Raspberry Pi removes default user to hinder brute-force attacks

An update to Raspberry Pi OS Bullseye has removed the default ‘pi’ user to make it harder for attackers to find and compromise Internet-exposed Raspberry Pi devices using default credentials.

Starting with this latest release, when installing the OS, you will first be prompted to create an account by choosing a username and password (before this change, the OS installer would only ask for a custom password).

You can no longer skip this step since the setup wizard will be launched when first booting the device (previously, you could hit Cancel to use the default pi/raspberry credentials).

While you can still choose to use a ‘pi’ username and ‘raspberry’ as your password, you will be warned that it’s not a wise choice.

“We are not getting rid of the ‘pi’ user on existing installs. We are not stopping anyone from entering ‘pi’ and ‘raspberry’ as the username and password on a new install,” said Simon Long, Senior Principal EngineerSenior at Raspberry Pi.

“All we are doing is making it easy for people who care about security to not have a default ‘pi’ user – which is something people have been requesting for some time now.”

When booting the image for the first time, Raspberry Pi OS Lite image users will also be asked to create a new account via command line text prompts.

If you want to run Raspberry Pi headless, you can create the user before booting into the OS by setting a username and a password via the Settings dialog before writing the image or adding a userconf file to the boot partition containing a username:encrypted-password pair.

Existing installations are not affected by this change. However, users can still switch to non-default credentials by updating their existing image and running the sudo rename-user command.

“This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” Long explained.

“But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”

For instance, the UK wants to enforce new regulations asking that IoT devices no longer come with default usernames and passwords but, instead ask customers to choose custom credentials, “not resettable to any universal factory default value.”