California Bans Default Passwords on Any Internet-Connected Device (engadget.com)
In less than two years, anything that can connect to the internet will come with a unique password -- that is, if it's produced or sold in California. From a report: The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
I wonder what the unintended consequences will be.
So you are the champion of the flashing 12:00?
You want security cameras to be wide open?
Do you leave your house unlocked because keys are too hard to use?
Sigh...
Please try to understand that because someone is against a particular idea does not automatically mean they are in favor of the polar opposite of it. This type of thinking is extremist thinking and ruins any chance at useful dialog where both parties can try to understand each other.
I am in favor of companies stopping this "default password" crap. However, the idea of a government entity mandating it makes me uncomfortable. In choosing the lesser of evils, I would be against such a mandate and depend upon customers pressuring their vendors to change their behavior using the most effective tool known: their wallets.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
It's the mandate or nothing. Companies have had DECADES to understand that default passwords are a terrible idea. Do you figure they were somehow within seconds of the light bulb going on when the bill was signed?
If the corporations themselves were the only ones to suffer, that would be fine. If their customers might suffer as well, I could almost buy in to the idea that they should have done more research. But neither is the case. The unsecured devices get rooted and then attack 3rd parties that had no input into the terrible decision to have default passwords. In some cases (looking at you Cisco) the customer had no knowledge of or input into the default password either (nor the ability to remove it if they ever do find out about it).
When their bad dogs stop crapping in my yard, they can be free to do as they will.
Stupid government requiring businesses and consumers to avoid unnecessarily hazardous practices.
I too am uncomfortable with mandates to use GFCIs in the kitchen and bathroom, carry gasoline in approved containers, not leave my keys in a running car when I go to the store, and all the rest.
You should merely be in favor of me doing so, and trust that I wish for you to avoid electrocution, conflagration, and general mayhem.
Oh, you were serious. *snicker* All 0.01% of you that might use that as a pre-purchasing criterion will surely justify the expense.
Your stuff being hijacked because of a default password is not just harming you, it's being used to attack me and thousands of others. Since you can't be responsible enough to prevent that harm, a regulation is needed to prevent you being irresponsible in the first place.
Entirely different regulation by different people with a different dynamic. Not all regulations are good or well considered. Not all regulations are bad or poorly thought out. More thinking, less knee jerking.