California has moved to ban generic and easy-to-guess default passwords, in a bid to boost the security of connected devices.
The ban is outlined in a new bill, titled Information Privacy, and will come into effect from 2020. Under the new rules, firms manufacturing electronics in the state will have to provide a unique password for each device.
The move comes amid fears that weak passwords such as “admin” are aiding hackers in their attempts to launch cyber attacks using connected devices in massive ‘botnets’.
In 2016, some of the world’s most popular websites, including Twitter, Reddit and GitHub, were knocked offline by a distributed denial of service attack leveraging thousands of poorly protected devices.
In light of such attacks, there have been calls for legislators to force device manufacturers to follow the principles of ‘security by design’. Jake Moore, a cyber security expert at ESET, described the Californian bill as “a massive step forward”.
“The ongoing balancing act between convenience and security is always a delicate one, but acting on enforcement is sometimes the only way to make our internet a safer world,” he said.
But Moore suggested that the bill could have gone even further. “Let’s not stop there. It will be great to see all accounts enforce two-factor authentication as compulsory soon too,” he added. “Then that will really start to defend our accounts far better still.”
In March, the UK government unveiled plans for a code of conduct to boost the security of devices such as smart TVs, toys and speakers. Using unique passwords for each device is a key requirement. While the code is voluntary, the government has vowed to “make [the] guidelines compulsory through law” if businesses do not follow them.