diff --git a/CHANGELOG.md b/CHANGELOG.md
index 399ab0c4c..cd80eecbb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]
 ### Fixed
 - user_utils.PsiTurkAuthorization should not allow empty username or password! (#492)
+- aws env vars AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are now preferred over anything
+ set in a config file somewhere (#496)
+- Dashboard will refuse to start if `secret_key` is missing or if no valid mturk credentials (#497)
 ### Added
 - Add custom MTurk qualification support (#493)
diff --git a/psiturk/dashboard/__init__.py b/psiturk/dashboard/__init__.py
index 8a1d52694..db2d86f59 100644
--- a/psiturk/dashboard/__init__.py
+++ b/psiturk/dashboard/__init__.py
@@ -32,6 +32,17 @@ def init_app(app):
+ if not app.config.get('LOGIN_DISABLED'):
+ # this dashboard requires a valid mturk connection -- try for one here
+ try:
+ _ = services_manager.amt_services_wrapper # may throw error if aws keys not set
+ except NoMturkConnectionError:
+ raise Exception((
+ 'Dashboard requested, but no valid mturk credentials found. '
+ 'Either disable the dashboard in config, or set valid mturk credentials -- '
+ 'see https://psiturk.readthedocs.io/en/latest/amt_setup.html#aws-credentials . '
+ '\nRefusing to start.'
+ ))
 login_manager.init_app(app)
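Review bot: In the `except NoMturkConnectionError:` branch of init_app, `raise Exception((...))` discards the caught error, so the operator learns only that credentials were rejected and not what the wrapper reported about them; bind and chain it, `except NoMturkConnectionError as e:` / `raise Exception(...) from e` (if Python 2 still has to run this, as the `e.message` fallbacks elsewhere in this file hint, append `str(e)` to the message instead). Raising a bare `Exception` also leaves callers unable to tell a credential problem from any other startup failure; a dedicated exception class, or letting `NoMturkConnectionError` propagate with the extra text, would preserve the type. The probe is skipped whenever `LOGIN_DISABLED` is set, so that flag now governs two separate behaviours; a comment such as `# LOGIN_DISABLED (unit tests) also skips the MTurk credential probe` would make that deliberate. init_app continues outside the hunk.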
@@ -44,16 +55,22 @@ def __init__(self, username=''):
 def load_user(username):
 return DashboardUser(username=username)
+def is_static_resource_call():
+ return str(request.endpoint) == 'dashboard.static'
+
+def is_login_route():
+ return str(request.url_rule) == '/dashboard/login'
 def login_required(view):
 @wraps(view)
 def wrapped_view(*args, **kwargs):
- if app.login_manager._login_disabled: # for unit testing
- return view(*args, **kwargs)
- is_logged_in = current_user.get_id() is not None
- is_static_resource_call = str(request.endpoint) == 'dashboard.static'
- is_login_route = str(request.url_rule) == '/dashboard/login'
- if not (is_static_resource_call or is_login_route or is_logged_in):
+ if current_user.is_authenticated:
+ pass
+ elif app.config.get('LOGIN_DISABLED'): # for unit testing
+ pass
+ elif is_static_resource_call() or is_login_route():
+ pass
+ else:
 return login_manager.unauthorized()
 return view(*args, **kwargs)
@@ -75,9 +92,11 @@ def wrapped_view(**kwargs):
 app.logger.debug('I set services manager mode to {}'.format(services_manager.mode))
 return view(**kwargs)
 except Exception as e:
- message = e.message if hasattr(e, 'message') else str(e)
- flash(message, 'danger')
- return redirect(url_for('.index'))
+ if not is_login_route() and not is_static_resource_call():
+ message = e.message if hasattr(e, 'message') else str(e)
+ flash(message, 'danger')
+
+ return redirect(url_for('.login'))
 return wrapped_view
@@ -159,9 +178,6 @@ def login():
 password = request.form['password']
 try:
- if 'example' in username or 'example' in password:
- raise Exception(
- 'Default username-password not permitted! Change them in your config file.')
 if not myauth.check_auth(username, password):
 raise Exception('Incorrect username or password')
diff --git a/psiturk/user_utils.py b/psiturk/user_utils.py
index 284760474..039e4fba6 100644
--- a/psiturk/user_utils.py
+++ b/psiturk/user_utils.py
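Review bot: `is_login_route()` matches `request.url_rule` against the hard-coded path `'/dashboard/login'` while its sibling `is_static_resource_call()` matches on the endpoint name, so the two helpers are inconsistent and the login exemption in `login_required` silently stops applying if the blueprint is ever registered under a different url_prefix; given the blueprint is evidently named `dashboard` and the view is `def login():`, `return request.endpoint == 'dashboard.login'` is the robust form. The four-branch `if … pass / elif … pass / else` chain in `wrapped_view` reads awkwardly for what is a single condition; `if not (current_user.is_authenticated or app.config.get('LOGIN_DISABLED') or is_static_resource_call() or is_login_route()): return login_manager.unauthorized()` says the same thing in one guard. Both new module-level helpers lack a docstring, e.g. `"""True when the current request is for the dashboard's static files (exempt from login)."""`. The module continues outside the hunk.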
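Review bot: The except branch in the second hunk now redirects to `.login` unconditionally, including when the failing request is the login route itself; if the login view runs under this wrapper (the `is_login_route()` test here suggests it can), an exception raised there yields a redirect back to the page that just raised, with no message flashed, i.e. a redirect loop. Re-raise instead of redirecting in that case, `if is_login_route() or is_static_resource_call(): raise`, so the error surfaces rather than looping, and keep the flash-and-redirect for ordinary dashboard pages. wrapped_view starts outside the hunk.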
@@ -33,10 +33,11 @@ class PsiTurkAuthorization(object):
 """ Authorize route """
 def __init__(self, config):
- username = config.get('Server Parameters', 'login_username')
- password = config.get('Server Parameters', 'login_pw')
- if not username or not password:
- raise PsiturkException(message='Secure route specified, but login_username or login_pw not set! Set them in config.txt')
+ username = config.get('Server Parameters', 'login_username')
+ password = config.get('Server Parameters', 'login_pw')
+ secret_key = config.get('Server Parameters', 'secret_key')
+ if not username or not password or not secret_key:
+ raise PsiturkException(message='Secure route specified, but at least one of `login_username`, `login_pw`, and `secret_key` not set in config! Set them and try again.')
 self.queryname = username
 self.querypw = password
diff --git a/tests/conftest.py b/tests/conftest.py
index 3dd16e64f..2f3ec3dfc 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -47,6 +47,7 @@ def experiment_dir(tmpdir, bork_aws_environ, edit_config_file):
 os.environ['PSITURK_AD_URL_DOMAIN'] = 'example.com'
 os.environ['PSITURK_LOGIN_USERNAME'] = 'foo'
 os.environ['PSITURK_LOGIN_PW'] = 'bar'
+ os.environ['PSITURK_SECRET_KEY'] = 'baz'
 # the setup script already chdirs into here,
 # although I don't like that it does that
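Review bot: The new guard in `PsiTurkAuthorization.__init__` reports that "at least one of" three settings is missing but never says which, which sends the operator back to guessing; collecting the empty names and listing them in the message costs a couple of lines (below). `secret_key` is also only tested for non-emptiness, and with the `'example'` check removed from `login()` in this same commit nothing rejects placeholder credentials any more; if the project's default config.txt ships sample values for these keys, a minimum-length check on `secret_key` and a rejection of those shipped placeholders belong here. `secret_key` is read but not kept on `self`, which is fine for a presence check but deserves a comment, e.g. `# NOTE(review): secret_key is only validated here, not retained -- confirm the app reads it from config itself`. __init__ continues outside the hunk.
```python
    def __init__(self, config):
        # Collect every required setting that is empty so the error names all of them.
        required = ('login_username', 'login_pw', 'secret_key')
        values = {key: config.get('Server Parameters', key) for key in required}
        missing = [key for key in required if not values[key]]
        if missing:
            raise PsiturkException(message='Secure route specified, but {} not set in config! Set them and try again.'.format(
                ', '.join('`{}`'.format(key) for key in missing)))
        self.queryname = values['login_username']
        self.querypw = values['login_pw']
        # … unchanged: rest of __init__ …
```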