I think it is about time to force changing the default Raspbian login password on initial setup. Currently there is just a warning message. This would ensure better security.
What are your thoughts?
They should ditch the pi userid and raspberry password. Get Raspbian to do an "out of the box" process that asks for your preferred userid and demands you set a non-trivial password. The OOB program can set-up that user as "admin" (in the wheel group) and give it sudo access.
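The "out of the box" process described in that post, as an added example sketched here for illustration (it is not code from the thread or from Raspbian itself): a first-boot script that asks for a user name, refuses trivial passwords, creates the account as an admin, and retires the shipped default account. The default user name `pi`, the admin group `sudo` (Raspbian's equivalent of the `wheel` group mentioned above), the password rules and the `/etc/sudoers.d/010_pi-nopasswd` clean-up are assumptions; the system-changing part only runs when invoked as root with `--apply`, so the policy checks can be exercised on their own.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Raspbian project.
# Assumed names: DEFAULT_USER and ADMIN_GROUP below; the password policy is
# an assumption chosen to reject the "raspberry"-class defaults the thread
# discusses.

DEFAULT_USER="pi"      # shipped default account to lock after setup (assumed)
ADMIN_GROUP="sudo"     # Raspbian's admin group; "wheel" is the BSD/RHEL name (assumed)

# check_username: lower-case, starts with a letter, 2-32 chars, and neither
# the retired default account nor root. Returns 0 when acceptable.
check_username() {
  name="$1"
  case "$name" in
    "$DEFAULT_USER"|root) return 1 ;;
  esac
  printf '%s' "$name" | grep -Eq '^[a-z][a-z0-9_-]{1,31}$'
}

# check_password: at least 12 characters, not a well-known default, not the
# user name, and containing both letters and digits. Returns 0 when acceptable.
check_password() {
  pw="$1"
  user="$2"
  [ "${#pw}" -ge 12 ] || return 1
  [ "$pw" != "$user" ] || return 1
  case "$pw" in
    raspberry|password|123456*|"$DEFAULT_USER") return 1 ;;
  esac
  printf '%s' "$pw" | grep -q '[0-9]' || return 1
  printf '%s' "$pw" | grep -q '[A-Za-z]' || return 1
  return 0
}

# create_admin_user: requires root. Creates the new account in the admin
# group, sets its password, then locks the default account instead of
# deleting it so existing guides that reference its home directory still work.
create_admin_user() {
  user="$1"
  pw="$2"
  useradd -m -s /bin/bash -G "$ADMIN_GROUP" "$user" || return 1
  printf '%s:%s\n' "$user" "$pw" | chpasswd || return 1
  if id "$DEFAULT_USER" >/dev/null 2>&1; then
    usermod -L "$DEFAULT_USER" || return 1
    usermod -s /usr/sbin/nologin "$DEFAULT_USER" || return 1
    # Drop passwordless sudo for the default account if the image shipped it
    # (file name assumed; harmless when absent).
    rm -f /etc/sudoers.d/010_pi-nopasswd
  fi
}

# first_boot_setup: interactive front end that loops until both checks pass.
first_boot_setup() {
  printf 'New admin user name: '
  read -r user
  check_username "$user" || { echo "invalid user name" >&2; return 1; }
  printf 'Password (12+ chars, letters and digits): '
  stty -echo 2>/dev/null
  read -r pw
  stty echo 2>/dev/null
  echo
  check_password "$pw" "$user" || { echo "password too weak" >&2; return 1; }
  create_admin_user "$user" "$pw"
}

# Only modify the system when explicitly asked; otherwise the file just
# defines the checks above.
if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  first_boot_setup
fi
```

Run as `sudo sh first-boot.sh --apply` from a first-boot hook; locking rather than deleting the default account keeps the change reversible while still satisfying the "generate a new means of authentication before first access" requirement discussed later in the thread.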
wh7qq wrote: ↑Sat Oct 13, 2018 7:39 pm
> While changing the default password is an excellent idea for all internet-connected devices (not just RPis), many RPis will never be connected to the internet and are not a security problem. To require such a change on installation would probably create a lot of problems of folks who buy just one RPi and just one uSD card and haven't a clue of what to do when they can't use the RPi because of password problems. If you restrict your proposed blanket requirement to activating the NICs, then it might be a good idea. The RPi was created as a learning tool. That should not be made more difficult to achieve.

This is very bad logic.
I don't think so. People tend to reuse the same pass (and ID) for everything.
pageauc wrote: ↑Sat Oct 13, 2018 9:20 pm
> Possible Scenario
> It is about protecting the SD card. If a user leaves the default login/password and transports RPI to a public event it would be easy to pop the SD card out of an unattended RPI and pop in a temporary replacement. Compromise the original SD and replace or remotely update user's project(s) so user would be unaware of change. When the RPI is on the home network it could pretty much own the local network/devices. Any discovered personal data could then be sent anywhere in the world.
> I am sure there are other easier scenarios including remote attacks.

Not a very good scenario as the user password is totally ineffective in this case regardless of what it is set to.
> I don't like the Gov. telling me...

So you won't like the news that it will be illegal to sell Raspberry Pi in California after 2020 unless every one comes with a unique username and password and “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,”
Oh don't we love the head in the sand option.
The link in the link: https://leginfo.legislature.ca.gov/face ... 20180SB327
Heater wrote: ↑Sun Oct 14, 2018 8:53 am
> So you won't like the news that it will be illegal to sell Raspberry Pi in California after 2020 unless every one comes with a unique username and password and “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,”

My emphasis there. Reading the legislation; that 'and' is actually an 'or' -
To re-iterate once again:
> It might be even better to eliminate the default account altogether and make it closer to the regular Debian installation process where a default user is chosen during setup. However, that would be more difficult to set up in a generic image like is used now, not to mention the havoc it would wreak with the many tutorials and guides.
DougieLawson wrote: ↑Sun Oct 14, 2018 9:08 am
> Oh don't we love the head in the sand option.
> Revert it to the standard Debian way, then give folks an optional package to change it back to the pile of insecure junk we've got now (for schools who can rely on their machines never appearing on the public internet as a server).

Not head in the sand
Many would disagree with that and it won't be the case if California passes its proposed law or anyone introduces the same or similar if the Pi is to be sold in those places.
What part do you disagree with?
The part where you said "there simply is no need for a password on shipment".
I guess I'm not a technical user.
DougieLawson wrote: ↑Sun Oct 14, 2018 9:08 am
> Oh don't we love the head in the sand option.
> Revert it to the standard Debian way, then give folks an optional package to change it back to the pile of insecure junk we've got now (for schools who can rely on their machines never appearing on the public internet as a server).

There are a number of interesting views on security expressed. As always it depends on the circumstances.
Heater wrote: ↑Sun Oct 14, 2018 8:53 am
> > I don't like the Gov. telling me...
> wh7qq, So you won't like the news that it will be illegal to sell Raspberry Pi in California after 2020 unless every one comes with a unique username and password and “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,”

One of many reasons why I no longer live in Kalifornica. Like cancer warnings on roasted coffee and other pathetic jokes. Even motherboards come with Prop 65 warnings. Don't know about you but I don't suck on my mobo (ouch!) or even try to smoke it. How can they possibly allow automobiles to be sold in that state?