Raspberry Pi Ditches Default Logins to Boost Security

The developers behind Raspberry Pi have enhanced security by forcing users to choose a new username and password on start-up.

Senior principal software engineer Simon Long explained in a blog post that users were previously able to keep the default username “pi.” They were also able to bypass the setup wizard that asked them to choose a new password on start-up, which left them with the default password of “raspberry.”

This made it easier for attackers to guess or brute-force the logins of such devices.

A honeypot-based study by Bulletproof published last month claimed the login combo of “pi” and “raspberry” was among the most popular used by malicious bots trying to access devices set up by the researchers.

If connected to a corporate network, Raspberry Pis could therefore represent a weak link in the cybersecurity chain.

“This is not surprising as our research shows that there are well over 200,000 machines on the internet running the standard Raspberry Pi OS making it a decent number of systems to compromise,” Bulletproof said at the time. “As the Raspberry Pi OS ships with default credentials (un:pi/pwd:raspberry) it’s low-hanging fruit for hackers. What this tells us is that even default passwords are not being changed.”

Under the new setup procedure, the default “pi” user is being removed, and customers will need to choose a new username on initial boot-up. The start-up wizard will also be non-negotiable, forcing them to choose a new password before they can use the device.

“The wizard itself is largely unchanged from before, with the key difference being that when you were previously prompted for a new password, you are now prompted for a user name and a password,” explained Long.

“If you really want to, you can set these to ‘pi’ and ‘raspberry’ as before – you will get a warning message that doing so is unwise, but it is your choice – some software might require the ‘pi’ user, so we aren’t being completely authoritarian about this. But we really would recommend choosing something else.”

There is separate advice for those running a headless setup.
