Raspberry Pi Removes Default User to Improve Security

In an attempt to improve security, the latest Raspberry Pi OS release no longer creates a default “pi” account, requiring users to set up custom accounts instead.

The “pi” user, which has been present in all Raspberry Pi installations since the beginning, does make it easier to conduct brute-force attacks (it is usually paired with the password “raspberry”), even if some don’t necessarily see it as a security weakness.

With the latest change – which is also prompted by new legislation in some countries forbidding the use of default accounts – users will be required to create an account when booting a newly-flashed Raspberry Pi OS image.

“This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” Raspberry Pi senior principal software engineer Simon Long explains.

The Raspberry Pi setup wizard that has been around for several years has been optional until now, but the new security change means that users will have to use the wizard to configure settings, install software updates, and create a new user account to log into the desktop.

The wizard is largely unchanged from before, but it now requires users to set up a username and a password, instead of just asking for a new password. It also allows users to create a “pi” account if they need it, but it will warn that doing so is unwise.

The Raspberry Pi OS Lite image doesn’t have the wizard, but it will still require the creation of a new user account. For those who run Raspberry Pi headless, images with a user account can be preconfigured in the Raspberry Pi Imager tool.

The latest Raspberry Pi OS update also allows users with existing installations to rename the “pi” account by typing a rename command in the terminal window. This will trigger a device reboot “into a cut-down version of the first-boot wizard,” allowing users to change their usernames and passwords.

“Once you have entered a new username and password, you will be prompted to restart, and your Raspberry Pi will reboot to the desktop, with your existing user (and your home directory) renamed, but no other changes,” Long explains.

He also warns that, while most Raspberry Pi software should handle the home directory rename without issues, some code with a hardcoded path to the /home/pi directory may require further changes to work correctly.

He also explains that the process of renaming the “pi” user account will not work over a VNC connection, because it involves temporarily creating and logging in as a different user. Thus, only local users will be able to perform the renaming operation.
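
Before renaming an existing install, it helps to know whether the default account is still present and which files hard-code /home/pi. The script below is an added example, not code from Raspberry Pi or from this article; the function names and the list of directories searched are assumptions, and it takes a root directory argument so it can be pointed at a mounted image as well as a live system.

```sh
#!/bin/sh
# Added example: audit a Raspberry Pi OS filesystem for the default "pi"
# account and for hard-coded /home/pi paths that a rename would break.
# Usage (after sourcing): audit_pi_defaults /        # or a mounted image root

# Print an ACCOUNT line if a "pi" user with a login shell is in ROOT/etc/passwd.
check_pi_account() {
    root=${1:-/}
    [ -r "$root/etc/passwd" ] || return 0
    awk -F: '$1 == "pi" && $7 !~ /(nologin|false)$/ {
        printf "ACCOUNT pi uid=%s home=%s shell=%s\n", $3, $6, $7
    }' "$root/etc/passwd"
}

# Print "PATHREF file:line:text" for each text file that names /home/pi.
# The directory list is an assumption; extend it for your own layout.
find_pi_paths() {
    root=${1:-/}
    for dir in etc home usr/local opt var/spool/cron; do
        [ -d "$root/$dir" ] || continue
        # -I skips binary files. The trailing group stops /home/pippa or
        # /home/pi2 from matching. passwd itself is reported by the check above.
        grep -rInE --exclude='passwd*' '/home/pi([^[:alnum:]_.-]|$)' \
            "$root/$dir" 2>/dev/null | sed 's/^/PATHREF /'
    done
    return 0
}

# Print all findings; return 1 if there are any, 0 if the tree is clean.
audit_pi_defaults() {
    root=${1:-/}
    findings=$( { check_pi_account "$root"; find_pi_paths "$root"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Each PATHREF line is a file to review after the rename, typically a systemd unit, crontab entry or startup script that still points at the old home directory.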

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
