Raspberry Pi OS no longer has a default user to increase security

This week, Raspberry Pi OS Bullseye got an update. It would be just another update if it weren’t for one detail: the new release removes the default user “pi” from the operating system. The reason? Simply to decrease the chances of a Raspberry Pi being hacked.

This is not a change that greatly increases the system’s protections, but when it comes to digital security, every precaution counts. So yes, there is a sound reason for this decision.

Raspberry Pi’s goal (as an organization) is to make its devices accessible to both power users and laymen. To make system configuration easier for the latter audience, Raspberry Pi OS has offered a default user conveniently called “pi”.

It may not look like it, but this can be a problem. If a large number of users access their Raspberry Pi with accounts named “pi”, malware or a mass attack can be built to try to get into them by brute force (a large number of attempts) to discover the respective password. The username, the other piece of information needed, is already known.

The logic here is similar to the guideline to change a router’s default username and password, a strategy that lowers the chances of the device being compromised to capture user data, set malicious DNS addresses, and so on.
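To see the password guessing described above from the defender's side, the following added example (not part of the original article) tallies failed SSH password attempts against the default username in sshd log lines. The sample lines are constructed in the standard OpenSSH log format, and the function names and the threshold of 3 are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the OpenSSH sshd log format (not real traffic).
SAMPLE_LOG = """\
Apr  8 10:00:01 raspberrypi sshd[811]: Failed password for pi from 203.0.113.7 port 40122 ssh2
Apr  8 10:00:03 raspberrypi sshd[811]: Failed password for pi from 203.0.113.7 port 40122 ssh2
Apr  8 10:00:05 raspberrypi sshd[815]: Failed password for pi from 203.0.113.7 port 40130 ssh2
Apr  8 10:00:09 raspberrypi sshd[820]: Failed password for invalid user admin from 203.0.113.7 port 40144 ssh2
Apr  8 10:02:11 raspberrypi sshd[902]: Failed password for pi from 198.51.100.23 port 51800 ssh2
Apr  8 10:05:40 raspberrypi sshd[950]: Accepted password for alice from 192.0.2.10 port 52044 ssh2
"""

# sshd writes "invalid user NAME" when the guessed account does not exist.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failed_logins(log_text):
    """Yield (user, ip, account_exists) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m["user"], m["ip"], m["invalid"] is None

def default_user_report(log_text, default_user="pi", threshold=3):
    """Summarise password guessing aimed at the default account name."""
    attempts = Counter()
    account_live = False
    for user, ip, exists in failed_logins(log_text):
        if user == default_user:
            attempts[ip] += 1
            # True means the account exists, so a correct guess would log in.
            account_live = account_live or exists
    flagged = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return {"attempts": dict(attempts), "flagged": flagged,
            "account_live": account_live}

if __name__ == "__main__":
    print(default_user_report(SAMPLE_LOG))
```

On a system without a “pi” account, the same guesses are logged as `invalid user pi`, so `account_live` stays false and no password guess against that name can succeed.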
