Using “1234” as your password isn’t just a bad security practice anymore, in California, it’s against the law. With internet connected security cameras, thermostats, and even fall detection technology there is no shortage of smart technology out there. As more IOT devices enter the marketplace and become an integral part of our day-to-day lives, lawmakers are seeing the need to ensure consumer security. Legislators in California (Senate Bill No. 327) are leading this pursuit by banning pre-installed default passwords on IOT devices.
Starting on January 1, 2020, all IOT devices manufactured or sold in the state of California are required to be programed with unique passwords, or prompt users to create a new password before the device can be used. This applies to any device that connects to the Internet–whether directly or indirectly–that has an IP or Bluetooth address.
What this Law Aims to Do
Researchers have found that when consumers purchase a new IOT device, 15 percent never change the default password. Depending on your perspective, that may seem lower than you might have guessed, but the fact remains 15 percent still leaves millions of devices susceptible to malware and hacking. This new law aims to at least take this basic step out of the security equation and encourage a more progressive mindset toward the importance of password protection.
“The lack of basic security features on internet connected devices undermines the privacy and security of California’s consumers, and allows hackers to turn everyday consumer electronics against us,” said state senator Hannah-Beth Jackson (author of the bill), in a press release. “This bill ensures that technology serves the people of California, and that security is not an afterthought, but rather a key component of the design process.”
Criticisms of the Ban
Even a seemingly simple mandate like this one has ramifications. This new requirement will increase costs for manufactures, and will likely cause pushback as laws like this become more widespread.
Critics also point out that passwords are just one way that attackers reach devices. Exploiting bugs in software and other holes in security systems are common ways that equipment is breached.
In reference to this bill, Bruce Schneier, a security technologist at the Harvard Kennedy School said, “If I have a house with 50 unlocked windows, you just secured the one in the second bedroom.”
Password Best Practices
Whether you are monitoring for a wide variety of IOT devices or simply trying to keep your personal computer protected, there are some elemental standards everyone should know about. Here are some basic best practices when it comes to setting passwords against potential security threats:
- Use long “passphrases” rather than simple words
- Don’t just substitute ‘s’ with ‘$’ or ‘a’ with ‘@’
- Implement two-factor authentication when available
- Don’t keep written passwords consolidated in one document