The latest Raspberry Pi OS release no longer creates a default “pi” account, requiring users to set up custom accounts instead. This “pi” user, used to perform brute-force attack.
The new law enforcement in few countries forbidding the use of default accounts users will be required to create an account when booting a newly-flashed Raspberry Pi OS image.
The new security change means that users will have to use the wizard to configure settings, install software updates, and create a new user account to log into the desktop. Earlier the wizard is optional.
The wizard is largely unchanged from before, but it now requires users to set up a username and a password, instead of just asking for a new password. It also allows users to create a “pi” account if they need it, but it will warn that doing so is unwise.
The Raspberry Pi OS Lite image doesn’t have the wizard, but it will still require the creation of a new user account. For those who run Raspberry Pi headless, images with a user account can be preconfigured in the Raspberry Pi Imager tool.
The latest Raspberry Pi OS update also allows users with existing installations to rename the “pi” account, by typing a rename command in the terminal window. This will trigger a device reboot “into a cut-down version of the first-boot wizard,” allowing for users to change their usernames and passwords.
Most Raspberry Pi software should handle the home directory rename without issues, some code with a hardcoded path to the /home/pi directory may require further changes to work correctly.