Raspberry Pi OS Ditches Longtime User Account For Security Reasons
An anonymous reader quotes a report from Ars Technica: Since its launch, the Raspberry Pi OS (and most operating systems based on it) has shipped with a default "pi" user account, making it simpler to boot up a Pi and start working without needing to hook up the device to a monitor or go through a multi-step setup process. But as of today, that's changing -- new installs of the Raspberry Pi OS are shedding that default user account for both security and regulatory reasons. Raspberry Pi Foundation software engineer Simon Long explains the thinking in this blog post. "[The "pi" user account] could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials," he writes.

This move will improve the Pi operating system's security. Before, even if you assigned a good password to the "pi" account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the "pi" username. Many Pi OS-based operating systems also ship with the default "pi" user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place. The flip side is that the change could break some software and scripts, particularly those that are hard-coded to use the "pi" user account and home folder.

"[T]he Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment," adds Ars. "And that setup wizard now prompts you to create a username and password rather than simply assigning a password to the default 'pi' user account. To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first."
The new version of the Pi OS also includes experimental support for the Wayland display server protocol, but Long says most people should ignore it for now since it's explicitly labeled as "experimental."