
posted by chromas on Saturday October 06 2018, @08:20AM
from the this-password-contains-patterns-known-to-the-State-of-California-to-cause-cracking-and-data-breaches dept.

Submitted via IRC for Bytram

Weak passwords to be banned in California

Default passwords such as "admin" and "password" will be illegal for electronics firms to use in California from 2020.

The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.

It demands that each gadget be given a unique password when it is made.

Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.

The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features.

This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.

The bill also allows customers who suffer harm when a company ignores the law to sue for damages.


  • (Score: 4, Insightful) by BsAtHome on Saturday October 06 2018, @10:12AM (13 children)

    by BsAtHome (889) on Saturday October 06 2018, @10:12AM (#744992)

    The default will be fixed, that is fine. Now the user can finally set his/her favorite password "password" and "123456" and be done with it.

    It is a good thing that some default and basic security must be configured. The problem is that many users have no clue whatsoever how security in the computerized world works. The complexity of security is not something one can take lightly. It requires much more than a forced change of defaults. Most users will never understand the intricate relations and interactions of computers and the potential problems that creates for security.

    In the end we will have indemnified producers and still no security. Not a good prospect.

  • (Score: 2, Touché) by Anonymous Coward on Saturday October 06 2018, @10:50AM (3 children)

    by Anonymous Coward on Saturday October 06 2018, @10:50AM (#744995)

    This action doesn't solve all problems in the world. Should it not have been done? (Y/N)

    • (Score: 2, Interesting) by Anonymous Coward on Saturday October 06 2018, @11:04AM (2 children)

      by Anonymous Coward on Saturday October 06 2018, @11:04AM (#745000)

      California: is there anything you won't legislate?

      • (Score: 2, Funny) by Anonymous Coward on Saturday October 06 2018, @11:13AM (1 child)

        by Anonymous Coward on Saturday October 06 2018, @11:13AM (#745003)

        California: is there anything you won't legislate?

        Hmm ... let's find out. Hold my gavel.

  • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @11:10AM (5 children)

    by Anonymous Coward on Saturday October 06 2018, @11:10AM (#745002)

    Well, let's see here ... who do we want shouldering the majority of the security responsibility, the manufacturer or the end user? Both should share some of the responsibility but the manufacturer is more qualified than the end user - usually by orders of magnitude.

    If the end user makes poor security choices it is not the responsibility of the manufacturer, though some minimum password complexity/quality should be enforced.

    Seatbelts make driving safer. They don't save all lives, and there have been some instances where they have cost lives. But in the vast majority of cases seatbelts make driving safer. Still, the car manufacturers cannot force the driver or passengers to wear seatbelts. The end user is still responsible for their actions/choices.

    • (Score: 2) by BsAtHome on Saturday October 06 2018, @11:22AM (4 children)

      by BsAtHome (889) on Saturday October 06 2018, @11:22AM (#745008)

      The number of failure modes for a seatbelt is, for a trained individual, limited.
      The number of failure modes for software is, for a trained individual, not well defined.

      Changing the password is one thing. Updating the software is another story. You do not update your seatbelt every few weeks to get the bugs out, do you?

      Therefore, concentrating on default passwords and "reasonable security" features are a step in the right direction, but have marginal impact in the long run. There is no silver bullet for security and no law can make your software secure. Especially when you consider the complexity of software in general and security in particular.

      • (Score: 2, Informative) by Anonymous Coward on Saturday October 06 2018, @11:45AM (1 child)

        by Anonymous Coward on Saturday October 06 2018, @11:45AM (#745010)

        Car analogies are fun. Selling a device with the password "password" is like selling a car with seatbelts made of paper and expecting the consumer to retrofit real seatbelts.

        • (Score: 1, Insightful) by Anonymous Coward on Saturday October 06 2018, @05:12PM

          by Anonymous Coward on Saturday October 06 2018, @05:12PM (#745096)

          I'd say it's more like selling a car with a generic key and expecting the consumer to shape the key and resize the pins themselves.

      • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @04:28PM

        by Anonymous Coward on Saturday October 06 2018, @04:28PM (#745075)

        The number of failure modes for software is, for a trained individual, not well defined.

        Yet for an untrained individual they are innumerable.

        Changing the password is one thing. Updating the software is another story. You do not update your seatbelt every few weeks to get the bugs out, do you?

        If software updates are necessary they should be automatic ... but that will cause havoc in the minds of the "it's mine! I paid for it!" crowd that doesn't want automatic updates. So a very conspicuous "Do you want this device to automatically apply software updates?" question immediately after the required changing of the password.

        There are no perfect solutions to this, but a great deal can be improved with just a few small measures. Let's not ignore the 80% - 90% of prevention we can take with these initial small steps.

      • (Score: 2) by chromas on Saturday October 06 2018, @08:26PM

        by chromas (34) on Saturday October 06 2018, @08:26PM (#745149)

        You do not update your seatbelt every few weeks to get the bugs out, do you?

        Not yet.

  • (Score: 2) by fyngyrz on Saturday October 06 2018, @04:18PM (1 child)

    by fyngyrz (6567) on Saturday October 06 2018, @04:18PM (#745068)

    The default will be fixed, that is fine. Now the user can finally set his/her favorite password "password" and "123456" and be done with it.

    It's very easy to require that a password contain minimum N-length, out-of-alpha-order, out-of-qwerty-order, out-of-numeric-order, out-of-order mix of caps, punctuation, and numeric. Out-of-order can be enforced across alternating classes of characters. If there's enough space in the device, or you're building a desktop application, it's also easy to require that it not contain common English words. Dual-entry to confirm without copy/paste capability is also advisable.

    Implementation and testing takes just a few hours. I'm speaking from experience here.

    So there's no need to risk those kinds of problems. And then there's the generation of an initial default for the user of the device and throwing a sticker in the packaging.

    I will grant you that for the low-level users, some frustration is encountered as their minds are taxed by the requirements, but clear error results during entry — not just after — mitigate that at least somewhat, and an automatic generator is the obvious band-aid for them.

    It's long past time that users learned to track passwords (and no, I don't think a "password manager vault" is a good idea. That's just a means to "lose one password, lose them all" or "have one password compromised, all are compromised.")
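An added example of the kind of checker fyngyrz describes (not the commenter's code and not from any product): it rejects short candidates, missing character classes, runs in alphabetic, numeric or QWERTY order in either direction, and a handful of common words, and it returns every violation at once so a form can show clear errors while the user types. The 12-character minimum, the run length of four, the keyboard rows and the tiny word list are assumptions chosen for illustration; a real deployment would load a proper common-password list.

```python
"""Password-policy checker for the rules listed above.

Added example, not the commenter's code. MIN_LENGTH, MAX_RUN, the
keyboard rows and COMMON_WORDS are assumed values for illustration.
"""
import string
from typing import List, Optional

MIN_LENGTH = 12                      # assumed policy minimum
MAX_RUN = 3                          # a run of MAX_RUN + 1 ordered chars is rejected
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COMMON_WORDS = {"password", "letmein", "welcome", "admin", "qwerty",
                "monkey", "dragon", "football"}   # tiny stand-in for a real list


def _ordered_run(s: str, step: int) -> bool:
    """True if every character is `step` code points after the previous one:
    "abcd" or "1234" for step=1, "dcba" or "4321" for step=-1."""
    return all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def _keyboard_run(s: str) -> bool:
    """True if s reads along one QWERTY row in either direction ("asdf", "poiu")."""
    return any(s in row or s in row[::-1] for row in QWERTY_ROWS)


def _first_run(pw: str, window: int) -> Optional[str]:
    """Return the first window-length substring that is an alphabetic,
    numeric or keyboard run (case-insensitive), or None if there is none."""
    low = pw.lower()
    for i in range(len(low) - window + 1):
        chunk = low[i:i + window]
        if not chunk.isalnum():          # punctuation breaks a run
            continue
        if (_ordered_run(chunk, 1) or _ordered_run(chunk, -1)
                or _keyboard_run(chunk)):
            return pw[i:i + window]
    return None


def check_password(pw: str) -> List[str]:
    """Return every rule the candidate violates; an empty list means accepted.

    Reporting all violations at once is what lets a form show clear errors
    during entry instead of one complaint per submit."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    present = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing " + ", ".join(missing))

    run = _first_run(pw, MAX_RUN + 1)
    if run is not None:
        problems.append(f"contains an ordered run: {run!r}")

    low = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains common word {word!r}")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Abcd1234!xyz", "Qwer7yX!pLm9", "Xk7!mQ2$vB9&"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The run detector works on the lower-cased string, so alternating case ("aBcD") does not hide an alphabetic run; the numeric keyboard row doubles as the check for "0987" and similar descending digit sequences.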

    • (Score: 2) by pipedwho on Saturday October 06 2018, @08:29PM

      by pipedwho (2032) on Saturday October 06 2018, @08:29PM (#745151)

      The problem with requiring ultra complicated hard to remember passwords is that they invariably end up saved in a password manager or written down.

      These highly entropic undecipherable passwords would ideally have little to no ambiguity when written down and read back (ie. Oo0, Il, Ss5, jJ, 71l, 9g, etc.). The concept of the 4 words as per XKCD fame is a good one for users writing things down. The super complicated self/autogenerated ones are fine if the user has a decent password manager. To avoid users entering insecure passwords only requires decent minimum entropy and a few simple entropy checks for excessive repetition and/or monotonic increment 'eg password-password-password, 1234567891011121314151617181920, or password1-password2-password3, etc'. The entropy calculation should not include any substrings with the username/ID or the site/company name. A user might have a longer password with mostly low entropy characters (eg. english words), or have a short password with lots of entropy in the characters (eg. random base64 strings). It also helps if there is a description of how to make a secure password with a selection of seemingly random but relatively easy to remember words. You could even run the password against a dictionary attack with some common dictionaries to avoid obviously broken passwords.

      I'm not that concerned with the general case of users either writing down passwords or relying on password managers. Yes, both options have downsides, but they are heavily outweighed by the advantages.

      Written down passwords may be lost or stolen and the user is out of luck with potentially hundreds of passwords. However, attacking this list requires offline access, and if the list is kept relatively securely (ie. locked drawer, wallet, briefcase, etc) then it isn't likely to fall victim to a walk-by 'post-it note on the monitor' exposure. Also, a user can keep multiple lists at varying degrees of security. eg. important passwords in the locked briefcase or wallet, and stupid website passwords in a locked drawer of their desk. Photocopies can be used for backups if the lists are at risk of loss.

      Assuming a password manager has decent backup/replication capability and is designed properly (ie. secure), then a user should only have one password to remember (or a few if they want multiple vaults) - a password that could be written down and kept securely elsewhere if the user thinks they'll forget it. Password managers generally have a consistent interface that is known to the user. And the master password request happens due to actions taken by the user out of band (and not in the browser window) of the remote password being either auto-entered or copy/pasted. So it is far less likely to be compromised than, for example, a spoofed misspelled domain asking for a corporate/banking/shopping/social media/email/etc password. Password managers are great because mis-typed domain names won't be auto-entered giving the user an extra level of protection. Good password managers can have multiple vaults if a user wants to avoid the 'one password to rule them all' allowing some additional passwords to be kept even more securely and segmented by site/security level/importance/age/etc. And can be accessed from a separate device to the one being used for password entry (eg. a smart-phone is used to bring up and manually type the admin password for a server attached to a KVM switch in the server room).

      For the particularly paranoid, you can use your password manager or written list to keep a secure base password for each site. And then further transform that password with some additional secret out-of-band data (either static or generated based on the site name/password/date of generation/etc). This adds a certain amount of protection against stolen lists or hacked password manager master passwords. Some people do this without a password manager against a master password, but that is dangerous as the password from one (or more) sites may lead to sufficient clues to attack the 'algorithm' and therefore effectively leak the entire password list.

      Yes there are downsides to password managers, but there is no way the vast majority of users are going to remember hundreds of secure passwords.
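An added example of the entropy-based acceptance pipedwho sketches (not the commenter's code): the username and site name are stripped before scoring, a counting sequence like 1234567891011... scores zero, a repeated block (with or without incrementing counters) is collapsed to one copy, a passphrase of three or more plain words is scored per word rather than per character, and anything else is scored as a random string over the character classes it actually uses. The 50-bit threshold, the 7776-word (diceware-sized) list assumed for passphrase scoring and the sample identifiers are assumptions for illustration.

```python
"""Entropy-based acceptance check for the rules sketched above.

Added example, not the commenter's code. MIN_BITS, the assumed wordlist
size for passphrase scoring and the sample identifiers are assumptions.
"""
import math
import re
import string
from typing import Iterable, Optional

MIN_BITS = 50.0        # assumed threshold: four diceware words pass, "password" does not
WORDLIST_SIZE = 7776   # assumed diceware-sized list: ~12.9 bits per word
SYMBOLS = string.punctuation + " "


def _strip_identifiers(pw: str, identifiers: Iterable[str]) -> str:
    """Remove the username, site name, etc. (case-insensitively) so they
    contribute no credit: "SoylentNews2018!" scores as "2018!"."""
    for ident in identifiers:
        if ident:
            pw = re.sub(re.escape(ident), "", pw, flags=re.IGNORECASE)
    return pw


def _is_counting_sequence(s: str) -> bool:
    """True for consecutive integers written back to back:
    "123456789101112..." or "2018201920202021"."""
    if not s.isdigit() or len(s) < 4:
        return False
    for k in range(1, len(s) // 2 + 1):
        n, out = int(s[:k]), ""
        while len(out) < len(s):
            out += str(n)
            n += 1
        if out == s:
            return True
    return False


def _collapse_repeats(s: str) -> str:
    """Reduce a string that is one block repeated ("abc-abc-abc") to the
    block, so repetition earns nothing. A partial final copy still counts."""
    for n in range(1, len(s) // 2 + 1):
        block = s[:n]
        if (block * (len(s) // n + 1))[:len(s)] == s:
            return block
    return s


def _charset_bits(s: str) -> float:
    """Bits for a uniformly random string over the classes actually used."""
    size = 0
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(c.isdigit() for c in s):
        size += 10
    if any(c in SYMBOLS for c in s):
        size += len(SYMBOLS)
    return len(s) * math.log2(size) if size else 0.0


def _passphrase_bits(s: str) -> Optional[float]:
    """Three or more plain words separated by space/hyphen/underscore are
    scored per word (XKCD style), not per character."""
    words = [w for w in re.split(r"[ \-_]+", s) if w]
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    return None


def estimate_bits(pw: str, identifiers: Iterable[str] = ()) -> float:
    """Conservative entropy estimate in bits."""
    s = _strip_identifiers(pw, identifiers)
    if _is_counting_sequence(s):
        return 0.0                        # attackers enumerate these directly
    core = _collapse_repeats(s)
    if core == s:                         # not a plain repeat: retry ignoring counters
        nodigits = re.sub(r"\d", "", s)   # "password1-password2-password3"
        if nodigits and _collapse_repeats(nodigits) != nodigits:
            core = _collapse_repeats(nodigits)
    core = core.strip(" -_")
    phrase = _passphrase_bits(core)
    if phrase is not None:
        return min(phrase, _charset_bits(core))
    return _charset_bits(core)


def acceptable(pw: str, identifiers: Iterable[str] = ()) -> bool:
    return estimate_bits(pw, identifiers) >= MIN_BITS


if __name__ == "__main__":
    for pw in ["Xk7!mQ2$vB", "correct horse battery staple",
               "password-password-password", "password1-password2-password3",
               "1234567891011121314151617181920"]:
        print(f"{pw!r}: {estimate_bits(pw):.1f} bits, accepted={acceptable(pw)}")
    print(acceptable("SoylentNews2018!"), acceptable("SoylentNews2018!", ["bob", "SoylentNews"]))
```

Scoring a passphrase by the smaller of its per-word and per-character estimates is deliberate: the per-character number is what a naive meter reports, and it overstates the strength of dictionary words badly. The character-class estimate itself still assumes the remaining characters are random, which is why a real deployment would also run the candidate against a common-password list, as the comment suggests.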

  • (Score: 3, Insightful) by Runaway1956 on Saturday October 06 2018, @09:00PM

    by Runaway1956 (2926) on Saturday October 06 2018, @09:00PM (#745169)

    Uhhhhmmmmm - if each device has its own unique password by default - then user action will be required to change that default to 123456. If the user takes that action, then the user is entirely responsible for the consequences. Is this not an improvement over the default "admin" "password"? Most users won't bother to reconfigure a device, just as they have never bothered to do so in the past. If they have an 8-character randomly generated password, their security has been improved by several orders of magnitude. Even better is if they get 12-character randomly generated passwords, using upper/lower case, numbers, as well as special characters. At this point, we can actually begin to consider the devices as kinda secure.
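An added example tying together the per-device default that the law requires, the sticker in the packaging fyngyrz mentions, the read-back ambiguity pipedwho raises and the 8- versus 12-character comparison above (not any vendor's or commenter's code). Each unit gets a fresh password from the OS CSPRNG over an alphabet with the easily misread glyphs removed, rejection-sampled until every character class is present, and the keyspace in bits is computed for any length so the two sizes can be compared. The alphabet, the symbol set and the sticker layout are assumptions. The caveat in the docstring is the one practitioners care about most: a "unique" password derived from the serial number, MAC address or a per-model seed can be recomputed by anyone who can see the label or the network, and is not unique in any useful sense.

```python
"""Per-device unique default password generation.

Added example, not any vendor's or the commenter's code. The alphabet,
the lengths and the ambiguous-glyph list are assumptions.
"""
import math
import secrets
import string

# Glyphs that are misread off a printed sticker (O/o/0, I/l/1, S/s/5, 7/1) are
# left out so the sticker reads back unambiguously. Assumed list.
AMBIGUOUS = set("Oo0Il1Ss57")
UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]
LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]
SYMBOLS = list("!#%+-=?@")        # assumed: print cleanly, accepted by most forms
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)
ALPHABET = [c for cls in CLASSES for c in cls]


def keyspace_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the number of equally likely passwords of this length."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    return all(any(c in cls for c in pw) for cls in CLASSES)


def generate_device_password(length: int = 12) -> str:
    """One fresh password per unit from the OS CSPRNG.

    It must not be derived from anything printed on the box or visible on
    the network (serial number, MAC address, a per-model seed): a password
    an attacker can compute from the label is not unique in any useful
    sense. Rejection-sample until every class is present."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def sticker_line(serial: str, pw: str) -> str:
    """Grouped in fours so it can be read back aloud; the groups are
    cosmetic and the password is entered without the spaces."""
    grouped = " ".join(pw[i:i + 4] for i in range(0, len(pw), 4))
    return f"S/N {serial}  ADMIN PASSWORD: {grouped}"


if __name__ == "__main__":
    for n in (8, 12):
        pw = generate_device_password(n)
        print(f"{n} chars over {len(ALPHABET)} symbols: {keyspace_bits(n):.1f} bits")
        print(sticker_line("CONSTRUCTED-0001", pw))
```

With this 60-symbol alphabet an 8-character password gives about 47 bits and a 12-character one about 71 bits, a factor of roughly 2^24 (sixteen million) between the two; either is a different universe from a fixed "admin", whose keyspace is one. The rejection loop terminates quickly in practice because a random 12-character draw already contains all four classes most of the time.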