Slashdot Mirror


California May Ban Terrible Default Passwords On Connected Devices (engadget.com)

According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers either to preprogram each device with its own unique password or to make the user change the credentials the first time the device is used. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.

1 of 155 comments

  1. Re:It should be by mjwx · Score: 3, Informative

    all building a single OS for IoT with security built in

    You think "security" is something that can be "built in." Security in software development is a mindset. How does having a secure operating system help when the web frontend developer doesn't understand how to correctly validate passwords?

    Security in everything is a mindset... However, a good mindset on its own is useless. You need to give the user the tools as well.

    What we have needed for years in connected home appliances is for the first configuration screen to be "Change this default password before the device becomes usable". Laws here in the UK have meant that ISPs aren't permitted to hand out devices with generic or default passwords, so every router you get has a sticker on it with your individual password.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.