Managing access to your Raspberry Pi begins with understanding how username and password authentication works. Every installation of Raspberry Pi OS creates a default user account, typically named "pi", which serves as the standard entry point for initial configuration. This account, while convenient out of the box, represents one of the most common attack vectors if left unchanged, making credential management a critical security practice for any deployment.
Default Credentials and Initial Setup
The first time you boot a new Raspberry Pi, the setup process prompts you to configure the primary user credentials. The default username is "pi" and the initial password is set during the first boot sequence. It is essential to treat these default details as temporary, as they are widely known and frequently targeted by automated bots scanning the internet for vulnerable devices.
Creating Secure User Accounts
For daily operations, it is recommended to create a separate standard user account with limited privileges. You can add a new user with the command sudo adduser [username], which initiates an interactive prompt for setting a strong password. This approach ensures that even if a script or application requires daily interaction, it does not necessitate using the administrative root or "pi" account, thereby adhering to the principle of least privilege.
Managing Password Policies
To maintain robust security, you should enforce complex passwords that include a mix of uppercase letters, numbers, and special characters. Utilizing the chage command allows you to set expiration dates for passwords, compelling regular updates. Additionally, installing packages like libpam-cracklib or libpam-passwdqc enables system-level enforcement of password strength, blocking weak or dictionary-based credentials from being set.
SSH Access and Key-Based Authentication
Secure Shell (SSH) is the primary method for remote access, but relying solely on username and password logins via SSH is discouraged. Generating an SSH key pair using ssh-keygen and placing the public key into ~/.ssh/authorized_keys provides a more secure alternative. This method combines cryptographic authentication with the disabling of password authentication, effectively mitigating brute-force attacks targeting your Raspberry Pi.
Configuring the SSH Service
After generating your keys, you must adjust the SSH daemon configuration to disable password authentication. Editing the /etc/ssh/sshd_config file (the daemon's configuration; /etc/ssh/ssh_config is the client-side file) and setting PasswordAuthentication no ensures that the system will only accept connections presenting a valid private key. This change significantly reduces the attack surface by eliminating the possibility of guessing passwords over the network.
Sudo Privileges and Permission Management
The "pi" user is typically configured with sudo privileges, allowing it to execute commands with administrative rights. When managing username and password configurations, it is vital to audit sudo permissions using visudo. Restricting sudo access to specific commands prevents accidental changes or malicious activity that could compromise the entire system integrity.
Conclusion and Best Practices
Securing your Raspberry Pi requires a proactive approach to credential management that evolves beyond the default setup. Disabling the "pi" account entirely, or at minimum ensuring it has a strong, unique password, is a non-negotiable step. Combining regular password rotation, SSH key authentication, and strict sudo rules creates a layered defense that protects your device from unauthorized access.