diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index cf9a48bb0..1a923a0c8 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -22,13 +22,18 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231
 
-# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
-# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
-# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+# Please read more about the 'iiab-admin' Linux user and group, which allow
+# you to log in to IIAB's Admin Console (http://box.lan/admin):
+# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
+# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
+# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
 iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
-# Linux user that has sudo access, for login to Admin Console http://box/admin
+# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
+# user that's a member of group sudo (or group below?) for Admin Console login:
 iiab_admin_user: iiab-admin
+iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
+iiab_admin_published_pwd: g0adm1n    # For live checks/alerts of published pwds
 # Password hash to be used if Ansible creates the above user:
 iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
 # Obtain a password hash - NEW MORE SECURE WAY: