a/passman-dev/docker-compose.yml
+++ b/passman-dev/docker-compose.yml
@@ -8,9 +8,9 @@ services:
       - ./php:/var/www/html
     environment:
       DB_HOST: db
-      DB_USER: root
-      DB_PASS: rootpass
       DB_NAME: pwd_mgr
+      DB_USER: passman_app
+      DB_PASS: passman_app_pw
     depends_on:
       - db
 
diff --git a/passman-dev/php/passman/config.php b/passman-dev/php/passman/config.php
index b3a2b33..1a9c17a 100644
--- a/passman-dev/php/passman/config.php
+++ b/passman-dev/php/passman/config.php
@@ -3,8 +3,8 @@
 // NOTE: In Docker, the DB host is the service name (e.g., "db"), not "localhost".
 
 $DB_HOST = getenv('DB_HOST') ?: 'db';
-$DB_USER = getenv('DB_USER') ?: 'root';
-$DB_PASS = getenv('DB_PASS') ?: 'rootpass';
+$DB_USER = getenv('DB_USER') ?: 'passman_app';
+$DB_PASS = getenv('DB_PASS') ?: 'passman_app_pw';
 $DB_NAME = getenv('DB_NAME') ?: 'pwd_mgr';
 
 // Create a DB connection.