Raspberry Pi OS Ditches Longtime User Account For Security Reasons (arstechnica.com) 21
An anonymous reader quotes a report from Ars Technica: Since its launch, the Raspberry Pi OS (and most operating systems based on it) has shipped with a default "pi" user account, making it simpler to boot up a Pi and start working without needing to hook up the device to a monitor or go through a multi-step setup process. But as of today, that's changing -- new installs of the Raspberry Pi OS are shedding that default user account for both security and regulatory reasons.
Raspberry Pi Foundation software engineer Simon Long explains the thinking in this blog post. "[The "pi" user account] could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials," he writes. This move will improve the Pi operating system's security.
Before, even if you assigned a good password to the "pi" account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the "pi" username. Many Pi OS-based operating systems also ship with the default "pi" user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place. The flip side is that the change could break some software and scripts, particularly those that are hard-coded to use the "pi" user account and home folder. "[T]he Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment," adds Ars. "And that setup wizard now prompts you to create a username and password rather than simply assigning a password to the default 'pi' user account. To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first."
The new version of the Pi OS also includes experimental support for the Wayland display server protocol, but Long says most people should ignore it for now since it's explicitly labeled as "experimental."
Raspberry Pi Foundation software engineer Simon Long explains the thinking in this blog post. "[The "pi" user account] could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials," he writes. This move will improve the Pi operating system's security.
Before, even if you assigned a good password to the "pi" account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the "pi" username. Many Pi OS-based operating systems also ship with the default "pi" user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place. The flip side is that the change could break some software and scripts, particularly those that are hard-coded to use the "pi" user account and home folder. "[T]he Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment," adds Ars. "And that setup wizard now prompts you to create a username and password rather than simply assigning a password to the default 'pi' user account. To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first."
The new version of the Pi OS also includes experimental support for the Wayland display server protocol, but Long says most people should ignore it for now since it's explicitly labeled as "experimental."
Soon ya’ll get the only post (Score:2)
and be the only one to read it
Re: (Score:2)
Belated congratulations.
Great! Next step: Buying a new one if you can (Score:2)
Re: (Score:2)
Only $209.99 on amazon for the 4gb version!
Re:Great! Next step: Buying a new one if you can (Score:4, Informative)
Thanks for the heads up. I bought a 4GB Raspberry Pi 4 kit a year ago for $99, since it was supposed to have graphics good enough to be a 1080i PVR frontend. Although it worked, the video was still pretty choppy. Moreover, websites like YouTube are almost unusable due to UI lag (my guess is that must run Javascript in interpreted mode). Although there was a lot of hype on its performance, my Pi 3 actually beat it on the old UnixBench CPU benchmarks. I eventually went back to using a real PC for the PVR frontend.
I just checked, and they seem to be asking $179 on eBay for these. I looks like I can get rid of this thing and net a tidy profit.
But just to increase security, maybe I'll change the account name on my other older Raspberry Pis from "pi" to "e".
Re: (Score:2)
I'll change the account name on my other older Raspberry Pis from "pi" to "e".
That's just irrational
Re: (Score:2)
I got mine to play around with openCV but the frame rate made it completely unusable. It works wonderfully for Klipper on my 3d printer, if it wasn't for that I would sell it on ebay.
Re: (Score:1)
The stupid thing is so many projects abandoning the pi3 and older platforms. I mean WTF, you can't even get a new pi of any kind.
It's these idiotic kids that buy the latest shiny thing and think everything else is worthless.
Or they jump on some stupid fad because they're too inexperienced and naive to realize what a waste of time it is. But they have so much energy and time to waste that they push through the problems and come up with ridiculously complex and convoluted solutions. Then we're all left with t
Re: (Score:3, Informative)
Agreed...there are so many projects that read a solitary input, and then toggle an output...with a ridiculous excess of processing power. The "could have done it with a 555" phenomenon. I bet 99.9% of Raspberry Pi's are using .1% of their power. (Well ok, maybe not that dramatic...but, ya know what I mean) Every version of Pi, it's been the same game emulator, adblocker, media server, "weather station", crappy laptop, smart mirror, relay toggling, etc. projects...few of, if any, need the latest greatest
Re: (Score:3)
Re: (Score:2)
Agreed...there are so many projects that read a solitary input, and then toggle an output...with a ridiculous excess of processing power. The "could have done it with a 555" phenomenon. I bet 99.9% of Raspberry Pi's are using .1% of their power. (Well ok, maybe not that dramatic...but, ya know what I mean)
For projects that don't do require significant horsepower or networking, you'd think people would just use an Arduino. They're a lot cheaper and more readily available (largely because a bunch of companies make clones).
Every version of Pi, it's been the same game emulator, adblocker, media server, "weather station", crappy laptop, smart mirror, relay toggling, etc. projects...few of, if any, need the latest greatest hardware. But yes...I do recognize that there are more "hardcore" uses for a Pi.
Pretty sure I qualify. I use them for NDI-based PTZ camera controllers [github.com]. Even the Raspberry Pi 4 has to request a low-quality proxy stream (720p, typically) from the camera, because only some 1080p sources work, and 4K sources are measured in seconds per frame. I would kill to have a Pi bo
Re: (Score:2)
Agreed...there are so many projects that read a solitary input, and then toggle an output...with a ridiculous excess of processing power. The "could have done it with a 555" phenomenon. I bet 99.9% of Raspberry Pi's are using .1% of their power.
I mean, sure, but I also don't really have any need for that $5 latte I buy every morning. Life is too short to quibble about whether you should put 10 hours into a project on a $35 device versus putting 12 hours into a version that will run on a $3.50 device. I just think it's neat that so many people are interested in buying these things for themselves or their kids or whatever that I can piggyback on their volume to get cheap toys for myself.
I mean, don't get me wrong, I have projects I've spun up on a
Re: (Score:2)
The stupid thing is so many projects abandoning the pi3 and older platforms.
Never use a Pi when an Arduino will do the job.
I mean WTF, you can't even get a new pi of any kind.
Actually, you can. You just have to pay through the nose. High prices are better than empty shelves.
Will it prohibit you from creating a pi account? (Score:2)
Will this be a thing in order to be backwards compatible?
Re: (Score:2)
I would think it would allow you to manually create an account named "pi" if you wanted. It just won't be a preconfigured account any longer in new OS installs.
If you are running old scripts or apps that assume the "pi" account is available then you can manually create it until the script or app is updated, then manually remove it as a security vulnerability.
No root? (Score:3)
Re:No root? (Score:5, Informative)
Dont need the Legislation, But is good. (Score:3)
At first I was rip routers, but actually it is even more convenient when they print their username and passwords on stickers they put on the back of devices. It was always hit or miss getting a default username and password for a router when you needed the router for internet to begin with.
Also, a randomly assigned password printed at the back of the device can theoretically be left as it is in most situations, and is orders above just leaving the default "admin":"" credentials.