
Raspberry Pi Removes Default User to Improve Security

In an attempt to improve security, the latest Raspberry Pi OS release no longer creates a default “pi” account, requiring users to set up custom accounts instead.


The “pi” user, which has been present in all Raspberry Pi installations since the beginning, does make it easier to conduct brute-force attacks (it is usually paired with the password “raspberry”), even if some don’t necessarily see it as a security weakness.

With the latest change – which is also prompted by new legislation in some countries forbidding the use of default accounts – users will be required to create an account when booting a newly-flashed Raspberry Pi OS image.

“This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” Raspberry Pi senior principal software engineer Simon Long explains.

The Raspberry Pi setup wizard that has been around for several years has been optional until now, but the new security change means that users will have to use the wizard to configure settings, install software updates, and create a new user account to log into the desktop.

The wizard is largely unchanged from before, but it now requires users to set up a username and a password, instead of just asking for a new password. It also allows users to create a “pi” account if they need it, but it will warn that doing so is unwise.


The Raspberry Pi OS Lite image doesn’t have the wizard, but it will still require the creation of a new user account. For those who run Raspberry Pi headless, images with a user account can be preconfigured in the Raspberry Pi Imager tool.

The latest Raspberry Pi OS update also allows users with existing installations to rename the “pi” account by typing a rename command in the terminal window. This will trigger a device reboot “into a cut-down version of the first-boot wizard,” allowing users to change their usernames and passwords.

“Once you have entered a new username and password, you will be prompted to restart, and your Raspberry Pi will reboot to the desktop, with your existing user (and your home directory) renamed, but no other changes,” Long explains.

He also warns that, while most Raspberry Pi software should handle the home directory rename without issues, some code with a hardcoded path to the /home/pi directory may require further changes to work correctly.

He also explains that the process of renaming the “pi” user account will not work over a VNC connection, because it involves temporarily creating and logging in as a different user. Thus, only local users will be able to perform the renaming operation.
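A post-rename audit for the two issues described above (a leftover “pi” account and hardcoded /home/pi paths), as an added example that is not part of the original article or of Raspberry Pi's own tooling. The function names and the sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# /home/pi as a whole path component: matches /home/pi and /home/pi/x,
# but not /home/pirate or /home/pi2.
HOME_PI = re.compile(r"/home/pi(?![\w.-])")

def default_pi_account(passwd_text):
    """Return uid/home/shell of the 'pi' entry in passwd-format text, or None."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[0] == "pi":
            return {"uid": int(fields[2]), "home": fields[5], "shell": fields[6]}
    return None

def find_hardcoded_home(root):
    """Return sorted (relative path, line number, text) for each /home/pi reference."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if b"\0" in data[:4096]:
                continue  # looks binary, not a config or script
            text = data.decode("utf-8", "replace")
            for num, line in enumerate(text.splitlines(), 1):
                if HOME_PI.search(line):
                    hits.append((os.path.relpath(path, root), num, line.strip()))
    return sorted(hits)

def demo():
    """Run both checks on constructed sample data (not taken from a real device)."""
    passwd = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000:,,,:/home/alice:/bin/bash\n"
    units = {
        "cam.service": "[Service]\nExecStart=/home/pi/cam/run.sh\nUser=alice\n",
        "crontab": "0 * * * * /home/pirate/sync.sh\n@reboot cd /home/pi && ./start\n",
        "blob.bin": "\0\0/home/pi/ignored",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in units.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return default_pi_account(passwd), find_hardcoded_home(root)

if __name__ == "__main__":
    print(demo())
```

On a real device, pass the contents of /etc/passwd to `default_pi_account` and point `find_hardcoded_home` at the directories holding your service units, cron entries and scripts.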


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
