  • California to Outlaw Weak Password Use in Connected Devices


    This topic contains 3 replies, has 4 voices, and was last updated by

     OscarCP 7 months, 2 weeks ago.

    • Author
      Posts
    • #222669

      Kirsty
      Da Boss

      California to Outlaw Weak Password Use in Connected Devices

      Starting on Jan. 1 2020, manufacturers of connected devices will need to build in “reasonable security features” into their products, including better password protection, states the new law, which was approved last week.

      By Michael Kan | Oct 5, 2018

       
      California is making it illegal for manufacturers to sell internet-connected devices designed with weak default passwords.

      Each internet-connected device must either be preprogrammed with a unique password or let the customer generate an entirely new means of authentication upon a first-time activation.

      The law will hopefully spell an end to vendors securing their products with weak passwords such as “admin,” “password” or “12345” — all of which can be trivial for hackers to guess. In particular, internet-connected cameras, DVRs and Wi-Fi routers have all been found built with weak login credentials, opening the door for easy takeover.

       
      Read the full article here

    • #222783

      Microfix
      Da Boss

      That should be the case by default now, world-wide, not in Jan 2020.
      It’s definitely a step in the right direction but, IoT being sold now could be problematic regardless unless hardened security via firmware measures are implemented and sustained. I wonder how many devices will be out of support by then? (excluding W7)

      ********** Peng/Wins x86/x64 **********

    • #222938

      Tiny
      AskWoody Lounger

      This is a stupid law. A manufacturer can have the toughest default password ever. It won’t take long before this “tough” default password would be available with an internet search. It would be much better to remove the “or” and make new users generate a password.

      Where am I? What am I doing in this hand basket?

      • #222941

        OscarCP
        AskWoody Plus

        I agree, in principle, with the idea that users should have to make up their own passwords when they first use one of those gadgets, but how to make sure they won’t go for “1234”? Perhaps there could be a random numbers generator in the gadget itself that generates that first password for the owner right when it is first used, or again later, if the user forgets it and hits the “forgot your password?” button to have a new one created. The seeds of those generators could also be created with random numbers generators by the manufacturers, so they would be all different and unguessable by criminals.

        It also depends on how this law may, alternatively, require manufacturers to make up the default passwords for the gadgets they sell: if by using a random numbers generator to create a new one for each device sold, for example, an Internet search will not be much help in finding them. Unless IT security at the makers of these devices is so lax or amateurish that they get their data base of customers’ default passwords stolen… Assuming the makers need to keep those passwords in a data base, or for very long. There may be practical ways for them to get safely around the need for keeping a permanent data base that can be hacked.

        That is not to say that such measures will be required by this new law once it is given its detailed complementary regulations.
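
    The first-use flow discussed in the replies above, as an added example that is not part of any post in this thread: the device either generates a password itself or accepts the owner's choice only if it passes a basic check, and keeps only a salted hash, so no manufacturer database of passwords is needed. The function names, the constructed denylist, and the choice of the operating system's random source (Python `secrets`) and PBKDF2 are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so the password can be
# read off a screen or label without transcription errors.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
# Constructed sample denylist; a shipping product would use a far larger one.
WEAK = {"admin", "password", "12345", "1234", "12345678", "admin123", "qwertyui"}
PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch


def generate_password(length=16):
    """Draw every character from the OS CSPRNG; there is no seed to ship or leak."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable(candidate, min_length=8):
    """Reject short, denylisted, or near-constant owner-chosen passwords."""
    if len(candidate) < min_length:
        return False
    if candidate.lower() in WEAK:
        return False
    return len(set(candidate)) >= 4  # blocks "aaaaaaaa"-style choices


def make_record(password):
    """Build what the device stores: a per-device salt and a slow hash, no plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(record, attempt):
    """Constant-time comparison of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def first_boot(user_choice=None):
    """Return (password_to_display_once, record_to_store) at first activation."""
    if user_choice is None:
        password = generate_password()
        return password, make_record(password)
    if not is_acceptable(user_choice):
        raise ValueError("password rejected: too short or too common")
    return None, make_record(user_choice)
```

    The same `first_boot()` call with no argument can back a “forgot your password?” reset, provided the reset requires physical access to the device.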
