Third party cookies may be stored when visiting this site. Please see the cookie information.

Penguin Fortress YouTube Channel

Do default usernames make it easy for hackers?

This is a transcript for a video linked here: understanding usernames and how attackers may use them to attack your system.

Video transcript - Raspberry Pi default username

00:00:00.640 --> 00:00:07.360

raspberry pi has removed the default pi username

this has been added as a new security feature

00:00:08.080 --> 00:00:16.000

but it also has the risk of breaking numerous

programs and tutorials is it worth the change

00:00:16.000 --> 00:00:22.160

before i explain the pros and cons i'll just say

that i've had a raspberry pi which is configured

00:00:22.160 --> 00:00:27.600

as a server and is directly connected to the

internet on that computer i already changed

00:00:27.600 --> 00:00:33.440

the username and that was several years ago in

that case the existing pi username is still there

00:00:33.440 --> 00:00:40.640

but it's been disabled while security was a

consideration it was really more about consistency

00:00:40.640 --> 00:00:46.000

i've implemented other steps to secure the server

beyond the normal username password combination

00:00:47.200 --> 00:00:54.880

a bit of a background the default username for

the raspberry pi has always been pi not only that

00:00:55.440 --> 00:01:01.360

but the default password is raspberry in the past

that meant if you had your raspberry pi connected

00:01:01.360 --> 00:01:06.400

to the internet during setup you could end up in

a position where someone could log in remotely to

00:01:06.400 --> 00:01:13.440

the computer using the default credentials there

was not much incentive to change your password

00:01:14.240 --> 00:01:20.720

and that was a very big risk fortunately that was

fixed some time ago by having it prompt to change

00:01:20.720 --> 00:01:26.400

the password during first run that was a big

change and a significant improvement in security

00:01:27.760 --> 00:01:31.200

the change this time is not

as significant in terms of the

00:01:31.200 --> 00:01:36.240

additional security provides but it will have

a significant change to how some programs work

00:01:36.880 --> 00:01:44.560

and some tutorials so how big a risk is having

a default username is the password secure enough

00:01:45.680 --> 00:01:51.520

as with many things in security it depends

it depends how exposed your raspberry pi is

00:01:52.320 --> 00:01:56.960

it depends what kind of attack is likely to

happen and it depends how good your password is

00:01:58.320 --> 00:02:03.280

this is going to get a bit technical now if you

just want to get the implications for software or

00:02:03.280 --> 00:02:08.800

want to see how to configure a new username during

install you can skip this chapter and move to the

00:02:08.800 --> 00:02:14.400

practical applications still here we can now

look at some of the risks of the password-based

00:02:14.400 --> 00:02:19.520

authentication i'm going to consider a few

examples and for this i'm going to assume

00:02:20.240 --> 00:02:27.680

that network login attempts across an untrusted

network like the internet let's assume you have

00:02:27.680 --> 00:02:32.320

a raspberry pi connected to the internet

which allows ssh logins from the internet

00:02:33.520 --> 00:02:38.080

i'm assuming a script-based attack by a user

that doesn't know much about the computer

00:02:38.080 --> 00:02:39.680

or the user they're targeting

00:02:42.800 --> 00:02:49.840

so we'll take the first risk which is the

worst case scenario you have a username

00:02:50.480 --> 00:02:58.400

of pi and you've left your password as raspberry

this is clearly just asking for trouble

00:02:59.120 --> 00:03:03.440

it is trivial for an attacker to take a

list of well-known username and passwords

00:03:03.440 --> 00:03:09.200

and just try them against the machine if someone

knows it's a raspberry pi they are attacking and

00:03:09.200 --> 00:03:15.280

you have network services open that allow logins

then it's likely their first guess and they can

00:03:15.280 --> 00:03:21.520

immediately get on your machine we're going to

take the next step what i call a stupid password

00:03:22.880 --> 00:03:26.880

and so we're no longer using the default

password but it's a well-known password

00:03:27.680 --> 00:03:32.320

again this is going to be quite easy and

this is why i called it stupid passwords

00:03:33.360 --> 00:03:40.080

so here's one of the common passwords one

two three four five six and as we just go

00:03:40.080 --> 00:03:46.560

through some of the more common ones things like

qwerty is a combination of the keyboard password

00:03:47.680 --> 00:03:55.040

more number based ones things like password123

qwerty123 for instance all these if you're using

00:03:55.040 --> 00:04:03.760

one of these passwords then these are easy to

guess and if it's on this list then it's not

00:04:03.760 --> 00:04:10.080

really that much better than how using the default

password assuming you know the username then it

00:04:10.080 --> 00:04:16.800

would be trivial to make 20 or so login attempts

using one of these passwords is very insecure

00:04:17.680 --> 00:04:25.840

the next consideration is if this system has a

password that is not on the popular password list

00:04:27.040 --> 00:04:29.920

but it's based on something that

could be guessed by a computer

00:04:30.960 --> 00:04:34.640

by this i mean simple words that are

susceptible to a dictionary attack

00:04:36.960 --> 00:04:42.800

it's easy enough to get a copy of a dictionary

of words and this is one of the reasons that the

00:04:42.800 --> 00:04:47.040

security policies often insist on including

numbers or sometimes special characters

00:04:48.240 --> 00:04:52.960

this is partly due to the number of additional

permutations required for a brute force attack

00:04:52.960 --> 00:04:59.680

which i'll cover next but it also it can make the

password less susceptible for dictionary attacks

00:05:01.200 --> 00:05:05.120

i only say can because it

really depends upon the user

00:05:05.120 --> 00:05:10.320

if all they do is just add a one to the end of a

word that does not really add much protect extra

00:05:10.320 --> 00:05:15.840

protection and dictionaries also include words

where substitutions are made within the password

00:05:16.640 --> 00:05:23.520

such as swapping a i for a one or an

e with three you can see this in this

00:05:23.520 --> 00:05:29.200

this snapshot from a dictionary called "rock

you" this dictionary has around 14 million words

00:05:30.320 --> 00:05:33.920

it's not something you're likely to get

through by manually trying passwords

00:05:33.920 --> 00:05:40.880

but with some level of automation there's a chance

that somebody can get into your system with enough

00:05:40.880 --> 00:05:48.000

resources the risk of someone being able to get

into the computer is feasible so the next level

00:05:48.000 --> 00:05:53.920

of security and this is what we should really

all be doing is to use a proper complex password

00:05:55.680 --> 00:06:00.160

in an ideal world this would be completely

random combination of lowercase letters

00:06:00.160 --> 00:06:05.440

capital letters digits and special characters

although in reality our human brains would find

00:06:05.440 --> 00:06:10.960

that hard to remember resulting with the password

being written down which is another risk so it may

00:06:10.960 --> 00:06:16.400

be better to combine multiple unrelated words with

occasional digits and perhaps special characters

00:06:17.520 --> 00:06:22.800

in this case an attacker would perhaps

have to look at using a brute force attack

00:06:23.520 --> 00:06:28.640

and this is where an attacker tries every possible

permutation of characters to guess the password

00:06:29.280 --> 00:06:34.240

it doesn't completely prevent a lucky

guess but the number of possibilities

00:06:34.240 --> 00:06:40.320

increases exponentially based on the number of

characters in the password i'm going to simplify

00:06:40.320 --> 00:06:44.560

the conditions here and the calculations but

these give you an idea of whether it's worth

00:06:44.560 --> 00:06:51.120

the effort of a hacker even trying this let's

start by looking at a fairly basic password

00:06:51.120 --> 00:06:58.160

which is exactly six characters long using

only letters 26 letters in english alphabet

00:06:58.160 --> 00:07:02.880

with six independent characters and that

gives around 300 million combinations

00:07:06.000 --> 00:07:08.560

if you add in some capital letters and digits

00:07:09.600 --> 00:07:18.160

that gives 62 possible characters which puts

us into the billions of possible combinations

00:07:20.880 --> 00:07:25.520

you could add some special characters and

increase that slightly but really the thing

00:07:25.520 --> 00:07:30.240

to do to make a password more secure is to

add more characters if you set the minimum

00:07:30.240 --> 00:07:37.280

characters to seven using letters and digits then

the number of permutations is now in the trillions

00:07:39.600 --> 00:07:48.160

and for eight characters that is around

218 trillion possible combinations

00:07:49.840 --> 00:07:52.880

this assumes the password is

exactly eight characters long

00:07:54.400 --> 00:07:59.280

the numbers of possibilities would increase

even further if that's just the minimum

00:07:59.280 --> 00:08:06.240

number of characters when we're looking at attacks

against a complex password we're looking at how

00:08:06.240 --> 00:08:15.360

many attempts can be done and in what period of

time and there's a number of factors on here but

00:08:15.360 --> 00:08:20.320

bear in mind this is a network connection

we're looking at and so there's a number of

00:08:21.520 --> 00:08:27.760

simultaneous login attempts that can be made

this can be determined by the ssh settings

00:08:28.480 --> 00:08:34.960

the processor speed of the raspberry pi the

bandwidth and any additional security features

00:08:34.960 --> 00:08:42.240

that may have been added but in case of a

really complicated password it might take

00:08:42.240 --> 00:08:48.800

years to be able to have enough guesses to have

a reasonable chance of getting that password

00:08:49.520 --> 00:08:56.160

perhaps even thousand years or as you add more

characters it could be much much longer so

00:08:57.200 --> 00:09:04.560

as i say this is only specifically about network

attacks and there's always the possibility of

00:09:04.560 --> 00:09:10.800

a lucky guess but the probability of that

is so low so essentially complex passwords

00:09:12.000 --> 00:09:18.880

are very very difficult to break using

brute force now we'll move on to changing

00:09:18.880 --> 00:09:23.920

the username and have a look at how this is

going to affect these different passwords

00:09:26.640 --> 00:09:30.960

first we're going to skip the default username

and password if you change the username then

00:09:30.960 --> 00:09:34.320

i certainly hope you're going to change

the password from the default as well so

00:09:34.320 --> 00:09:41.120

that's not really that relevant let's look at the

well-known passwords the common password attack

00:09:42.880 --> 00:09:51.440

so if you take the first 20 possible passwords

take the top 20 most common usernames

00:09:52.720 --> 00:09:57.520

that gives you a combination of

around 400 possible combinations

00:09:59.520 --> 00:10:05.520

that's certainly slightly better than

the 20 but with some simple script

00:10:06.080 --> 00:10:14.720

you can potentially crack that within a few hours

so changing the username to a common username

00:10:14.720 --> 00:10:21.200

with your common password is not really going

to add much additional security the one where

00:10:21.200 --> 00:10:27.760

it perhaps adds more security is against the

dictionary tax i assume that you want to avoid

00:10:28.800 --> 00:10:37.360

the top 20 but usernames do tend to follow a

more simpler pattern than passwords so we're

00:10:37.360 --> 00:10:42.800

not going to be looking at the same number

of different usernames as number of passwords

00:10:44.640 --> 00:10:50.240

so if we consider a fairly common username

perhaps something with the top hundred and

00:10:50.240 --> 00:10:59.840

that word could be found in a cracker dictionary

there may be over a billion possible combinations

00:11:00.400 --> 00:11:05.520

and while this may take a while it's feasible

that that particular username and combination

00:11:06.400 --> 00:11:10.960

and password combination may be guessed

well if you add some digits and special

00:11:10.960 --> 00:11:15.920

characters in the password or a more unique

username there's a good chance that this

00:11:15.920 --> 00:11:22.640

could take what otherwise may be a fairly

poor password and make it much more secure

00:11:26.240 --> 00:11:28.800

and then finally looking at the

brute force i've already said

00:11:29.840 --> 00:11:35.200

a brute force attack is unlikely to be successful

it's just not worth putting the resources

00:11:35.200 --> 00:11:38.560

in to try and do a brute force attack over the

00:11:38.560 --> 00:11:47.920

network but adding a different username

makes this even less likely to succeed

00:11:48.560 --> 00:11:57.760

because of the number of possible combinations

so it potentially removes that risk of somebody

00:11:59.040 --> 00:12:07.440

by look getting an early brute force attacker a

lucky guess from a security perspective i'd argue

00:12:07.440 --> 00:12:12.320

that using a good password is more important

than whether it's a default username or not

00:12:13.440 --> 00:12:20.400

however changing the default username does

adds an additional element of security

00:12:20.400 --> 00:12:25.440

and that's always a good thing the thing about

security it's not something you just switch on

00:12:25.440 --> 00:12:31.920

and off it's about taking different measures

just to make it harder for people to break in

00:12:32.880 --> 00:12:40.640

and every one of those that you add is a good

thing this is purely looking at a default system

00:12:42.320 --> 00:12:48.160

there are other ways that you could add security

i plan to come some of those in a future video

00:12:48.960 --> 00:12:52.000

for instance i'm going to look at

ways of securing the login using

00:12:52.000 --> 00:12:58.560

key based authentication and multi-factor

authentication so please consider subscribing

00:12:58.560 --> 00:13:03.360

if you're interested in those but for this

video i'm just concentrating on the passwords

00:13:04.400 --> 00:13:08.160

the fact that changing the username

does add an additional security step

00:13:08.160 --> 00:13:13.600

is a good thing but it does have about a

downside which i'm going to look at next

00:13:16.480 --> 00:13:25.360

and the downside is that software and tutorials

have been written with the expectation that

00:13:26.240 --> 00:13:32.240

there will be a user called pi and that's where

potentially the software is going to be installed

00:13:33.360 --> 00:13:36.960

the raspberry pi is over 10

years old and during that time

00:13:36.960 --> 00:13:42.480

it has always had that pi username so it

has been a valid assumption to this point

00:13:43.840 --> 00:13:49.840

and as a result lots of documentation tutorials

and software just hard codes the username or

00:13:49.840 --> 00:13:56.640

the path slash home slash pi into them and that

includes some of my own guides and the software

00:13:56.640 --> 00:14:01.840

i've written and there's a good reason for

doing this it's because the raspberry pi

00:14:02.640 --> 00:14:11.520

is intended for education including for use by

school children or for use by people that are new

00:14:11.520 --> 00:14:20.480

to linux perhaps makers and this is their first

involvement in linux and therefore as a result

00:14:21.840 --> 00:14:26.320

try to make the tutorials or the

software as easy to use as possible

00:14:29.680 --> 00:14:37.040

going forward it's not actually that difficult to

remove these dependencies certainly possible to

00:14:37.040 --> 00:14:44.960

update tutorials which can work regardless of the

user ids some software may be a little harder for

00:14:44.960 --> 00:14:49.680

instance if your program is being run as a local

user you can just use the tilde character ~ or

00:14:49.680 --> 00:14:54.960

$HOME to refer to the home directory but for

applications that are designed to run as root

00:14:54.960 --> 00:15:01.760

or being started up automatically as a daemon they

don't necessarily have access to those variables

00:15:01.760 --> 00:15:09.440

and it may be better to install into a different

directory perhaps the /opt directory or within the

00:15:10.160 --> 00:15:19.840

normal limits application folders such as usr

and etc you could even create a symbolic link

00:15:20.480 --> 00:15:29.280

of /home/pi to the real users directory or still

use the pi username if you really wanted to

00:15:29.840 --> 00:15:35.120

i suggest that would be only a temporary

measure really should look at ways of

00:15:36.320 --> 00:15:41.680

integrating the program a bit better it may be

that you're confident enough about your password

00:15:41.680 --> 00:15:48.880

or you have other security measures in place so

using the pi username is perfectly valid in those

00:15:48.880 --> 00:15:54.880

now i've already made some changes to one of

my projects this is the pixel server program

00:15:55.600 --> 00:16:02.720

which provides a web interface to allow

you to control neopixels or rgb leds

00:16:04.640 --> 00:16:11.760

originally this assumed it was installed in the

the pi home directory but i've now updated the

00:16:11.760 --> 00:16:18.080

instructions and some of the scripts so that it

can now be installed in the /opt directory instead

00:16:18.640 --> 00:16:24.720

as much as i've said this will only have a small

improvement to the overall system security it

00:16:24.720 --> 00:16:31.440

doesn't have to have much impact on the end users

in this example it really didn't take much of an

00:16:31.440 --> 00:16:36.480

update and the end users as long as they follow

the updated restrictions it'll still work fine

00:16:38.080 --> 00:16:46.000

so overall as this improves the security of the

system i actually see this as has been quite a

00:16:46.000 --> 00:16:51.920

positive change for the raspberry pi i'm now going

to show walk through showing how you can install

00:16:51.920 --> 00:16:56.960

raspberry pi os and configure it with an

alternative username this is the raspberry

00:16:56.960 --> 00:17:01.520

pi imager which is the easiest way to install

an image and this has been updated with the new

00:17:01.520 --> 00:17:09.360

changes run this on your local pc and it will

download the latest version of the operating

00:17:09.360 --> 00:17:15.600

system and install it onto the sd card in this

case i'm using the raspberry pi 64-bit version

00:17:15.600 --> 00:17:19.200

but you can use the 32-bit version as well

particularly if you have an older model of

00:17:19.200 --> 00:17:25.920

the raspberry pi choose your sd card and

click right and it'll take a while now

00:17:25.920 --> 00:17:30.240

to download the image over the internet

and then install it onto your sd card

00:17:31.040 --> 00:17:36.080

after installing to your sd card you can

boot that in the raspberry pi and you'll

00:17:36.080 --> 00:17:42.080

see this first run wizard start up you first

set your country and that's important for the

00:17:42.080 --> 00:17:48.400

wireless install as well as setting your time

zone you then be prompted to create a user

00:17:48.400 --> 00:17:53.920

and in this case i'm creating user called pixel

server and of course giving it a secure password

00:17:55.680 --> 00:18:00.400

you can then connect to your wireless

network install the updates and you'll

00:18:00.400 --> 00:18:13.840

need to reboot and it's as simple as that that's

the raspberry pi setup with a non-default username

00:18:15.920 --> 00:18:20.080

if you want to run your raspberry pi in

headless mode that's without a screen

00:18:20.080 --> 00:18:25.360

or keyboard attached then you can configure

the new username using the imager software

00:18:27.360 --> 00:18:32.960

before starting the right click on the settings

icon and that will allow you to set that before

00:18:32.960 --> 00:18:38.480

you install the sd card and there's some other new

features in there so you can set your raspberry pi

00:18:38.480 --> 00:18:46.240

up straight away ready for headless mode thanks

for watching i hope you found this useful if so

00:18:46.240 --> 00:18:52.160

please give it a like i plan to create more videos

on cyber security guides for both computer users

00:18:52.160 --> 00:18:56.400

and those interested in understanding what hackers

and crackers do so that you can understand how to

00:18:56.400 --> 00:19:02.560

make your own systems more secure please click

on subscribe and the notification icon to get

00:19:02.560 --> 00:19:08.720

notified when i create more videos in the future

i look forward to seeing you on a future video

Previous Application Security Testing
Application Security Testing