Heater
Posts: 9986
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 2:59 am

One aspect of the security thing that has not been mentioned here is that it's not always about the bad guys getting access to your network and your data exactly.

A growing problem has been the bad guys being able to use your machines as a means to attack others or do miscreant things on the net. You may suffer no harm at all and not even notice. For example the famous "bot nets" created from millions of net connected cameras, https://motherboard.vice.com/en_us/arti ... rian-krebs

The subtlety here is that security of your machines is not required to protect you from the bad guys but to protect the global network from you!

lgalex
Posts: 26
Joined: Mon Sep 17, 2018 1:06 pm

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 4:33 am

I may be fairly new to Linux and the Raspberry Pi, but I don't understand what the big problem with this is.

It used to be that Raspbian had a default password for everyone and that was it... You had to know it was important to change it. Maybe not a good idea.

But it changed a while ago, and ssh got disabled by default with a warning if turned on with default password. Better...

But a few weeks ago, it got a LOT better and new installs now do ask for a new password by default. It may not FORCE you to do it, you can cancel, but it is there like it should be. I get the feeling that some people still don't know about this because it's only a few weeks old and you only see it on new installs.
wh7qq wrote: Still, when folks use passwords like "12345678" and "abcdefgh", "What does it matter?" Forcing passwords is buying into a never ending chain of tail chasing... next will require "good" passwords and so on ad nauseam. It will never end.
Even if forced, people can indeed use bad passwords and it really never ends.


Would it be better to be like Debian or any modern OS, maybe yes, but I really don't see the problem with the new versions that ask you for a new password. (maybe there are more serious security problems, like using a 6 months old version of the world's most used browser by default... :roll: )

hippy
Posts: 3890
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 9:22 am

lgalex wrote:
Mon Oct 15, 2018 4:33 am
I really don't see the problem with the new versions that ask you for a new password.
The problem is that it doesn't force a new password to be chosen and allowing a common default can have adverse consequences for everyone else in the wider community.

The proposed Californian law, and the recommendation of security advisers, is to protect users and the wider community from situations which can have adverse effects, which the current mechanism doesn't.

wh7qq
Posts: 1124
Joined: Thu Oct 09, 2014 2:50 am

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 6:14 pm

A more reasoned approach would be to make it a requirement for activation of network connections of any kind but leave the other functions of the RPi intact for users who don't need network connection. The RPi is, after all, a general purpose device.

Still, the whole thing smacks of the FCC requiring all router manufacturers to lock up their Linux based operating systems to prevent loading open source firmware. I made the mistake of updating my router to the manufacturer's latest and now I can't even revert to his earlier versions, let alone any open source firmware. I am building up an x86/Linux based router now and it is a big PITA.

Of course, the safest thing might be to require a course in internet security before giving anyone a license to use the internet. Or is it? We train and test drivers but still have highway mayhem and deaths. We extensively train and license medical doctors but still have way too many injuries and deaths from malpractice and errors.

As for the larger community, going on line, much like living, has serious risks. The biggest is the development of botnets based on infecting many of the IoT devices that are becoming more and more popular. The perpetrators of this kind of malicious nonsense are clever folks and they will, if they have not already, find a way around passwords and user names. So is the next step to require encryption of user names and/or passwords? Where will it end? At some point, you have to balance security with usability.

As a society, we have somehow come to the point where we expect protection from all risks, to be wrapped in a protective cocoon from birth. It is really frightening. At some point, the cocoon will feel like a straitjacket. Maybe that has already occurred.
Last edited by wh7qq on Mon Oct 15, 2018 7:31 pm, edited 1 time in total.

hippy
Posts: 3890
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 6:24 pm

wh7qq wrote:
Mon Oct 15, 2018 6:14 pm
Achtung!! Ve haf our vays to make you conform. Seig Heil!
The primary purpose of government, local or national, is to act in the best interests of the people it represents and to keep them safe from harm. Enacting laws, imposing rules and regulations, is the way which governments have always done this.

wh7qq
Posts: 1124
Joined: Thu Oct 09, 2014 2:50 am

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 7:40 pm

hippy wrote:
Mon Oct 15, 2018 6:24 pm
The primary purpose of government, local or national, is to act in the best interests of the people it represents and to keep them safe from harm. Enacting laws, imposing rules and regulations, is the way which governments have always done this.
And who will protect us from the governments? History has shown them to be quite capable of enacting laws and regulations for purely political purposes. An "incorruptible politician" is oxymoronic. The public that elects these folks are subject to all forms of manipulation by the politicians, the media, and large and powerful vested interests. The very folks that enact and implement these regulations justify their continued existence with finding new things to regulate. It never ends...unless we end it.

Imperf3kt
Posts: 1376
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 7:57 pm

Since you claim a password is a bubble wrapped cocoon, then I presume you don't use one? Otherwise I find your complaints extremely hypocritical and offensive.
Stop plugging your fan directly into the GPIO 5v
https://www.electronics-tutorials.ws/power/transient-suppression.html

n67
Posts: 839
Joined: Mon Oct 30, 2017 4:55 pm

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 8:31 pm

(This thread is going down the tubes, real fast)

Anyway, to get somewhat back on topic - as I've said so many times, the solution - and it is so obvious that I don't understand why it hasn't been implemented yet - is to ship Raspbian with no password on the "pi" account. That is, in the file /etc/shadow, every line should have the second field be an asterisk. Currently, every line except one is an asterisk.

I invite each and everyone to do the following test - which I recently did. Change the second field of /etc/shadow to an asterisk, reboot your system, and see if anything breaks. For me, nothing did.
That is, everything works just as it did on the desktop. All of my ssh logins continue to work as before.

Note: There are several ways to effect this change. I did it the old-fashioned way - using "vipw -s" - but I think there is some kind of "lock" feature built into the "passwd" program. You could do it that way if you prefer.
"L'enfer, c'est les autres"

If a post offends you, just put that poster on your foes list, and be done with it (and with them).

To do otherwise, risks being banned.
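The /etc/shadow check n67 describes, written out as an added shell example that is not part of any post in this thread. It classifies every account's password field so you can see which accounts still accept a password at all, and it records the two lock methods mentioned above (vipw -s and the lock feature of passwd). The sample shadow file is constructed for illustration; the hashes in it are not real. One caveat a practitioner should know: "*" and a "!"-prefixed hash (what passwd -l writes) both block password logins, but an empty second field (what passwd -d produces) is the opposite and means no password is required at all, so the audit reports it separately. Key-based ssh keeps working with a locked field, which is why nothing broke in n67's test.

```shell
#!/bin/sh
# Audit a shadow(5)-format file and report accounts that are not locked.
# Usage: audit_shadow [/path/to/shadow]   (defaults to /etc/shadow, needs root)
#
# To lock the 'pi' account on a real system, either of these works:
#   sudo passwd -l pi        # prefixes the hash with "!" (passwd's lock feature)
#   sudo vipw -s             # edit the file by hand and put "*" in field 2
# Do NOT use "passwd -d pi": that empties the field and removes the password
# requirement entirely. "sudo passwd -S pi" shows L (locked), P (set) or NP.

# Classify one password field:
#   locked : "*" or anything starting with "!"  -> password logins refused
#   empty  : ""                                 -> NO password needed (dangerous)
#   hashed : a real hash                        -> guessable/brute-forceable
classify_field() {
    case "$1" in
        "")       echo empty ;;
        "*"|"!"*) echo locked ;;
        *)        echo hashed ;;
    esac
}

# Print "user state" for each account whose field is not locked.
audit_shadow() {
    file=${1:-/etc/shadow}
    while IFS=: read -r user pw _rest; do
        state=$(classify_field "$pw")
        [ "$state" = locked ] || echo "$user $state"
    done < "$file"
}

# Write a constructed sample shadow file (fake hashes, not from any system).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:*:17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
pi:$6$saltsalt$NotARealHashJustFillerForTheExample0123456789abcdefghijklmnop:17800:0:99999:7:::
backup:!$6$lockedbypasswdl$AlsoFiller:17800:0:99999:7:::
guest::17800:0:99999:7:::
EOF
}

# Stand-alone demo: expected output is "pi hashed" and "guest empty".
sample=$(mktemp)
write_sample_shadow "$sample"
audit_shadow "$sample"
rm -f "$sample"
```

Run it as root against the real file (sudo sh audit.sh; then audit_shadow /etc/shadow) on a stock image and the only line reported should be the one for pi; after sudo passwd -l pi the report should be empty.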

fbe
Posts: 347
Joined: Thu Aug 17, 2017 9:08 pm

Re: Is it Time to force Raspbian password change on initial login

Mon Oct 15, 2018 9:00 pm

n67 wrote:
Mon Oct 15, 2018 8:31 pm
I invite each and everyone to do the following test - which I recently did. Change the second field of /etc/shadow to an asterisk, reboot your system, and see if anything breaks. For me, nothing did.
That is, everything works just as it did on the desktop. All of my ssh logins continue to work as before.
Autologin to Desktop or CLI should work out of the box, but ssh login will require your public key in /home/pi/.ssh/authorized_keys. A new or modified hack would be needed for headless setup.

n67
Posts: 839
Joined: Mon Oct 30, 2017 4:55 pm

Re: Is it Time to force Raspbian password change on initial login

Tue Oct 16, 2018 12:11 am

Yes.

The basic assumption is that if you are far enough down the learning curve to be messing around with advanced topics such as either "headless" setup or "Raspbian Lite", then you're going to be able to do what's necessary to get it working. I.e., you'll figure it out.

That said, I have already suggested, some time back, that the "drop a file called ssh or ssh.txt into /boot" hack could be updated to have the contents of that file (as of now, the contents are unused/irrelevant) be the new password for the 'pi' account.

This is, by no means, the only way that an experienced user could setup a usable password for 'pi', but it is one that fits in with the existing model.
"L'enfer, c'est les autres"

If a post offends you, just put that poster on your foes list, and be done with it (and with them).

To do otherwise, risks being banned.
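A sketch of how the suggestion above could be implemented, added here as an example; it is not Raspbian's code and the file name /boot/pi-password.txt is an assumption. The part worth getting right is the validation: the boot partition is FAT, so the file is usually created on another machine, often with a Windows editor that adds a trailing "\r\n" that would otherwise silently become part of the password. The hook also refuses an empty value and the well-known default, and the cleartext file should be deleted once used, since FAT has no permissions and anyone who mounts the card can read it.

```shell
#!/bin/sh
# Hypothetical first-boot hook: take the new 'pi' password from a file on the
# boot partition, in the style of the existing "ssh" file trick.
# Assumed file name: /boot/pi-password.txt (not a real Raspbian feature).

# Read a candidate password from file $1 and print it, or fail with exit 1.
# Rejects a missing file, an empty value, the default "raspberry" and anything
# shorter than 8 characters; strips trailing CR/LF from Windows-edited files.
boot_file_password() {
    f=$1
    [ -f "$f" ] || { echo "no password file: $f" >&2; return 1; }
    pw=$(head -n 1 "$f" | tr -d '\r\n')
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    [ "$pw" != "raspberry" ] || { echo "refusing the default password" >&2; return 1; }
    [ "${#pw}" -ge 8 ] || { echo "password shorter than 8 characters" >&2; return 1; }
    printf '%s' "$pw"
}

# What the hook would do at boot (needs root, so not run here):
#   pw=$(boot_file_password /boot/pi-password.txt) &&
#   printf 'pi:%s\n' "$pw" | chpasswd &&
#   rm -f /boot/pi-password.txt     # remove the cleartext; FAT has no permissions

# Stand-alone demo with a constructed file that has a Windows line ending.
demo=$(mktemp)
printf 'S3cret-pw\r\n' > "$demo"
boot_file_password "$demo" && echo " <- accepted (CR/LF stripped)"
rm -f "$demo"
```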

Imperf3kt
Posts: 1376
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Is it Time to force Raspbian password change on initial login

Tue Oct 16, 2018 1:24 am

The problem there is that those experienced users, write about their "cool project", and along comes Mr. Noob, with no idea what he is doing or the risks associated with it, just blindly copying and pasting what the guide says to.
Stop plugging your fan directly into the GPIO 5v
https://www.electronics-tutorials.ws/power/transient-suppression.html

wh7qq
Posts: 1124
Joined: Thu Oct 09, 2014 2:50 am

Re: Is it Time to force Raspbian password change on initial login

Tue Oct 16, 2018 2:50 am

Imperf3kt wrote:
Mon Oct 15, 2018 7:57 pm
Since you claim a password is a bubble wrapped cocoon, then I presume you don't use one? Otherwise I find your complaints extremely hypocritical and offensive.
My post was never a "complaint". It is a statement of philosophical and technical position regarding mandated usage requirements in response to a suggestion of increased required security measures. Earlier in the thread, in response to the OP, I mentioned that all my RPis and anything else of my online devices have new passwords. "All my RPis , x86 boxes, routers and the like, connect to the net and all have changed passwords..." Later on I add, "Running anything online without proper authentication is like running and playing with a loaded ".45" on the I405 but so is using Facebook." which he ignored. Both types of activity have well documented risks and hazards.


Somehow that was transmogrified to "Since you claim a password is a bubble wrapped cocoon, then I presume you don't use one? Otherwise I find your complaints extremely hypocritical and offensive." If a poster is going to launch a personal and insult laden attack on another poster for a position, it behoves one to actually read the posts in question even if a logical response escapes you at the time. Furthermore, presumptions are much like assumptions: not necessarily based on reality with sometimes embarrassing results.

Imperf3kt
Posts: 1376
Joined: Tue Jun 20, 2017 12:16 am
Location: Australia

Re: Is it Time to force Raspbian password change on initial login

Tue Oct 16, 2018 6:45 am

Yes, sorry, I must apologize.
I didn't read all of your posts, I stopped after reading about the cocoon. It angered me, it seemed as if you were insulting everyone who uses a password.
Stop plugging your fan directly into the GPIO 5v
https://www.electronics-tutorials.ws/power/transient-suppression.html

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 20712
Joined: Sat Jul 30, 2011 7:41 pm

Re: Is it Time to force Raspbian password change on initial login

Tue Oct 16, 2018 7:33 am

Enough I think. I'll have a chat in the office to see what people think on this subject.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Please direct all questions to the forum, I do not do support via PM.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 20712
Joined: Sat Jul 30, 2011 7:41 pm

Re: Is it Time to force Raspbian password change on initial login

Tue Oct 16, 2018 1:42 pm

So, had a chat.

Consensus is that we are generally happy with the middle of the road approach we have right now whereby running raspi-config prompts you to enter a new password. This gives us a happy medium between security and the needs of the classroom, where you don't want to be spending half the lesson sorting out all the random passwords pupils have been entering.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Please direct all questions to the forum, I do not do support via PM.
