The default made it simpler to boot up a Pi and start working without needing to hook up the device to a monitor or go through a multi-step setup process. However, it also meant that the Pi OS had a rather large security hole.
Now it seems times are changing and new installs of the Raspberry Pi OS will not have a default account.
Writing in his blog, Raspberry Pi Foundation software engineer Simon Long said that the "pi" user account could potentially make a brute-force attack slightly easier.
"Some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials," he writes. This move will improve the Pi operating system's security.
Before, even if you assigned a good password to the "pi" account, attackers could still assume with a reasonable degree of certainty that most Raspberry Pi boards were using the "pi" username.
Many Pi OS-based operating systems ship with the default "pi" user account enabled and are completely passwordless, requiring extra steps to assign the account a password in the first place.
The downside is that the change could break some software and scripts, particularly those that are hard-coded to use the "pi" user account and home folder.
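For the breakage described above, here is an added example (not from the Raspberry Pi Foundation or the original article) of a shell check that lists lines hard-coding the "pi" account or its home folder. The function names, the patterns and the sample files are assumptions constructed for illustration, and the pattern list is not exhaustive.

```shell
#!/bin/sh
# Added example: find scripts and unit files that hard-code the legacy
# "pi" account, so they can be fixed before moving to an install that
# has no default user. Patterns are illustrative assumptions.

find_pi_refs() {
    # $1 = directory to scan (a project checkout, /etc/systemd/system, ...)
    dir=${1:-.}
    # -r recurse, -I skip binary files, -n show line numbers, -E extended regex
    grep -rInE \
        -e '/home/pi([^[:alnum:]_.-]|$)' \
        -e '^[[:space:]]*(User|Group)=pi[[:space:]]*$' \
        -e '(sudo[[:space:]]+-u|chown([[:space:]]+-R)?)[[:space:]]+pi([[:space:]:]|$)' \
        "$dir" 2>/dev/null
}

count_pi_refs() {
    # Number of matching lines under $1 (0 when nothing is hard-coded).
    find_pi_refs "$1" | wc -l | tr -d ' '
}

# Constructed sample tree so the scan can be tried offline.
make_sample() {
    d=$(mktemp -d)
    # Hard-coded home folder: should be reported.
    printf '%s\n' '#!/bin/sh' 'cd /home/pi/project' 'python3 run.py' \
        > "$d/start.sh"
    # systemd unit pinned to the "pi" user: should be reported.
    printf '%s\n' '[Service]' 'User=pi' 'ExecStart=/usr/bin/python3 /opt/app/app.py' \
        > "$d/app.service"
    # Portable script using $HOME: should not be reported.
    printf '%s\n' '#!/bin/sh' 'cd "$HOME/project"' 'echo "pip install done"' \
        > "$d/portable.sh"
    echo "$d"
}

# Usage: find_pi_refs /path/to/scripts
```

Replacing the reported paths with `$HOME` and the reported account names with a configurable user lets the same scripts run under whatever username the setup wizard creates.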
The Raspberry Pi OS now boots into a dedicated setup mode the first time you start it up instead of running the setup wizard as an app in the normal desktop environment. That setup wizard now prompts you to create a username and password rather than simply assigning a password to the default 'pi' user account.
To aid with setup, the wizard can now pair Bluetooth keyboards and mice without requiring you to plug in a USB accessory first.