Raspberry Pi has made a change to its operating system Raspberry Pi OS that removes the default username and password.
Until now, the default username and password for the tiny computers has been respectively “pi” and “raspberry”, which made setting up a new Pi device simple but also potentially made the popular internet-connected devices easier for remote attackers to hack them through techniques like password spraying.
“Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” explains Simon Long, a senior engineer for Raspberry Pi Trading.
“But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”
The UK for example plans to introduce new regulation that stop makers of Internet of Things (IoT) devices from shipping them to consumers with default usernames and passwords. The UK’s National Cyber Security Centre (NCSC) endorsed the Product Security and Telecommunications Infrastructure (PSTI) Bill because the pandemic increased people’s reliance on internet-connected devices.
Long says the latest release of Raspberry Pi OS removes the default “pi” username and a new wizard forces the user to create a username on the first boot of a newly-flashed Raspberry Pi OS image. But he also notes that not all existing documentation will align with the new process.
“This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” he notes.
It could nonetheless means a few changes for users when they’re setting up a new Raspberry Pi device because the wizard process is compulsory for a desktop setup.
“Working through the wizard is no longer optional, as this is how a user account is created; until you create a user account, you cannot log in to the desktop. So instead of running as an application in the desktop itself as before, the wizard now runs in a dedicated environment at first boot.”
The main difference is that previously users were prompted for a new password. Now users are prompted for a user name and a password.
Raspberry Pi still lets users set the username to “pi” and the password to “raspberry” but it will issue a warning that choosing the defaults is unwise.
“Some software might require the “pi” user, so we aren’t being completely authoritarian about this. But we really would recommend choosing something else,” says Long.
Raspberry Pi sales spiked at the beginning of the pandemic as consumers sought cheap home computing devices. But Raspberry Pi now faces supply constraints because of the global chip shortage. This week, Raspberry Pi chief Even Upton admitted resellers were out of stock.
“Demand for Raspberry Pi products increased sharply from the start of 2021 onwards, and supply constraints have prevented us from flexing up to meet this demand, with the result that we now have significant order backlogs for almost all products. In turn, our many resellers have their own backlogs, which they fulfil when they receive stock from us,” said Upton.