diff --git a/changelogs/fragments/default_gipass2.yml b/changelogs/fragments/default_gipass2.yml
new file mode 100644
index 000000000..4a44438f0
--- /dev/null
+++ b/changelogs/fragments/default_gipass2.yml
@@ -0,0 +1,5 @@
+---
+breaking_changes:
+  - "oraswgi_install: Removed default password from default_gipass (oravirt#409)"
+security_fixes:
+  - "oraswgi_install: Removed default password from default_gipass (oravirt#409)"
diff --git a/roles/oraswgi_install/README.md b/roles/oraswgi_install/README.md
index 5c828320a..8f46fd00f 100644
--- a/roles/oraswgi_install/README.md
+++ b/roles/oraswgi_install/README.md
@@ -65,12 +65,16 @@ default_dbpass: '{% if item.0.oracle_db_passwd is defined %}{{ item.0.oracle_db_
 
 ### default_gipass
 
-Default password for Grid-Infrastructure.
+Default password for Grid-Infrastructure and ASM-Users.
+
+Important
+
+It is mandatory to set this variable in your inventory!
 
 #### Default value
 
 ```YAML
-default_gipass: "{{ oracle_password | default('') }}"
+default_gipass: ''
 ```
 
 ### endoracle_scan_port
diff --git a/roles/oraswgi_install/defaults/main.yml b/roles/oraswgi_install/defaults/main.yml
index 2267599fe..3b67c41ac 100644
--- a/roles/oraswgi_install/defaults/main.yml
+++ b/roles/oraswgi_install/defaults/main.yml
@@ -7,10 +7,13 @@
 gi_ignoreprereq: false
 
 # @var default_gipass:description: >
-# Default password for Grid-Infrastructure.
+# Default password for Grid-Infrastructure and ASM-Users.
 #
+# Important
+#
+# It is mandatory to set this variable in your inventory!
 # @end
-default_gipass: "{{ oracle_password | default('') }}"
+default_gipass: ""
 
 # The check for the old passwords are there for  backwards compatibility and only temporary, will be removed
 default_dbpass: "{% if item.0.oracle_db_passwd is defined %}{{ item.0.oracle_db_passwd }}{% else %}Oracle123{% endif %}"