Raspberry Pi removes the default password for maximum security

A new update to the Bullseye release of Raspberry Pi OS has corrected one of its main weaknesses: the default username and password, which gave access to the device with elevated permissions and little effort, since hardly anyone changes the passwords that come by default.

With more than 200,000 computers on the Internet running Raspberry Pi OS for all sorts of projects, according to estimates, cybercriminals had a huge base to probe. Raspberry Pi has now updated the OS to try to improve security.

Goodbye default username

Until now, Raspberry Pi OS shipped with default credentials (user: pi, password: raspberry) that were very easy for attackers to guess. This made the devices easy targets, as Raspberry Pi devices are cheap, easy to set up, useful out of the box, and will most likely connect via VPN or WiFi. So much so that the combination of “pi” and “raspberry” came in eighth place in a recent security report on failed login attempts from the firm Bulletproof.

Knowing a username by itself does not usually help an attacker much, but it can make an attack easier:

“Just knowing a valid username doesn’t really help much if someone wants to hack into your system; they would also need to know your password and you would need to have enabled some form of remote access in the first place,” explains Simon Long, senior engineer at Raspberry Pi Trading. “However, it could make a brute-force attack a bit easier, and in response to this, some countries are now introducing laws to prohibit any device connected to the internet from having default login credentials.”

The laws that Simon Long mentions include, for example, a proposal from the UK’s National Cyber Security Centre (NCSC) to do away with default device passwords because they are easy to guess, bringing them one step closer to being prohibited.

New user and password creation wizard

The latest version of Raspberry Pi OS removes the default “pi” username, and a new wizard forces the user to create a username on first boot of a freshly flashed Raspberry Pi OS image. Raspberry Pi is aware of possible incompatibilities, especially in the early days of the change.

“This is in line with the way most operating systems work today, and while it can cause some issues where the software (and documentation) assumes the existence of the ‘pi’ user, it feels like a sensible change at this point.”

Raspberry Pi will still allow users to set the username to “pi” and the password to “raspberry”, but will issue a warning that choosing the default values is not advisable.
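Because older images and users who ignore the warning can still have a “pi” account, the following added example (not code from Raspberry Pi or from this article) audits a system for it, combining the two conditions from Simon Long's quote: a password-enabled “pi” account and remote access that accepts passwords. It works on text copies of `/etc/passwd`, `/etc/shadow` and `/etc/ssh/sshd_config`; the function names and sample data are assumptions made for illustration, and it does not test what the password actually is.

```python
# Added example (not Raspberry Pi's code): audit text copies of /etc/passwd,
# /etc/shadow and /etc/ssh/sshd_config for the legacy "pi" account.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def pi_password_login_possible(passwd_text, shadow_text, user="pi"):
    """True if `user` exists, has a login shell and an unlocked password."""
    shell, pw_field = None, "*"
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            shell = fields[6]
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            pw_field = fields[1]
    if shell is None or shell in NOLOGIN_SHELLS:
        return False
    # A leading "!" or "*" in the shadow password field means password login is locked.
    return not pw_field.startswith(("!", "*"))

def ssh_password_auth_enabled(sshd_config_text):
    """sshd keeps the first value it reads for a keyword; the default is yes.
    Simplification: Include files and Match blocks are not evaluated."""
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "passwordauthentication" and len(parts) > 1:
            return parts[1].lower() == "yes"
    return True

def audit(passwd_text, shadow_text, sshd_config_text):
    findings = []
    if pi_password_login_possible(passwd_text, shadow_text):
        findings.append("account 'pi' exists and accepts a password")
        if ssh_password_auth_enabled(sshd_config_text):
            findings.append("sshd accepts passwords: 'pi' is exposed to remote guessing")
    return findings

# Constructed sample data (the hash is a placeholder, not a real one).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\npi:x:1000:1000:,,,:/home/pi:/bin/bash\n"
SAMPLE_SHADOW = "root:*:19000:0:99999:7:::\npi:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::\n"
SAMPLE_SSHD = "#PasswordAuthentication yes\nPermitRootLogin no\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SSHD):
        print("WARNING:", finding)
```

An empty result means no password-enabled “pi” account was found; it says nothing about whether the SSH service is actually running.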

A good password for any device should be personalized rather than the one that comes by default, and it should be long and contain letters (both uppercase and lowercase), numbers and other special symbols. It should always be random and never be reused elsewhere, so that one password discovered by cybercriminals or hackers does not cause a domino effect.