California Bans Default Passwords on Any Internet-Connected Device (engadget.com)
In less than two years, anything that can connect to the internet will come with a unique password -- that is, if it's produced or sold in California. From a report: The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
now enforce it, idiot
California is a load of shit who cares what they do.
I bet Cisco is gonna be pissed off about their routers, switches and appliances though.
The big problem right now is that devices that DO come with "unique" passwords are far too often based on the device's MAC address. If you can already connect to the device to communicate with it, odds are you'd already have the information needed to "generate" the default password on the device. The bill should have a specific provision that the passwords are indeed truly random, and not based on hardware IDs.
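An added illustration of the point in the comment above (not part of the original thread and not any vendor's code): a factory password drawn from the OS CSPRNG, plus a production-line QA check that flags a label password built from the device's own identifiers. The device record, the alphabet and the 6-character threshold are constructed assumptions.

```python
import hashlib
import secrets

# Label-friendly alphabet without look-alikes (0/O, 1/l/I); an assumption.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed sample device record, not taken from any real product.
DEVICE = {
    "mac": "00:1A:2B:3C:4D:5E",
    "serial": "SN-2018-004217",
    "production_date": "2018-10-05",
}


def generate_factory_password(length=16):
    """Draw every character from the OS CSPRNG, independent of hardware IDs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _normalise(value):
    """Lower-case and drop separators so 00:1A:2B and 001a2b compare equal."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def derived_from_identifiers(password, identifiers, min_run=6):
    """Return the name of the identifier the password is built from, else None.

    Flags a run of min_run or more characters shared with an identifier, and
    a password that is a slice of a common hash of an identifier.
    """
    pw = _normalise(password)
    for name, raw in identifiers.items():
        ident = _normalise(raw)
        for i in range(len(ident) - min_run + 1):
            if ident[i:i + min_run] in pw:
                return name
        if len(pw) < min_run:
            continue
        for algo in ("md5", "sha1", "sha256"):
            for material in (raw, ident):
                if pw in hashlib.new(algo, material.encode()).hexdigest():
                    return name
    return None


if __name__ == "__main__":
    for candidate in ("2B3C4D5E", "admin-20181005", generate_factory_password()):
        print(candidate, "->", derived_from_identifiers(candidate, DEVICE))
```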
I am sure that the IOT'mania crowd may not like this, but the internet is worth protecting.
https://www.youtube.com/c/BrendaEM
Most of the gun companies have abandoned California and refuse to sell to or service firearms from CA government agencies. The rest of every other industry must now follow suit and just refuse to do business in California. Those idiots couldn't feed themselves if they had to so just let them suffer and starve until they come crawling down off that high horse to rejoin society.
It would be funny if manufacturers stopped sending their products to California.
Don't worry though, your raspberry pis are safe!
Now manufacturers can make their IOT products for California with *NO* password! That should save time & money wasted on security testing.
Taking guns away from the 99% gives the 1% 100% of the power.
the default password will be part of the mac address of the device
part of the serial number of the device
production date for the device.
et voila, unique id. ... any other pretty obvious default password that is easy to remember like password. :-D
the users will have to change the default password on first use, and will change it to 12345 or secret or
caption -- milked
California bans internet-connected devices!
I wonder what the unintended consequences will be.
Every time I pull an old router out of the closet, I do a reset to factory defaults, then look up the factory default password on the internet. Does the law now say I'm no longer allowed to do that? Are they going to ship every frickin' device with a different default password? That would send their return rate through the ceiling as customers couldn't login to configure their equipment.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
IANAL, nor do I regularly read legislature bills. But, on my read of the bill, I don't see any teeth to the bill? What are the repercussions for a company for violating this law? Other than setting a more concrete bar for possible civil cases, are there any more repercussions?
If a bill don't have teeth, what's the point?
I don't have a password on my phone, because it doesn't have personal data (it's strictly a phone). And there's none on my desktop computer, because it never leaves the security of my house.
I truly HATE when politicians force citizens to do something against their will, when the only person being harmed is the citizen himself. (If someone steals my phone, I am the only one harmed. Leave me alone.)
Maybe politicians should start calling themselves Daddy Brown and Mommy Pelosi, if they insist upon treating us like children.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
...but do they do, scan all your devices and fine you? It's one thing to make manufacturers *in* California to do this; I don't see how you can stop other manufacturers from motoring along as they are whether or not it's a good idea. I don't know how you make this happen short of using force.
Ferret
Sic gorgiamus allos subjectatos nunc
And cue the list of devices with the trusty old admin/password combo... Tada! Security!
Liberals ban hate, injustice, and poverty. Anybody who supports the previous 3 things will be beaten up, ostracized, and have their money taken away from them.
Hooray for the government
I can see it now... the system boots and prompts
Please Enter Password> _
User enters: "password"
Confirm new Password> ********
Buck passed to user who has now entered a well known password. Problem solved !!!
This will effectively deprecate compatibility with really old Bluetooth devices (prior to 2.1, ca. 2007) because manufacturers likely will drop support for legacy pairing (the 4 digit code, which is almost always "0000").
Not so sure that is a bad thing.
EUI-64 is typically used for the link-local address in IPv6.
The link-local address is, as its name implies, valid only on the local link. Routers will not route it.
So in order to be exposed to the EUI-64 link-local address, you'd have to be on the same switched Ethernet link - which means you'd also see the Ethernet frames and the Mac addresses in the Ethernet header.
This is idiotic, can you imagine tech support?
"Yeah I can't log in to my router with the password provided"
"Well, you need to reset it and try it again, if it doesn't work return it, cos there's not a thing to be done. Thanks for calling"
You want your cake and eat it. So typical - screaming for your individual rights, wilfully blind to any personal responsibility. Fuck you asshole, governments exist precisely to protect us from the dickheads like you.
It can be. As you mentioned, it's typically not.
Eom
When one employee puts the wrong stickers on the wrong units identifying what each unique password is.
John
California is one of the most populated states in US. If default pw is banned here, it's banned everywhere. You wonder why?
Any company who wants to sell a product in CA will sell the same product everywhere else in the country. Abiding CA regulations alone will bring inheritance to other states. Bravo!!!
I think it has to be done in a production line fashion... you can't get a sticker until the code is burned into the device... and with a production line constantly moving, you can't really put one sticker on another machine by mistake.
Nice work!
I eagerly await California prohibiting "1234" as the combination on a lock.
Ken
This is the same legislature that has destroyed its education system, allowed its roads to rot, allowed human feces and the associated diseases in the streets of its major cities, and is always so busy passing new headline-grabbing laws to please its "progressive" base that it has no time to update any older laws or policies to keep them current and properly functioning.
so:
With technology marching forward at internet speed, which is admittedly not warp speed but is certainly many many times faster than legislative speed, this law will be on the books and still applying to electronics sold in CA 20 years from now when nobody is even using passwords. Some poor coder who has not even been born yet will be dictating code into his super quantum headset computer decades from now and will ask his manager why he's having to cut-and-paste a bunch of old C code into a new product and encase it in a wrapper written in some language that does not now exist. After a bunch of meetings and legal searches, it will be discovered that the code must be there for the product to be sold in CA.
It's a HORRIBLE idea for stupid glad-handing lawyers, fuelled by special interest money, who have become ensconced into political offices to have ANYTHING to do with tech policy, no matter which party they are in.
This is probably a good concept. Execution may be a little bit difficult. How well have gun bans worked? How well have most of the rest of Sacramento's idiocies worked - the carbon tax? the not a train to nowhere? the sky high taxes?
In addition it appears to me that this is effectively a barrier to interstate and international trade. The feds may object to the interstate trade barrier. And international barriers are the sole responsibility of the feds.
I predict large teams of lawyers are going to feed well at this trough that sack-o-tomatoes has created.
{^_^}
So, let's see, what's going to happen when my bluetooth earbuds want to pair with my bluetooth pandora wifi radio that has no keyboard? Or even my smart tv that has no keyboard? This is a poorly thought-out law passed by stupid people trying to do a smart thing.
In other news, CA state representatives have tapped into California's vast budget surplus to enact a new law demanding that all table fork importers must now apply a cork to every fork before providing "dangerous tools" to the public. A one-eyed, self-proclaimed LGBTQ-LMNOP she-man and registered Democrat, shouted praise from his^H^H^Hher^H^H^Htheir puddle of tears.
Seriously, WTF? I depend on default passwords on devices for when they need to be reflashed. So if we lose the stupid insert with the forced default password we've now got bricks? Fuck this!