Raspberry Pi has made a change to its Raspberry Pi OS that removes the default username and password.
Until now, the default username and password for small computers have been “pi” and “raspberry” respectively, which made setting up a new Pi device simpler, but also made popular Internet-connected devices easier. of hacking for remote attackers. techniques such as password spraying.
“Until now, all installations of the Raspberry Pi OS have had a default user named ‘pi’. This isn’t a huge weakness – just knowing a valid username doesn’t really help much if someone wants to hack into your system – they’d also need to know your password, and you would have to have enabled some form of remote access in the first place”, explains Simon Long, Senior Engineer at Raspberry Pi Trading.
As well: Where to buy hard-to-find Raspberry Pi boards and alternatives
“However, it could make a brute force attack a bit easier and in response to this, some countries are now introducing laws to prohibit any device connected to the internet from having default login credentials.”
The UK, for example, plans to introduce a new regulation that would prevent manufacturers of Internet of Things (IoT) devices from shipping them to consumers with default usernames and passwords. The UK’s National Cyber Security Center (NCSC) backed the Product Security and Telecommunications Infrastructure Bill (PSTI) because the pandemic increased people’s reliance on internet-connected devices.
Long says that the latest version of the Raspberry Pi OS removes the default “pi” username and a new wizard forces the user to create a username on first boot of a freshly flashed Raspberry Pi OS image. But he also points out that not all existing documentation will align with the new process.
“This is in line with the way most operating systems work today, and while it can cause some issues where the software (and documentation) assumes the existence of the ‘pi’ user, it feels like a sensible change at the moment. ”, he points out.
However, it might mean some changes for users when setting up a new Raspberry Pi device because the wizard process is required for a desktop setup.
“Working through the wizard is no longer optional, as that’s how you create a user account; until you create a user account, you can’t log in to the desktop. So instead of running as an application on the desktop as before, the wizard now runs in a dedicated environment on first boot”.
The main difference is that previously users were prompted for a new password. Users are now prompted for a username and password.
Raspberry Pi still allows users to set the username to “pi” and the password to “raspberry”, but will issue a warning that choosing the defaults is not advisable.
“Some software may require the ‘pi’ user, so we’re not being completely authoritative on that. But we’d really recommend choosing something else,” says Long.
Raspberry Pi sales soared at the start of the pandemic as consumers sought out cheap home computing devices. But the Raspberry Pi now faces supply constraints due to global chip shortages. This week, Raspberry Pi boss Even Upton admitted that resellers were out of stock.
“Demand for Raspberry Pi products increased sharply from early 2021 onwards, and supply constraints have prevented us from adapting to meet this demand, with the result that we now have a significant backlog of orders for almost all products. In turn, our many resellers have their own backorders, which they fill when they receive our stock,” Upton said.