Security News > 2022 > April > Raspberry Pi removes default user to hinder brute-force attacks
An update to Raspberry Pi OS Bullseye has removed the default 'pi' user to make it harder for attackers to find and compromise Internet-exposed Raspberry Pi devices using default credentials.
You can no longer skip this step since the setup wizard will be launched when first booting the device.
When booting the image for the first time, Raspberry Pi OS Lite image users will also be asked to create a new account via command line text prompts.
Users can still switch to non-default credentials by updating their existing image and running the sudo rename-user command.
It could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials."
The UK wants to enforce new regulations asking that IoT devices no longer come with default usernames and passwords but, instead ask customers to choose custom credentials, "Not resettable to any universal factory default value."