Sheepdog wrote:
Mon Aug 06, 2018 12:00 am
New to Pi and Linux generally... old to computers.
4 Aug 2018 I put Raspbian 9 (Stretch) on a Pi 3 B (ver 1.2), and did apt update, apt upgrade.
In the GUI, I can change "the" password... without having to authenticate myself with the OLD password. Seems a bit of "back-door" for bad guys! (At no stage in hours of work at the GUI have I been asked for my password... not even when booting in from a no-power state.)
In the CLI, when I use passwd, the "old password" that works there is whatever I've made the password with the GUI, or by previous use of CLI.... I do HAVE a password... on some things, anyway... and know how to change it. But changing it with passwd in the CLI is the only time I have to GIVE the password to do anything!
By default Raspbian auto boots to the pi user. You can change that behavior to require password on boot by using the GUI config tool or sudo raspi-config. Do that if you don't trust who might have physical access to your RPi.
From CLI, using sudo passwd pi will allow password change without entering the old password.
By default the root password is not set but can be set using sudo passwd.
However there is no point as long as sudo is unlocked.
IMO changing the password is all that is needed for most users running behind a router.
If running a server of some sort with open ports then use more extreme measures like deleting user pi, locking down sudo, etc.
Unless specified otherwise my response is based on the latest and fully updated Raspbian Stretch w/ Desktop OS.
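
Added example (not part of either post above): a small shell audit of the three defaults this thread discusses, namely passwordless sudo, desktop autologin, and whether an account has a usable password. The function names are illustrative, and the file paths in the `--audit` branch are assumptions about a stock Raspbian Stretch desktop install.

```shell
#!/bin/sh
# Audit helpers for the defaults discussed in this thread.
# Each function takes the file to inspect, so it can be run on a copy.

# Print active sudoers lines that grant NOPASSWD ("sudo is unlocked").
# Commented-out lines are ignored.
nopasswd_rules() {
    grep -hE '^[^#]*NOPASSWD' "$@" 2>/dev/null
}

# Print the desktop autologin user from a lightdm.conf, if one is set.
# Commented-out settings and autologin-user-timeout are ignored.
autologin_user() {
    sed -n 's/^[[:space:]]*autologin-user[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Classify an account in a shadow-format file ($1) for user ($2):
#   empty  = no password needed to log in
#   locked = hash field starts with ! or *, password login disabled
#   set    = a password hash is present
password_state() {
    awk -F: -v u="$2" '$1 == u {
        if ($2 == "") print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else print "set"
    }' "$1"
}

# Run against the live system with: sudo sh thisfile.sh --audit
# (paths below are assumed defaults; /etc/shadow needs root to read)
if [ "${1:-}" = "--audit" ]; then
    echo "Active NOPASSWD rules:"
    nopasswd_rules /etc/sudoers /etc/sudoers.d/* || echo "  none"
    echo "Desktop autologin user: $(autologin_user /etc/lightdm/lightdm.conf)"
    for u in root pi; do
        echo "Password for $u: $(password_state /etc/shadow "$u")"
    done
fi
```

A "locked" result for root together with an active NOPASSWD rule for pi matches the situation described in the reply: the root password is unset, but anyone who is logged in as pi can still become root through sudo.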