Raspberry Pi Removes Default User to Improve Security


In an attempt to improve security, the latest Raspberry Pi OS release no longer creates a default “pi” account, requiring users to set up custom accounts instead.

The “pi” user, which has been present in all Raspberry Pi installations since the beginning, does make it easier to conduct brute-force attacks (it is usually paired with the password “raspberry”), even if some don’t necessarily see it as a security weakness.

With the latest change – which is also prompted by new legislation in some countries forbidding the use of default accounts – users will be required to create an account when booting a newly-flashed Raspberry Pi OS image.

“This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” Raspberry Pi senior principal software engineer Simon Long explains.

The Raspberry Pi setup wizard that has been around for several years has been optional until now, but the new security change means that users will have to use the wizard to configure settings, install software updates, and create a new user account to log into the desktop.

The wizard is largely unchanged from before, but it now requires users to set up a username and a password, instead of just asking for a new password. It also allows users to create a “pi” account if they need it, but it will warn that doing so is unwise.

The Raspberry Pi OS Lite image doesn’t have the wizard, but it will still require the creation of a new user account. For those who run Raspberry Pi headless, images with a user account can be preconfigured in the Raspberry Pi Imager tool.

The latest Raspberry Pi OS update also allows users with existing installations to rename the “pi” account by typing a rename command in a terminal window. This triggers a reboot “into a cut-down version of the first-boot wizard,” allowing users to change their username and password.

“Once you have entered a new username and password, you will be prompted to restart, and your Raspberry Pi will reboot to the desktop, with your existing user (and your home directory) renamed, but no other changes,” Long explains.

He also warns that, while most Raspberry Pi software should handle the home directory rename without issues, some code with a hardcoded path to the /home/pi directory may require further changes to work correctly.

He also explains that the process of renaming the “pi” user account will not work over a VNC connection, because it involves temporarily creating and logging in as a different user. Thus, only local users will be able to perform the renaming operation.
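Two checks an administrator can run on an existing installation before and after the rename described above: whether the default “pi” account is still present, and which files hardcode the /home/pi path that the rename breaks. This is an added example, not code from the article or from Raspberry Pi’s own tooling; the function names are assumptions, and both functions take explicit paths so they can also be run against a mounted SD-card image.

```shell
#!/bin/sh
# Added example (not from the article or Raspberry Pi tooling): audit helpers
# for the default "pi" account and for hardcoded /home/pi paths.

# Return 0 if a "pi" user line exists in the given passwd file
# (default: the running system's /etc/passwd).
pi_account_exists() {
    grep -q '^pi:' "${1:-/etc/passwd}"
}

# Print "file:line:text" for every file under the given directory that
# references /home/pi as a whole path component, so /home/pi-data or
# /home/pi2 are not reported. Returns 0 if at least one hit was found,
# 1 otherwise (grep's own convention).
find_hardcoded_home_pi() {
    grep -rnE '/home/pi([^-A-Za-z0-9_.]|$)' "$1" 2>/dev/null
}

# Combined audit: returns 0 when neither problem is present, 1 otherwise.
# Arguments: passwd file to inspect, directory tree to scan
# (for a live system, e.g. /etc/passwd and /etc or /usr/local/bin).
audit_pi_defaults() {
    passwd_file="$1"; scan_dir="$2"; status=0
    if pi_account_exists "$passwd_file"; then
        echo "WARN: default 'pi' account still present in $passwd_file"
        status=1
    fi
    if hits=$(find_hardcoded_home_pi "$scan_dir"); then
        echo "WARN: hardcoded /home/pi references under $scan_dir:"
        echo "$hits"
        status=1
    fi
    return "$status"
}
```

Scripts that use `$HOME` or `~` instead of a literal /home/pi survive the rename unchanged, so a clean scan of /etc and the former home directory is the quickest sign that the rename is safe.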

Ionut Arghire is an international correspondent for SecurityWeek.