diff --git a/README.md b/README.md
index 3cd640e..7c75ee9 100644
--- a/README.md
+++ b/README.md
@@ -76,8 +76,7 @@ These are the knobs most operators actually touch — all shown commented out in
 |----------|---------|-------------|
 | `MEDIARIP__ADMIN__ENABLED` | `true` | Enable admin panel |
 | `MEDIARIP__ADMIN__USERNAME` | `admin` | Admin username |
-| `MEDIARIP__ADMIN__PASSWORD` | _(empty)_ | Admin password (plaintext — hashed on startup, never stored) |
-| `MEDIARIP__ADMIN__PASSWORD_HASH` | _(empty)_ | Bcrypt hash (alternative to plaintext — for advanced users) |
+| `MEDIARIP__ADMIN__PASSWORD` | _(empty)_ | Admin password (hashed on startup, never stored as plaintext) |
 
 #### Purge
 
@@ -169,7 +168,7 @@ For production with TLS, use the included Caddy reverse proxy:
 ```bash
 cp docker-compose.example.yml docker-compose.yml
 cp .env.example .env
-# Edit .env with your domain and admin password hash
+# Edit .env with your domain and admin password
 docker compose up -d
 ```
 
diff --git a/backend/app/core/config.py b/backend/app/core/config.py
index b88edea..f158016 100644
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -98,7 +98,7 @@ class AdminConfig(BaseModel):
     enabled: bool = True
     username: str = "admin"
     password: str = ""       # Plaintext — hashed on startup, never stored
-    password_hash: str = ""  # Bcrypt hash — set directly or derived from password
+    password_hash: str = ""  # Internal — set by app on startup or first-run wizard
 
 
 # ---------------------------------------------------------------------------