Submitted via IRC for Bytram
Weak passwords to be banned in California
Default passwords such as "admin" and "password" will be illegal for electronics firms to use in California from 2020.
The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.
It demands that each gadget be given a unique password when it is made.
Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.
The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features.
This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.
The bill also allows customers who suffer harm when a company ignores the law to sue for damages.
(Score: 3, Interesting) by RedBear on Sunday October 07 2018, @04:17AM
This is just about the last forum where I expected people to be whining about manufacturers being legally barred from setting the default credentials of hundreds of millions of internet connected devices to something stupid like admin/admin or root/password. We're talking about devices that are not just used by consumers, they're used by giant corporations, government offices, hospitals, and even sometimes the military. How could it possibly turn out to be a bad thing for manufacturers to be held accountable for what is essentially leaving a publicly known backdoor in their devices?
Even if 50% of the owners of the devices choose to reset the unique password to "1234", which is of course ridiculously easy to prevent, that would still mean that you just cut the number of automatically-insecure devices on the market IN HALF.
The logic of being opposed to this utterly fails me. So what if every single owner of one of these devices puts their password on a post-it note on the front of the device? We're talking about devices that get attacked across the internet, not computers at the office. If I get physically close enough to read the password off the post-it, the device and the network is already compromised. As long as the password isn't allowed to be on the list of passwords commonly used by stupid people, we're already talking about potentially the most measurable improvement in overall security in the history of the internet.
I know security is a very difficult thing to do exactly right, but I'm forced to wonder what kind of steps could be taken that would actually keep some of you from complaining about moving in the right direction.
¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ