  • California to Outlaw Weak Password Use in Connected Devices

      • #222669 Reply
        Da Boss

        California to Outlaw Weak Password Use in Connected Devices

        Starting on Jan. 1 2020, manufacturers of connected devices will need to build in “reasonable security features” into their products, including better password protection, states the new law, which was approved last week.

        By Michael Kan | Oct 5, 2018

        California is making it illegal for manufacturers to sell internet-connected devices designed with weak default passwords.

        Each internet-connected device must either be preprogrammed with a unique password or let the customer generate an entirely new means of authentication upon a first-time activation.

        The law will hopefully spell an end to vendors securing their products with weak passwords such as “admin,” “password” or “12345” — all of which can be trivial for hackers to guess. In particular, internet-connected cameras, DVRs and Wi-Fi routers have all been found built with weak login credentials, opening the door for easy takeover.

        Read the full article here

        1 user thanked author for this post.
      • #222783 Reply
        AskWoody MVP

        That should be the case by default now, world-wide, not in Jan 2020.
        It’s definitely a step in the right direction, but IoT being sold now could be problematic regardless unless hardened security via firmware measures are implemented and sustained. I wonder how many devices will be out of support by then? (excluding W7)

        Win7 Pro x86/x64 | Win8.1 Pro x64 | Linux Hybrids x86/x64 |
      • #222938 Reply
        AskWoody Lounger

        This is a stupid law. A manufacturer can have the toughest default password ever. It won’t take long before this “tough” default password would be available with an internet search. It would be much better to remove the “or” and make new users generate a password.

        Where am I? What am I doing in this hand basket?

        • #222941 Reply
          AskWoody Plus

          I agree, in principle, with the idea that users should have to make up their own passwords when they first use one of those gadgets, but how to make sure they won’t go for “1234”? Perhaps there could be a random numbers generator in the gadget itself that generates that first password for the owner right when it is first used, or again later, if the user forgets it and hits the “forgot your password?” button to have a new one created. The seeds of those generators could also be created with random numbers generators by the manufacturers, so they would be all different and unguessable by criminals.

          It also depends on how this law may, alternatively, require manufacturers to make up the default passwords for the gadgets they sell: if by using a random numbers generator to create a new one for each device sold, for example, an Internet search will not be much help in finding them. Unless IT security at the makers of these devices is so lax or amateurish that they get their data base of customers’ default passwords stolen… Assuming the makers need to keep those passwords in a data base, or for very long. There may be practical ways for them to get safely around the need for keeping a permanent data base that can be hacked.

          That is not to say that such measures will be required by this new law once it is given its detailed complementary regulations.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)
