As announced in a blog post from the Raspberry Pi Foundation, the operating system will no longer set “pi” as the default username at setup, thereby adding a layer of friction to potential password-stuffing attacks. Instead, users will be asked to create a custom username when a newly flashed Raspberry Pi OS image is booted for the first time.
Raspberry Pi update
According to Simon Long, who heads up user experience at Raspberry Pi, the decision to change the default username system is a sensible one, based on a weighing up of risk and reward.
“Over the years, we have gradually ramped up the security of Raspberry Pi OS; not in response to particular threats, but more as a general precaution,” he explained. “There is always a balance to be struck, however, as security improvements usually carry a cost in terms of usability, and we have tried to keep the system as convenient to use as possible, while having an acceptable level of security.”
“Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system. But nonetheless, it could potentially make a brute-force attack slightly easier.”
Long also noted that some countries are beginning to introduce legislation that outlaws internet-connected devices with default login credentials. The arrival of the new system, then, will ensure Raspberry Pi doesn’t have to worry about falling foul of new rulings.
As part of the update, the organization has also introduced a mechanism for changing the username on existing installations: typing “sudo rename-user” into a new terminal window. Doing so will reboot the device into a wizard for creating a new username, so existing customers can also benefit from the security upgrade.
The new Raspberry Pi OS image is available now via the official download page.