Jump to content
  • Raspberry Pi removes default user to hinder brute-force attacks


    Karlston

    • 775 views
    • 3 minutes
     Share


    • 775 views
    • 3 minutes

    An update to Raspberry Pi OS Bullseye has removed the default 'pi' user to make it harder for attackers to find and compromise Internet-exposed Raspberry Pi devices using default credentials.

     

    Starting with this latest release, when installing the OS, you will first be prompted to create an account by choosing a username and password (before this change, the OS installer would only ask for a custom password).

     

    You can no longer skip this step since the setup wizard will be launched when first booting the device (previously, you could hit Cancel to use the default pi/raspberry credentials).

     

    While you can still choose to use a 'pi' username and 'raspberry' as your password, you will be warned that it's not a wise choice.

     

    "We are not getting rid of the 'pi' user on existing installs. We are not stopping anyone from entering 'pi' and 'raspberry' as the username and password on a new install," said Simon Long, Senior Principal EngineerSenior at Raspberry Pi.

     

    "All we are doing is making it easy for people who care about security to not have a default 'pi' user – which is something people have been requesting for some time now."

     

    Raspberry_Pi_OS_user_account.png

    Raspberry Pi OS account creation wizard (Raspberry Pi )

     

    When booting the image for the first time, Raspberry Pi OS Lite image users will also be asked to create a new account via command line text prompts.

     

    If you want to run Raspberry Pi headless, you can create the user before booting into the OS by setting a username and a password via the Settings dialog before writing the image or adding a userconf file to the boot partition containing a username:encrypted-password pair.

     

    Existing installations are not affected by this change. However, users can still switch to non-default credentials by updating their existing image and running the sudo rename-user command.

     

    "This isn't that much of a weakness – just knowing a valid user name doesn't really help much if someone wants to hack into your system; they would also need to know your password, and you'd need to have enabled some form of remote access in the first place," Long explained.

     

    "But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials."

     

    For instance, the UK wants to enforce new regulations asking that IoT devices no longer come with default usernames and passwords but, instead ask customers to choose custom credentials, "not resettable to any universal factory default value."

     

     

    Raspberry Pi removes default user to hinder brute-force attacks


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...