diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index e2912ecef..03d11ca75 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -30,22 +30,23 @@ disregard_network: False  # use cache or error out if cache does not exist
 
 # Users and Passwords
 
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+iiab_admin_user_install: True
+# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# Linux user that has sudo access, for login to Admin Console http://box/admin
 iiab_admin_user: iiab-admin
-# Obtain a password hash with:
+# Password hash to be used if Ansible creates the above user:
+iiab_admin_new_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
+# Obtain a password hash - NEW MORE SECURE WAY:
+#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
+# Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-iiab_admin_passw_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-admin_install: True
 
-# Set admin_install: False if you don't want iiab_admin_user & wheel group
-# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
-# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
-
-# If admin_install: False, set iiab_admin_user (above) to an existing Linux
-# user that has sudo access, so you can login to Admin Console http://box/admin
-
-# Languages
+# Languages (for Apache)
 default_language: en
-language_priority: en es
+language_priority: en es fr
 
 # Time Zone (php needs timezone to be set)
 local_tz: "{{ ansible_date_time.tz }}"