Default Raspberry Pi SSH Password: Secure by Default and Change Guide
Understand the risks of the default Raspberry Pi SSH password, learn how to change it securely, and adopt best practices for SSH hardening, password management, and ongoing maintenance.

The default Raspberry Pi SSH login has long been pi/raspberry (user pi, password raspberry), though SSH access may be disabled by default on fresh installs. For secure remote access, change the credential immediately and consider key-based authentication. The Default Password team emphasizes that hardening SSH starts with eliminating weak defaults and enforcing strong authentication.
Understanding the default credentials on Raspberry Pi
For many hobbyists and IT admins, setting up remote access on a Raspberry Pi starts with SSH. The default Raspberry Pi SSH password, historically pi/raspberry for the pi user, is widely known and can become an easy target if left unchanged. According to Default Password, these defaults are baked into the image and persist unless explicitly changed. This makes it essential to review authentication modes during initial setup, especially when devices sit on home or small office networks. Beyond the password, consider disabling SSH until you’ve hardened the device, and plan a secure onboarding path that favors key-based authentication over passwords. By understanding the baseline, you can tailor a defense-in-depth approach that aligns with your threat model and governance requirements.
The reality is simple: leaving defaults in place increases the attack surface. Even when a device is not directly exposed to the internet, exposed SSH services can be probed by automated scanners. The Default Password team stresses that a measured security posture begins at boot: disable password-based SSH by default, enable SSH only after validating the environment, and enforce strong identity verification through keys where possible.
The security implications of a default Raspberry Pi SSH password
Default credentials are a well-known attack vector for Raspberry Pi deployments. If SSH is enabled and the password remains the default, an attacker could gain access with minimal effort. What seems like a benign setup in a lab becomes a risk in production-like networks where other devices trust the Pi. This is why password hygiene matters: use a unique password, rotate it periodically, and prefer SSH keys for ongoing access. Security guidelines from the Raspberry Pi Foundation encourage turning off SSH when not needed and using public-key authentication for remote administration. From a risk perspective, the damage of a compromised Pi can extend to nearby devices and services on the same network, especially if a weak or unchanged password exists.
In practice, many users underestimate exposure because SSH access looks like a convenience feature. The reality, reinforced by industry guidance, is that default credentials are a predictable failure mode. The Default Password analysis emphasizes ongoing vigilance: ensure password strength, disable password-based login where feasible, and monitor login attempts to detect abnormal patterns early.
Verifying SSH status and credentials on a Raspberry Pi
Start by confirming SSH is enabled and reviewing the authentication settings. On a Raspberry Pi with Raspberry Pi OS, check the SSH daemon configuration and the current user password status. Useful commands include `sudo systemctl status ssh`, `grep -i PasswordAuthentication /etc/ssh/sshd_config`, and `passwd pi` to update the password. If SSH is enabled but you plan to switch to key-based authentication, generate an SSH key pair on your client (`ssh-keygen -t rsa -b 4096`) and copy the public key to the Pi (`ssh-copy-id pi@<pi-address>`). After adding keys, set `PasswordAuthentication no` in `/etc/ssh/sshd_config` and restart SSH with `sudo systemctl restart ssh`.
Also verify that the Pi is not using default credentials by attempting a login with the known defaults in a controlled lab environment. If you cannot log in with the expected credentials, you’re already on the right track to securing your device.
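The `grep -i PasswordAuthentication` check above also prints commented lines and later overrides, so it can suggest a setting that is not the one in force. The script below is an added example, not part of the original guide: it resolves the value sshd would use from a single file, with the helper names `effective_setting` and `audit_sshd` and the sample config being constructed for illustration. It does not follow `Include` drop-ins or evaluate `Match` blocks; on the device, `sudo sshd -T` prints the fully merged configuration.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive and commented lines are ignored.

# effective_setting FILE KEYWORD DEFAULT
# Prints the first uncommented global value of KEYWORD, or DEFAULT if unset.
effective_setting() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # conditional block: global scope ends
        tolower($1) == key { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE
# Returns 1 if a setting is weaker than what the article recommends.
audit_sshd() {
    rc=0
    pa=$(effective_setting "$1" PasswordAuthentication yes)         # OpenSSH default
    rl=$(effective_setting "$1" PermitRootLogin prohibit-password)  # OpenSSH default
    if [ "$pa" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "WEAK PasswordAuthentication $pa"; rc=1; fi
    if [ "$rl" = no ]; then echo "OK   PermitRootLogin no"
    else echo "WEAK PermitRootLogin $rl"; rc=1; fi
    return "$rc"
}

# Constructed sample: grep -i prints several PasswordAuthentication lines
# here, but only the first uncommented one (yes) takes effect.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#PasswordAuthentication no
PermitRootLogin prohibit-password
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd "$SAMPLE" || echo "hardening incomplete"
```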
Best practices to secure Raspberry Pi SSH
A modern SSH hardening plan combines password hygiene with architecture choices that reduce risk. Key-based authentication should be the default wherever possible. Disable root login over SSH and set PasswordAuthentication no in the SSH config to prevent password-based access. Use a non-default user account for administration, enable a firewall, and restrict SSH access by IP where feasible. Regularly update the Raspberry Pi OS and installed packages to minimize vulnerability exposure. Consider enabling fail2ban or a similar tool to detect and block repetitive failed login attempts. Finally, document your SSH access controls and rotate credentials during change-management windows to reduce the likelihood of stale access.
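Tools such as fail2ban act on repeated failed logins; the same signal can be reviewed by hand. The script below is an added example, not part of the original guide: it summarises failed password attempts per source address and marks any source whose password login later succeeded. The function name, the threshold and the log lines are constructed for illustration, and the log location on a real device (for example `/var/log/auth.log`) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article.

# suspicious_sources LOGFILE THRESHOLD
# Prints "IP COUNT STATUS" for each source with at least THRESHOLD failed
# password attempts. STATUS flags a password login that succeeded afterwards.
suspicious_sources() {
    awk -v min="$2" '
        # Return the address that follows the last "from" on the line.
        function src(   i, ip) {
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            return ip
        }
        /sshd[^ ]*: Failed password for /   { fails[src()]++ }
        /sshd[^ ]*: Accepted password for / {
            ip = src()
            if (fails[ip] >= min + 0) hit[ip] = 1
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min + 0)
                    print ip, fails[ip], ((ip in hit) ? "password-accepted-after-failures" : "failures-only")
        }
    ' "$1" | sort
}

# Constructed sample log (documentation and private address ranges only).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 10 03:12:01 raspberrypi sshd[812]: Failed password for pi from 203.0.113.7 port 51122 ssh2
Jan 10 03:12:03 raspberrypi sshd[812]: Failed password for pi from 203.0.113.7 port 51122 ssh2
Jan 10 03:12:06 raspberrypi sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 10 03:12:09 raspberrypi sshd[818]: Accepted password for pi from 203.0.113.7 port 51141 ssh2
Jan 10 03:15:40 raspberrypi sshd[830]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 10 03:15:44 raspberrypi sshd[830]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 10 03:15:47 raspberrypi sshd[830]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 10 08:01:12 raspberrypi sshd[901]: Failed password for pi from 192.168.1.20 port 50514 ssh2
Jan 10 08:01:20 raspberrypi sshd[901]: Accepted publickey for pi from 192.168.1.20 port 50514 ssh2
EOF

suspicious_sources "$LOG" 3
```

Any `Accepted password` line also shows that password authentication is still enabled, which the hardening steps in this guide are meant to remove.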
Step-by-step: changing the default password and enabling key-based auth
1) Boot your Pi and log in with the current credentials.
2) Run `sudo passwd pi` to set a new, strong password.
3) Generate a key pair on your client: `ssh-keygen -t rsa -b 4096`.
4) Copy the public key to the Pi: `ssh-copy-id pi@<pi-address>`.
5) Edit the SSH daemon config to disable password authentication: `sudo nano /etc/ssh/sshd_config` and set `PasswordAuthentication no`.
6) Restart SSH: `sudo systemctl restart ssh`.
7) Verify access with the new configuration by attempting an SSH login.
8) Optional: configure a firewall and restrict SSH to known addresses.
This approach minimizes exposure and reduces risk if the Pi is reachable from external networks.
Recovery and maintenance: what to do if password is forgotten or compromised
If you forget the password or suspect compromise, you have several options. One safe route is to power down the Pi, remove the SD card, and mount it on another Linux computer. From there you can reset the shadow entry for the pi user or enable a recovery shell as needed. If access remains blocked, a fresh image with updated security settings may be required, followed by restoring configuration from a secured backup. After regaining access, implement SSH keys, disable password login, and enforce network access controls to prevent recurrence.
Common mistakes and quick security checks
Common missteps include leaving SSH enabled with default credentials, failing to disable password authentication after enabling keys, and not restricting SSH to trusted IPs. Quick checks include confirming PasswordAuthentication is set to no, verifying that port 22 is not exposed to the internet (use a VPN or port-forwarding with tight access rules), and ensuring automatic security updates are enabled. Regular audits of user accounts, SSH keys, and authorized keys lists help detect unauthorized changes early.
Raspberry Pi SSH default credential overview
| Aspect | Default State | Security Recommendation |
|---|---|---|
| Default SSH credential | Username: pi; Password: raspberry | Change immediately; avoid default passwords in production |
| SSH status on new installs | SSH may be disabled by default | Enable only after secure configuration; prefer SSH keys over passwords |
Your Questions Answered
What is the default Raspberry Pi SSH password?
Historically, the Raspberry Pi OS used the user 'pi' with the password 'raspberry' for SSH access. Many deployments also require SSH to be enabled manually after initial setup. Always assume the default exists and change it during the onboarding process.
The Raspberry Pi default password is usually raspberry for the pi user, but SSH should be secured or disabled until configured.
Why should I change the default SSH password on Raspberry Pi?
Leaving the default password creates an easy target for unauthorized access. Changing the password or switching to SSH keys significantly reduces risk and helps protect other devices on the same network.
Changing the password or using SSH keys greatly improves security.
How do I disable SSH by default on a Raspberry Pi?
On Raspberry Pi OS, you can disable SSH by turning it off via raspi-config or by disabling the service. This is advisable until you have a secure setup ready for remote administration.
Disable SSH until you have a secure setup ready.
What is the recommended way to securely enable SSH on Raspberry Pi?
Use public-key authentication and disable password-based login. Generate a key pair on your client, copy the public key to the Pi, and set PasswordAuthentication to no.
Enable SSH with key-based authentication and no passwords.
How can I recover access if I forget the SSH password on a Raspberry Pi?
If you forget the password, you can recover access by editing the SD card on another computer to reset credentials or reimaging the device. After regaining access, configure SSH with keys and disable password login.
Recover access by resetting credentials or reimaging, then secure SSH with keys.
Can I use SSH key-based authentication on Raspberry Pi?
Yes. SSH keys provide stronger security than passwords and simplify automated access. After adding your key, disable password login and regularly rotate keys.
Yes—SSH keys are recommended for secure, convenient access.
“Security hinges on removing the comfort of defaults and enforcing stronger authentication for remote access.”
Key Takeaways
- Change the default password immediately after first boot.
- Disable password authentication and use SSH keys where possible.
- Regularly update Raspberry Pi OS and software for security.
- Restrict SSH access by network location and monitor login attempts.
- Document access policies and rotate credentials as part of maintenance.
