Is it Time to force Raspbian password change on initial login

[pageauc]

I think it is about time to force changing the default Raspbian login password on initial setup. Currently there is just a warning message. This would ensure better security.

What are your thoughts.

[wh7qq]

While changing the default password is an excellent idea for all internet-connected devices (not just RPis), many RPis will never be connected to the internet and are not a security problem. To require such a change on installation would probably create a lot of problems of folks who buy just one RPi and just one uSD card and haven't a clue of what to do when they can't use the RPi because of password problems. If you restrict your proposed blanket requirement to activating the NICs, then it might be a good idea. The RPi was created as a learning tool. That should not be made more difficult to achieve.

[DougieLawson]

I think it is about time to force changing the default Raspbian login password on initial setup. Currently there is just a warning message. This would ensure better security.

What are your thoughts.

They should ditch the pi userid and raspberry password. Get Raspbian to do an "out of the box" process that asks for your prefered userid and demands you set a non-trivial password. The OOB program can set-up that user as "admin" (in the wheel group) and give it sudo access.

The current design was probably OK five years ago. The "your password is still set to 'raspberry'" piece is an ugly hack. The time to change is with Buster.

[n67]

Dougie is certainly right in theory, but I think a lot of the ecosystem that has built up in and around Raspbian depends on (i.e., assumes that) the user name being 'pi'. I know many people do delete the 'pi' account and put in their own username, sometimes successfully, oftentimes not so.

My own view is that there shouldn't be a password for 'pi' at all. Since the default and most common usage pattern for Raspbian is to boot directly into the desktop, there's no need for a password.

If/when the user sets up ssh - or wants to login in via a virtual console (/dev/tty[1-6]), they can set a password then.

[Imperf3kt]

The last time I did a fresh install (about a month ago) I was forced to set a new password before I could configure network settings. In fact, I was forced to do a few set-up things before the Pi rebooted.

What you want has already been implemented.

While changing the default password is an excellent idea for all internet-connected devices (not just RPis), many RPis will never be connected to the internet and are not a security problem. To require such a change on installation would probably create a lot of problems of folks who buy just one RPi and just one uSD card and haven't a clue of what to do when they can't use the RPi because of password problems. If you restrict your proposed blanket requirement to activating the NICs, then it might be a good idea. The RPi was created as a learning tool. That should not be made more difficult to achieve.

This is very bad logic.
"The Pi is a learning tool"
"Don't force people to learn basic security practices"

If anything it should be made harder, so people have to learn the basics, not take them for granted.

[MrEngman]

Setting up a new SD card yesterday with the latest Rasbian image, 2018-10-09-raspbian-stretch, and just got the message to replace the default raspberry password as normal.

No sign of being forced to set a new password.

[pageauc]

Yes I believe it is time to enforce good security standards and practices to protect users from themselves. Two factor authentication option could also be included. After seeing the state of routers and various other devices it is time to review current situation.

Also part of the learning process should be to educate users as to security risks. RPI's are not always sitting on a local secure home network. They can also be used in JAMS, non home projects, schools, public events and such.

[epoch1970]

This would ensure better security.

I don't think so. People tend to reuse the same pass (and ID) for everything.
The current warning protects RPF, actually.

Forcing users to select login and password wouldn't achieve more but it would make headless install more challenging.
I like 2FA, usability can be much better.

[pageauc]

Possible Scenario

It is about protecting the SD card. If a user leaves the default login/password and transports RPI to a public event it would be easy to pop the SD card out of an unattended RPI and pop in a temporary replacement. Compromise the original SD and replace or remotely update users project(s) so user would be unaware of change. When the RPI is on the home network it could pretty much own the local network/devices. Any discovered Personal data could then be sent anywhere in the world.

I am sure there are other easier scenarios including remote attacks.

[hippy]

What are your thoughts.

My thoughts are "I don't need security". I'd be perfectly happy with auto-login, no username, no password, and no need to type "sudo" for anything, on all my Pi.

Of course; for people who need security it's a different story.

[wh7qq]

I see a lot of "Nanny State", "protect the idiots from themselves" thinking here. All my RPis , x86 boxes, routers and the like, connect to the net and all have changed passwords but for the user that uses her RPi to run a totally autonomous vehicle around on the floor or flash a few LEDs on and off, where is the need? I brush and floss twice daily, get vaccinations and don't indulge in unprotected sex either but it isn't for everybody.

What I really don't like, and one of the many reasons I use Linux is not having someone "who knows better" telling me what I must do, like upgrading on their schedule or replacing my hardware on their schedule. I don't like the Gov. telling me what I can or can't ingest (usually based on their ability to tax), read, see or participate in. Clean up your own house and protect yourself from the careless or malicious as best you can...that's a survival skill for life. Much like not swinging your arms too close to the next guy's nose...also a survival skill.

[Paeryn]

Possible Scenario

It is about protecting the SD card. If a user leaves the default login/password and transports RPI to a public event it would be easy to pop the SD card out of an unattended RPI and pop in a temporary replacement. Compromise the original SD and replace or remotely update users project(s) so user would be unaware of change. When the RPI is on the home network it could pretty much own the local network/devices. Any discovered Personal data could then be sent anywhere in the world.

I am sure there are other easier scenarios including remote attacks.

Not a very good scenario as the user password is totally ineffective in this case regardless of what it is set to.

If somebody swipes the SD card, as soon as they put it into a card reader on their own PC / RPi they will have root access to it. It doesn't matter what password the user had set because it's not needed for root to make any changes (nor would anything check, the user ids the files belong to would be mapped to the users on the host).

[Heater]

wh7qq,

I don't like the Gov. telling me...

So you won't like the news that it will be illegal to sell Raspberry Pi in California after 2020 unless every one comes with a unique username and password and “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,”

https://techcrunch.com/2018/10/05/calif ... ccounter=1

Now I guess selling plain Pi boards with no OS cannot be subject to this law, after all it's just a "brick" without and OS. But selling complete working kits might be an issue.

[bensimmo]

Leave it as is, anything else hinders anything in schools or general groups of educator setups.
The number of children that forget things and even teachers after a few weeks away, when they are only slightly complicated passwords, is too much.

It is perfectly fine, if a person is told they may wish to change the password to aid security and they choose not to, then so be it. Thier choice. Perhaps some RPF Education projects on security would be an idea. (I've not specifically seen any beyond the RPT made one, which are not quite the same as the RPF style)
and then a link to it from the desktop, advice to change prompt.

If it was enforced, then a way/instruction to reset it from a PC/Tablet would be needed.

As a side, leaving it unchanged inside your own network and thinking it is safe is a poor assumption.
You then have to assume your PC, smart TV, old Android phone, IoT toaster and WiFi light bulbs are secure. If one of them has a breach, they can then attack internally and if prgrammed to seak out a Pi they can login to your Pi and gain the power of it.
That is a very specific target though.

[DougieLawson]

Leave it as is, anything else hinders anything in schools or general groups of educator setups.
The number of children that forget things and even teachers after a few weeks away, when they are only slightly complicated passwords, is too much.

Oh don't we love the head in the sand option.

Revert it to the standard DebIan way, then give folks an optional package to change it back to the pile of insecure junk we've got now (for schools who can rely on their machines never appearing on the public internet as a server).

[epoch1970]

Now I guess selling plain Pi boards with no OS cannot be subject to this law, after all it's just a "brick" without and OS. But selling complete working kits might be an issue.

The link in the link: https://leginfo.legislature.ca.gov/face ... 20180SB327
IANAL, but reading TITLE 1.81.26., Security of Connected Devices, art. 1798.91.04, subsection (b) I understand the law applies to devices "equipped with a means for authentication outside a local area network".
Which is not the case for a "non-cloud" device like Pi or OS like Raspbian.
In any circumstance, I think art. 1798.91.06. puts RPF and 1/3 parties out of the scope of that law.

If a future Pi is a cloud-enabled device (or RPF releases a cloud OS), I think that law would fully apply. But I have no doubt RPF would design a proper registration/provisioning mechanism then.

[hippy]

So you won't like the news that it will be illegal to sell Raspberry Pi in California after 2020 unless every one comes with a unique username and password and “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,”

My emphasis there. Reading the legislation; that 'and' is actually an 'or' -

https://leginfo.legislature.ca.gov/face ... SB32791CHP

A username and/or password unique to each device could be achieved by using the serial number of the device, for either or both.

The intent of the legislation is that no device should be open for access unless it has a unique username and/or password by default or the user has set either themselves.

For the Pi that would mean it could not default to the "pi" / "raspberry" pair or, if it did, it must not enable networking or bluetooth until that was altered or the user explicitly accepted the risks of using those.

The most obvious and practical option would be to keep "pi" as the default username and make the default password the serial number. Then ask the user if they want to keep things as they are or (1) change the default "pi" username, and/or, (2) keep the default serial number password, use a randomly generated password, or enter their own.

Doing all that should be trivial. It would however require a change to the production lines around the world so each Pi serial number is actually unique rather than randomly generated. That shouldn't be too hard either.

[tpyo kingg]

I'd say it is very much time to require Raspbian to change the password on the default account upon initial login. One reason I see for that is part of learning to adminsiter a system is learning to take care of basic security, a wide range of activities which includes managing passwords. Whatever the choice, be sure to provide at least a hint as to why and maybe a link to a more thorough discussion to explain why. With so many excellent, detailed guides it becomes all too easy and conventient to blindy follow along and end up cargo culting instead of understanding what is going on and why.

It might be even better to eliminate the default account altogether and make it closer to the regular Debian installation process where a default user is chosen during setup. However, that would be more difficult to set up in a generic image like is used now, not to mention the havock it would wreak with the many tutorials and guides.

[n67]

It might be even better to eliminate the default account altogether and make it closer to the regular Debian installation process where a default user is chosen during setup. However, that would be more difficult to set up in a generic image like is used now, not to mention the havock it would wreak with the many tutorials and guides.

To re-iterate once again:

There is a need for a default username (pi). Yes, I know that this is not the Debian way - or, for that matter, the Linux way or even the Unix way - but it is the Pi Way.

But there is no reason - zip, zero, nada - to have a default password. That's the part that should be eliminated.

Again, since the default and most common use case for Raspbian is to boot directly into the desktop with no password prompting (and, no, this does not depend on the "system" knowing what the password is), there simply is no need for a password on shipment.

Note: I suppose this does mean that if you install Raspbian Lite - where you will need to login on a virtual console - then there will need to be a mechanism to set a password there. That's easily dealt with - and is a minority case in any event. The easiest thing would just be to have it autologin on tty1 - as is frequently the case already with Raspbian distros.

[bensimmo]

Leave it as is, anything else hinders anything in schools or general groups of educator setups.
The number of children that forget things and even teachers after a few weeks away, when they are only slightly complicated passwords, is too much.

Oh don't we love the head in the sand option.

Revert it to the standard DebIan way, then give folks an optional package to change it back to the pile of insecure junk we've got now (for schools who can rely on their machines never appearing on the public internet as a server).

Not head in the sand
Let people take responsibility for changing the password one told they can and should.
Leave it easy for everyone else.

[hippy]

Again, since the default and most common use case for Raspbian is to boot directly into the desktop with no password prompting ... there simply is no need for a password on shipment.

Many would disagree with that and it won't be the case if California passes its proposed law or anyone introduces the same or similar if the Pi is to be sold in those places.

[n67]

Again, since the default and most common use case for Raspbian is to boot directly into the desktop with no password prompting ... there simply is no need for a password on shipment.

Many would disagree with that and it won't be the case if California passes its proposed law or anyone introduces the same or similar if the Pi is to be sold in those places.

What part do you disagree with?

Oh, and, BTW, I just realized that there may be confusion here as to what I mean when I say "no password".

To many users, "no password" means "I can login just by hitting Enter when it prompts for password".

But I think technical users understand that what is meant is that there is no password - meaning you can type anything you like at the password prompt and it won't let you in. In the same sense that there is no password for the root account (by default - i.e., "as shipped").

[hippy]

What part do you disagree with?

The part where you said "there simply is no need for a password on shipment".

Though it appears you may not have meant what I thought you meant by "no password". To me that meant the complete absence of a password, that one doesn't need to provide a password to gain access.

But I think technical users understand that what is meant...

I guess I'm not a technical user.

[Milliways]

Leave it as is, anything else hinders anything in schools or general groups of educator setups.
The number of children that forget things and even teachers after a few weeks away, when they are only slightly complicated passwords, is too much.

Oh don't we love the head in the sand option.

Revert it to the standard DebIan way, then give folks an optional package to change it back to the pile of insecure junk we've got now (for schools who can rely on their machines never appearing on the public internet as a server).

There are a number of interesting views on security expressed. As always it depends on the circumstances.

The Raspberry Pi is a totally different animal to a conventional computer - principally due to the ease with which the OS (on SD Card or otherwise) can be removed/replaced, so the security considerations are different.

The first thing I do on any new installation (which is infrequent) is to change the password. (This is now required to access ssh.)

On Raspbian I keep user pi (adding others as needed). While it is not difficult to create a new user with the same capabilities as pi, this is far from obvious for a beginner. Maybe a script to create a user with full/restricted privileges would be a good idea.

One other thing I routinely do (which many would regard as a security breach) is install a standard set of ssh keys.
I have about 6 Pi and over a dozen SD Cards with different OS. It is only possible to interchange these if the Pi share keys - otherwise other platforms either object or refuse to connect. This is not a circumstance shared by most conventional computing platforms.

[wh7qq]

wh7qq,

I don't like the Gov. telling me...

So you won't like the news that it will be illegal to sell Raspberry Pi in California after 2020 unless every one comes with a unique username and password and “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,”

One of many reasons why I no longer live in Kalifornica. Like cancer warnings on roasted coffee and other pathetic jokes. Even motherboards come with Prop 65 warnings. Don't know about you but I don't suck on my mobo (ouch!) or even try to smoke it. How can they possibly allow automobiles to be sold in that state?

Running anything online without proper authentication is like running and playing with a loaded ".45" on the I405 but so is using Facebook. Still, there are lots of reasons for using an RPi that don't require net connection. I suppose the great minds in Kalifornica are most concerned about the proliferation of net connected "smart" things like refrigerators, TVs, toasters, toilets and heaven knows what else those fertile minds will conjur. Still, when folks use passwords like "12345678" and "abcdefgh", "What does it matter?" Forcing passwords ls buying into a never ending chain of tail chasing...next will require "good" passwords and so on ad nauseum. It will never end.