This is a transcript for a video linked here: understanding usernames and how attackers may use them to attack your system.
[00:00:00] Raspberry Pi has removed the default pi username. This has been added as a new security feature, but it also has the risk of breaking numerous programs and tutorials. Is it worth the change?

[00:00:16] Before I explain the pros and cons, I'll just say that I've had a Raspberry Pi which is configured as a server and is directly connected to the internet. On that computer I already changed the username, and that was several years ago. In that case the existing pi username is still there, but it's been disabled. While security was a consideration, it was really more about consistency; I've implemented other steps to secure the server beyond the normal username/password combination.

[00:00:47] A bit of background: the default username for the Raspberry Pi has always been pi. Not only that, but the default password is raspberry. In the past that meant if you had your Raspberry Pi connected to the internet during setup, you could end up in a position where someone could log in remotely to the computer using the default credentials. There was not much incentive to change your password, and that was a very big risk. Fortunately that was fixed some time ago by having it prompt to change the password during first run. That was a big change and a significant improvement in security.

[00:01:27] The change this time is not as significant in terms of the additional security it provides, but it will have a significant change to how some programs work, and some tutorials. So how big a risk is having a default username? Is the password secure enough?

[00:01:45] As with many things in security, it depends. It depends how exposed your Raspberry Pi is, it depends what kind of attack is likely to happen, and it depends how good your password is.

[00:01:58] This is going to get a bit technical now. If you just want to get the implications for software, or want to see how to configure a new username during install, you can skip this chapter and move to the practical applications.

[00:02:08] Still here? We can now look at some of the risks of password-based authentication. I'm going to consider a few examples, and for this I'm going to assume network login attempts across an untrusted network like the internet. Let's assume you have a Raspberry Pi connected to the internet which allows SSH logins from the internet. I'm assuming a script-based attack by a user that doesn't know much about the computer or the user they're targeting.

[00:02:42] So we'll take the first risk, which is the worst case scenario: you have a username of pi and you've left your password as raspberry. This is clearly just asking for trouble. It is trivial for an attacker to take a list of well-known usernames and passwords and just try them against the machine. If someone knows it's a Raspberry Pi they are attacking, and you have network services open that allow logins, then it's likely their first guess and they can immediately get on your machine.

[00:03:15] We're going to take the next step, what I call a stupid password. So we're no longer using the default password, but it's a well-known password. Again, this is going to be quite easy, and this is why I called it stupid passwords. So here's one of the common passwords, 123456, and as we just go through some of the more common ones, things like qwerty, which is a combination from the keyboard, password, and more number-based ones, things like password123 and qwerty123 for instance. All of these, if you're using one of these passwords, then these are easy to guess, and if it's on this list then it's not really that much better than using the default password. Assuming you know the username, then it would be trivial to make 20 or so login attempts using one of these passwords. This is very insecure.

[00:04:17] The next consideration is if this system has a password that is not on the popular password list, but it's based on something that could be guessed by a computer. By this I mean simple words that are susceptible to a dictionary attack. It's easy enough to get a copy of a dictionary of words, and this is one of the reasons that security policies often insist on including numbers or sometimes special characters. This is partly due to the number of additional permutations required for a brute force attack, which I'll cover next, but it also can make the password less susceptible to dictionary attacks. I only say "can" because it really depends upon the user. If all they do is just add a one to the end of a word, that does not really add much extra protection, and dictionaries also include words where substitutions are made within the password, such as swapping an i for a 1 or an e with a 3. You can see this in this snapshot from a dictionary called rockyou. This dictionary has around 14 million words. It's not something you're likely to get through by manually trying passwords, but with some level of automation there's a chance that somebody can get into your system. With enough resources, the risk of someone being able to get into the computer is feasible.

[00:05:45] So the next level of security, and this is what we should really all be doing, is to use a proper complex password. In an ideal world this would be a completely random combination of lowercase letters, capital letters, digits and special characters, although in reality our human brains would find that hard to remember, resulting in the password being written down, which is another risk. So it may be better to combine multiple unrelated words with occasional digits and perhaps special characters.

[00:06:17] In this case an attacker would perhaps have to look at using a brute force attack, and this is where an attacker tries every possible permutation of characters to guess the password. It doesn't completely prevent a lucky guess, but the number of possibilities increases exponentially based on the number of characters in the password. I'm going to simplify the conditions here and the calculations, but these give you an idea of whether it's worth the effort of a hacker even trying this.

[00:06:44] Let's start by looking at a fairly basic password which is exactly six characters long using only letters: 26 letters in the English alphabet, with six independent characters, and that gives around 300 million combinations. If you add in some capital letters and digits, that gives 62 possible characters, which puts us into the billions of possible combinations. You could add some special characters and increase that slightly, but really the thing to do to make a password more secure is to add more characters. If you set the minimum characters to seven, using letters and digits, then the number of permutations is now in the trillions, and for eight characters that is around 218 trillion possible combinations. This assumes the password is exactly eight characters long; the number of possibilities would increase even further if that's just the minimum number of characters.

[00:07:59] When we're looking at attacks against a complex password, we're looking at how many attempts can be done and in what period of time, and there's a number of factors on here, but bear in mind this is a network connection we're looking at, and so there's a number of simultaneous login attempts that can be made. This can be determined by the SSH settings, the processor speed of the Raspberry Pi, the bandwidth and any additional security features that may have been added. But in the case of a really complicated password it might take years to be able to have enough guesses to have a reasonable chance of getting that password, perhaps even a thousand years, or as you add more characters it could be much, much longer. So, as I say, this is only specifically about network attacks, and there's always the possibility of a lucky guess, but the probability of that is so low. So essentially complex passwords are very, very difficult to break using brute force.

[00:09:12] Now we'll move on to changing the username and have a look at how this is going to affect these different passwords. First we're going to skip the default username and password. If you change the username then I certainly hope you're going to change the password from the default as well, so that's not really that relevant.

[00:09:34] Let's look at the well-known passwords, the common password attack. So if you take the first 20 possible passwords and take the top 20 most common usernames, that gives you around 400 possible combinations. That's certainly slightly better than the 20, but with some simple script you can potentially crack that within a few hours. So changing the username to a common username with your common password is not really going to add much additional security.

[00:10:14] The one where it perhaps adds more security is against the dictionary attacks. I assume that you want to avoid the top 20, but usernames do tend to follow a simpler pattern than passwords, so we're not going to be looking at the same number of different usernames as number of passwords. So if we consider a fairly common username, perhaps something within the top hundred, and that word could be found in a cracker dictionary, there may be over a billion possible combinations, and while this may take a while, it's feasible that that particular username and password combination may be guessed. Well, if you add some digits and special characters in the password, or a more unique username, there's a good chance that this could take what otherwise may be a fairly poor password and make it much more secure.

[00:11:26] And then finally, looking at the brute force: I've already said a brute force attack is unlikely to be successful. It's just not worth putting the resources in to try and do a brute force attack over the network, but adding a different username makes this even less likely to succeed because of the number of possible combinations. So it potentially removes that risk of somebody getting in early by luck, a brute force attacker getting a lucky guess.

[00:12:07] From a security perspective I'd argue that using a good password is more important than whether it's a default username or not. However, changing the default username does add an additional element of security, and that's always a good thing. The thing about security: it's not something you just switch on and off. It's about taking different measures just to make it harder for people to break in, and every one of those that you add is a good thing.

[00:12:40] This is purely looking at a default system. There are other ways that you could add security. I plan to cover some of those in a future video. For instance, I'm going to look at ways of securing the login using key-based authentication and multi-factor authentication, so please consider subscribing if you're interested in those. But for this video I'm just concentrating on the passwords.

[00:13:04] The fact that changing the username does add an additional security step is a good thing, but it does have a downside, which I'm going to look at next. And the downside is that software and tutorials have been written with the expectation that there will be a user called pi, and that's where potentially the software is going to be installed. The Raspberry Pi is over 10 years old, and during that time it has always had that pi username, so it has been a valid assumption to this point. And as a result lots of documentation, tutorials and software just hard-code the username or the path /home/pi into them, and that includes some of my own guides and the software I've written. And there's a good reason for doing this: it's because the Raspberry Pi is intended for education, including for use by school children, or for use by people that are new to Linux, perhaps makers, and this is their first involvement in Linux, and therefore, as a result, I try to make the tutorials or the software as easy to use as possible.

[00:14:29] Going forward, it's not actually that difficult to remove these dependencies. It's certainly possible to update tutorials so that they work regardless of the user IDs. Some software may be a little harder. For instance, if your program is being run as a local user, you can just use the tilde character ~ or $HOME to refer to the home directory, but for applications that are designed to run as root, or being started up automatically as a daemon, they don't necessarily have access to those variables, and it may be better to install into a different directory, perhaps the /opt directory, or within the normal Linux application folders such as /usr and /etc. You could even create a symbolic link of /home/pi to the real user's directory, or still use the pi username if you really wanted to. I suggest that would be only a temporary measure; you really should look at ways of integrating the program a bit better. It may be that you're confident enough about your password, or you have other security measures in place, so using the pi username is perfectly valid in those cases.

[00:15:48] Now, I've already made some changes to one of my projects. This is the Pixel Server program, which provides a web interface to allow you to control NeoPixels or RGB LEDs. Originally this assumed it was installed in the pi home directory, but I've now updated the instructions and some of the scripts so that it can now be installed in the /opt directory instead. As much as I've said this will only have a small improvement to the overall system security, it doesn't have to have much impact on the end users. In this example it really didn't take much of an update, and for the end users, as long as they follow the updated instructions, it'll still work fine. So overall, as this improves the security of the system, I actually see this as having been quite a positive change for the Raspberry Pi.

[00:16:51] I'm now going to walk through showing how you can install Raspberry Pi OS and configure it with an alternative username. This is the Raspberry Pi Imager, which is the easiest way to install an image, and this has been updated with the new changes. Run this on your local PC and it will download the latest version of the operating system and install it onto the SD card. In this case I'm using the Raspberry Pi 64-bit version, but you can use the 32-bit version as well, particularly if you have an older model of the Raspberry Pi. Choose your SD card and click Write, and it'll take a while now to download the image over the internet and then install it onto your SD card.

[00:17:31] After installing to your SD card, you can boot that in the Raspberry Pi and you'll see this first run wizard start up. You first set your country, and that's important for the wireless install as well as setting your time zone. You'll then be prompted to create a user, and in this case I'm creating a user called pixelserver, and of course giving it a secure password. You can then connect to your wireless network, install the updates, and you'll need to reboot, and it's as simple as that. That's the Raspberry Pi set up with a non-default username.

[00:18:15] If you want to run your Raspberry Pi in headless mode, that's without a screen or keyboard attached, then you can configure the new username using the Imager software. Before starting the write, click on the settings icon, and that will allow you to set that before you install the SD card, and there's some other new features in there so you can set your Raspberry Pi up straight away ready for headless mode.

[00:18:38] Thanks for watching. I hope you found this useful. If so, please give it a like. I plan to create more videos on cyber security guides for both computer users and those interested in understanding what hackers and crackers do, so that you can understand how to make your own systems more secure. Please click on subscribe and the notification icon to get notified when I create more videos in the future. I look forward to seeing you on a future video.
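The keyspace arithmetic the video walks through, carried out as an added example; this is not code from the video or the transcript. The wordlist and username-list sizes are the ones the video quotes, while the guess-rate inputs (10 parallel connections, 6 tries each, 3 seconds per connection) are assumed figures chosen for illustration.

```python
import string

# Character-set sizes behind the figures quoted in the video:
# lower-case letters only, then letters plus digits.
LOWER = len(string.ascii_lowercase)                 # 26
ALNUM = len(string.ascii_letters + string.digits)   # 62

def keyspace(charset_size, length):
    """Passwords of exactly `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length

def credential_space(password_candidates, username_candidates=1):
    """Username/password pairs to try when the username is not known in advance:
    20 passwords x 20 usernames = 400, or a 14 million word list x top 100 usernames."""
    return password_candidates * username_candidates

def attempt_rate(parallel_connections, attempts_per_connection, seconds_per_connection):
    """Guesses per second an online attacker can sustain. sshd bounds the
    attempts per connection (MaxAuthTries) and the concurrent unauthenticated
    connections (MaxStartups); the Pi's CPU and link set the connection time."""
    return parallel_connections * attempts_per_connection / seconds_per_connection

def seconds_to_exhaust(space, attempts_per_second):
    """Time to try every candidate once; on average a hit comes at about half."""
    return space / attempts_per_second

def human(n):
    """Round a count the way the video quotes it: '218.3 trillion'."""
    for unit, scale in (("trillion", 10**12), ("billion", 10**9), ("million", 10**6)):
        if n >= scale:
            return f"{n / scale:,.1f} {unit}"
    return f"{n:,}"

def human_time(seconds):
    for unit, scale in (("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600)):
        if seconds >= scale:
            return f"{seconds / scale:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def risk_table(attempts_per_second):
    """The video's scenarios, from default credentials up to an eight-character
    letters-and-digits password, each with its candidate space and the time to
    exhaust it at the given guess rate."""
    scenarios = [
        ("default pi / raspberry", 1),
        ("top-20 password, username known", credential_space(20)),
        ("top-20 password x top-20 username", credential_space(20, 20)),
        ("14M-word list x top-100 username", credential_space(14_000_000, 100)),
        ("6 lower-case letters", keyspace(LOWER, 6)),
        ("6 letters/digits", keyspace(ALNUM, 6)),
        ("7 letters/digits", keyspace(ALNUM, 7)),
        ("8 letters/digits", keyspace(ALNUM, 8)),
    ]
    return [(name, space, seconds_to_exhaust(space, attempts_per_second))
            for name, space in scenarios]

if __name__ == "__main__":
    # Assumed defender-side limits for illustration: 10 parallel unauthenticated
    # connections, 6 guesses each (sshd's default MaxAuthTries), 3 s per connection.
    rate = attempt_rate(10, 6, 3)   # 20 guesses per second
    for name, space, secs in risk_table(rate):
        print(f"{name:38s} {human(space):>16s}  {human_time(secs):>16s}")
```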