Something that might be key for PUP distros - RasPI announcement


Post by Clarity »

This text was found in a recent RasPI announcement:

"Up until now, all installs of Raspberry Pi OS have had a default user called 'pi'. This isn't that much of a weakness – just knowing a valid user name doesn't really help much if someone wants to hack into your system; they would also need to know your password, and you'd need to have enabled some form of remote access in the first place. But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials. So with this latest release, the default 'pi' user is being removed, and instead you will create a user the first time you boot a newly-flashed Raspberry Pi OS image."

Today, the standard password for Official PUPs is "woof....". If a login is needed, this is it. And, if LAN access is needed, this is it. And ...

Most experienced users know that they can change the standard to something else. But, I think this knowledge shared by RasPI suggests that forcing a user to acknowledge/change the standard is a good/required thing.

Should a FirstRUN utility have a feature to alert the user to maintain or change the standard password for local and LAN access?

Or are we good?


Post by April »

Clarity wrote: Fri Apr 08, 2022 9:47 pm

Most experienced users know that they can change the standard to something else. But, I think this knowledge shared by RasPI suggests that forcing a user to acknowledge/change the standard is a good/required thing.
Or are we good?

Well, no.
"Forcing" a user?

Why would that EVER be a good thing? Because it suits you?
You need to sit down and have a good think about what you create for your children when you adopt that attitude.

CHOICE is always the right way.

The Australian State Governments have all enacted laws to steal your assets on your death. All legal paperwork is binned and all assets seized on one disgruntled child's complaint. Move them well before you die or go into a home.


Post by Clarity »

HA! :lol:

I'm not sure what you're getting at??? On one hand you object to offering the user to elect his own password, .... then you suggest that he should elect "CHOICE is always the right way" to his own password?

Anyway, I DON'T SET THE RULES! You might want to take it up with the RasPI people.


Post by redquine »

I think the RasPI guys have made that decision based on how people use their boards. The legislation appears to apply to IoT devices like fridges and alarms, not home PC operating systems.

From https://www.bitdefender.com/blog/hotfor ... passwords/:

Other internet connected devices - such as cars, smart meters, medical devices, and desktop and laptop computers - do not appear to fall within the bill's remit.

So yeah, we're good. :thumbup2:


Post by April »

@Clarity

On one hand you object to offering the user to elect his own password

Ehh?
Where did that come from?

You don't set the rules but I am suggesting you seem to agree that users should be forced to do things. That's a dangerous approach and, as I said, a better approach is always to give users the choice.



Post by Clarity »

OK, I think I see where you are referencing; it's this statement:

... But, I think this knowledge shared by RasPI suggests ....

This is misinterpreted to mean I am in support of FORCING a user to CHOOSE their own password (or choosing to keep a default) somehow diminishes the value of what RasPI 'might' be trying to provide.

I think they are attempting to make new users aware of choosing their own discretionary as a means of a level of security, IMHO.

The word force is used to reference a point in system setup that RasPI is doing to bring a level of responsibility to the user in the user's own choosing.

Try overlooking the word, if you can. If there is a better way to get a level of personal password security, please share it with them.

Puppy does not do that, but should there be reported breaches, I am sure this option or something like this will surface to encourage user selection over the general default that everyone already knows.

This thread just shares what RasPI is now doing.
