The Raspberry Pi OS has been updated. To make it more difficult for attackers to identify and hack Internet-exposed Raspberry Pi devices with default credentials, Bullseye has eliminated the default ‘pi’ user. Starting with this release, you’ll be asked to create an account by selecting a username and password before downloading the OS (before this change, the OS installer would only ask for a custom password).
You can’t skip this step since the setup wizard will be run when the device is initially booted (before, you could press Cancel to use the default pi/raspberry credentials). While you may still use the login ‘pi’ and the password ‘raspberry,’ you will be advised that this is not a good decision.
“We are not getting rid of the ‘pi’ user on existing installs. We are not stopping anyone from entering ‘pi’ and ‘raspberry’ as the username and password on a new install,” as stated by Simon Long, Senior Principal Engineer at Raspberry Pi. “All we are doing is making it easy for people who care about security to not have a default ‘pi’ user – which is something people have been requesting for some time now.”
Users of the Raspberry Pi OS Lite image will be prompted to create a new account through command-line text prompts when booting the image for the first time. If you wish to use the Raspberry Pi without a display, you can create a user before booting into the OS, either by entering a username and password in the Settings dialog before making the image or by adding a username:encrypted-password pair to the boot partition through a userconf file.
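The userconf route described above can be scripted. The following is an added example, not code from Raspberry Pi or from the original article: it hashes the password with openssl passwd -6 (SHA-512 crypt) and writes the username:encrypted-password line. The function names, the userconf.txt file name, the boot directory argument and the refusal of the old pi/raspberry pair are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the userconf file for a headless first boot.
# Assumptions: openssl is installed and the caller passes the directory
# where the SD card's boot partition is mounted.
LC_ALL=C; export LC_ALL   # make the a-z ranges below mean ASCII only

# make_userconf USER PASSWORD BOOT_DIR
# Writes "USER:<SHA-512 crypt hash>" to BOOT_DIR/userconf.txt.
make_userconf() {
    user=$1; pass=$2; boot=$3

    # Example policy: refuse the old well-known default pair outright.
    if [ "$user" = "pi" ] && [ "$pass" = "raspberry" ]; then
        echo "refusing the default pi/raspberry credentials" >&2
        return 1
    fi

    # Conservative username check: starts with a lowercase letter or '_',
    # then only lowercase letters, digits, '_' or '-'.
    case $user in
        ""|[!a-z_]*|*[!a-z0-9_-]*)
            echo "invalid username: $user" >&2
            return 1 ;;
    esac

    [ -n "$pass" ] || { echo "empty password" >&2; return 1; }
    [ -d "$boot" ] || { echo "boot directory not found: $boot" >&2; return 1; }

    # Feed the password on stdin so it never appears in a process listing.
    hash=$(printf '%s\n' "$pass" | openssl passwd -6 -stdin) || return 1
    printf '%s:%s\n' "$user" "$hash" > "$boot/userconf.txt"
}

# check_userconf PASSWORD FILE
# Succeeds if PASSWORD reproduces the hash stored in FILE, which catches
# a truncated or mangled line before the card goes into the device.
check_userconf() {
    stored=$(cut -d: -f2- "$2")
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $6$<salt>$<hash>
    again=$(printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin) || return 1
    [ "$again" = "$stored" ]
}
```

In real use, read the password with a prompt rather than hard-coding it in a script or leaving it in shell history.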
This update has no impact on existing installations. Users may still change their credentials to anything other than the default by upgrading their current image and running the sudo rename-user command. According to Long, a known default user name isn’t much of a flaw: knowing a legitimate user name won’t help much if someone wants to hack into your system, since they’d also need to know your password, and you’d have to have authorized remote access in the first place.
However, it might make a brute-force attack significantly more straightforward. As a result, several nations are enacting legislation prohibiting any Internet-connected device from having default login credentials. For example, the United Kingdom seeks to implement new regulations requiring IoT devices to stop providing default usernames and passwords, instead requiring consumers to pick bespoke credentials that are “not resettable to any universal factory default value.”