“Pi” is no more: Raspberry Pi OS is dropping a long-standing user account for security reasons
Since its launch, the Raspberry Pi OS (and most operating systems based on it) has come with a default “pi” user account, making it easy for the Pi to boot up and get started without having to plug the device into a monitor or go through a multi-step setup process. But as of today, this is changing – new installs of the Raspberry Pi OS remove this user account by default for both security and regulatory reasons.
Raspberry Pi Foundation Software Engineer Simon Long explains the train of thought in this blog post.
“[The ‘pi’ user account] has the potential to make a brute-force attack a little easier, and in response to this, some countries are now introducing legislation to prevent any device connected to the Internet from using default login credentials,” he writes.
This step will improve the security of the Pi operating system. In the past, even if you assigned a good password to the “pi” account, attackers could reasonably assume that most Raspberry Pi boards use the “pi” username. Many Pi OS-based operating systems also come with the “pi” user account enabled by default and completely passwordless, requiring extra steps to assign a password to the account in the first place.
On the other hand, this change may break some programs and scripts, especially those hardcoded to use the “pi” user account and home folder. Well-behaved software will use variables instead of hard-coded folder names, so it will work the same no matter which user account is used. But the popularity of the Pi among indie and hobby developers means you’re likely to run into problems here and there. It’s also possible that distributions based on the Pi OS may continue to use the “pi” account, choosing not to follow the Pi Foundation’s example of implementing new security practices.
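As an added illustration of the hard-coding problem described above (this is example code, not from the Raspberry Pi Foundation or the original article), the following Python sketch flags lines in scripts and systemd unit files that depend on the “pi” account. The rule set, function names and sample inputs are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Patterns that tie a script or unit file to the old default account.
# This rule set is an assumption of the example, not an official list.
RULES = [
    ("home-path", re.compile(r"/home/pi(?![\w.-])"),
     "use $HOME, ~ or Path.home() instead of the literal folder"),
    ("systemd-user", re.compile(r"^\s*(?:User|Group)\s*=\s*pi\s*$"),
     "name the account created at first boot"),
    ("run-as-pi", re.compile(r"\b(?:sudo\s+-u|chown(?:\s+-R)?)\s+pi\b"),
     "pass the account name in as a variable instead of the literal name"),
]

def scan_text(name, text):
    """Return (file, line number, rule, advice) for each hard-coded reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern, advice in RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule, advice))
    return findings

def scan_tree(root):
    """Scan every readable text file under root; binary files are skipped."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend(scan_text(str(path), text))
    return findings

# Constructed sample inputs (not taken from any real project).
SAMPLE_SCRIPT = '''#!/bin/sh
LOG=/home/pi/sensor/log.txt
cp "$HOME/data.csv" /home/pictures/
sudo -u pi python3 /home/pi/sensor/read.py >> "$LOG"
'''
SAMPLE_UNIT = "[Service]\nUser=pi\nExecStart=/usr/bin/python3 /opt/sensor/read.py\n"

if __name__ == "__main__":
    for sample in (("run.sh", SAMPLE_SCRIPT), ("sensor.service", SAMPLE_UNIT)):
        for name, lineno, rule, advice in scan_text(*sample):
            print(f"{name}:{lineno}: {rule}: {advice}")
```

Running `scan_tree()` over a project directory before moving it to a fresh install lists the lines that would break under a different username.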
Removing the default user account required several other changes to the OS and its tools. Like most other operating systems, the Raspberry Pi OS now boots into a special setup mode on first startup instead of running the setup wizard as an application in a normal desktop environment. And this setup wizard now prompts you to create a username and password instead of just assigning a password to the default “pi” user account. To simplify setup, the wizard can now pair a Bluetooth keyboard and mouse without first connecting a USB accessory.
Many Pi software distributions run headless, without any monitor attached, and the Pi Imager tool allows for this as well. You can create a username and password before writing your operating system to the SD card, which will allow Pi OS to bypass the setup wizard and boot directly to the desktop or command line, as it currently does. Creating a text file on the SD card’s boot partition with an encrypted password will achieve the same result.
The new version of the Pi OS doesn’t include many new features, but does include experimental support for the Wayland display server protocol, which could replace many (but not all) features of the old X Window System and “probably be the future of desktop Linux,” Long writes. But most people can and should ignore Wayland on the Pi OS for now, as it’s explicitly labeled “experimental” and “there are a lot of features not yet supported by Wayland.”