This could be set as the default user for the container

Problem is that we DON'T want to have to worry too much about security - and we can't trust users not to reuse real passwords which could be exposed.

Adding SSL would help, but would have to be self-signed, which causes problems with iFrames, and in general the errors of "untrusted" cert isn't putting forward a great face.

Signed SSL is not an option - as these "labs" are meant to be created on demand, not run as a permanent service on a fixed IP.