Stories
Slash Boxes
Comments

SoylentNews is people

Weak Passwords to be Banned in California

posted by chromas on Saturday October 06 2018, @08:20AM   Printer-friendly
from the this-password-contains-patterns-known-to-the-State-of-California-to-cause-cracking-and-data-breaches dept.

upstart writes:

Submitted via IRC for Bytram

Weak passwords to be banned in California

Default passwords such as "admin" and "password" will be illegal for electronics firms to use in California from 2020.

The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.

It demands that each gadget be given a unique password when it is made.

Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.

The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features.

This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.

The bill also allows customers who suffer harm when a company ignores the law to sue for damages.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Weak Passwords to be Banned in California | Log In/Create an Account | Top | 30 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Interesting) by RedBear on Sunday October 07 2018, @04:17AM

    by RedBear (1734) on Sunday October 07 2018, @04:17AM (#745364)

    This is just about the last forum where I expected people to be whining about manufacturers being legally barred from setting the default credentials of hundreds of millions of internet connected devices to something stupid like admin/admin or root/password. We're talking about devices that are not just used by consumers, they're used by giant corporations, government offices, hospitals, and even sometimes the military. How could it possibly turn out to be a bad thing for manufacturers to be held accountable for what is essentially leaving a publicly known backdoor in their devices?

    Even if 50% of the owners of the devices choose to reset the unique password to "1234", which is of course ridiculously easy to prevent, that would still mean that you just cut the number of automatically-insecure devices on the market IN HALF.

    The logic of being opposed to this utterly fails me. So what if every single owner of one of these devices puts their password on a post-it note on the front of the device? We're talking about devices that get attacked across the internet, not computers at the office. If I get physically close enough to read the password off the post-it, the device and the network is already compromised. As long as the password isn't allowed to be on the list of passwords commonly used by stupid people, we're already talking about potentially the most measurable improvement in overall security in the history of the internet.

    I know security is a very difficult thing to do exactly right, but I'm forced to wonder what kind of steps could be taken that would actually keep some of you from complaining about moving in the right direction.

    --
    ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
    ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3