Slashdot Mirror


California Bans Default Passwords on Any Internet-Connected Device (engadget.com)

In less than two years, anything that can connect to the internet will come with a unique password -- that is, if it's produced or sold in California. From a report: The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."

3 of 240 comments

  1. On first look, this seems very sensible. by mark_reh · Score: 4, Insightful

    I wonder what the unintended consequences will be.

  2. Re:It's time for revolt by prisoner-of-enigma · Score: 5, Insightful

    So you are the champion of the flashing 12:00?

    You want security cameras to be wide open?

    Do you leave your house unlocked because keys are too hard to use?

    Sigh...

    Please try to understand that because someone is against a particular idea does not automatically mean they are in favor of the polar opposite of it. This type of thinking is extremist thinking and ruins any chance at useful dialog where both parties can try to understand each other.

    I am in favor of companies stopping this "default password" crap. However, the idea of a government entity mandating it makes me uncomfortable. In choosing the lesser of evils, I would be against such a mandate and depend upon customers pressuring their vendors to change their behavior using the most effective tool known: their wallets.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky

  3. Re:It's time for revolt by sjames · Score: 5, Insightful

    It's the mandate or nothing. Companies have had DECADES to understand that default passwords are a terrible idea. Do you figure they were somehow within seconds of the light bulb going on when the bill was signed?

    If the corporations themselves were the only ones to suffer, that would be fine. If their customers might suffer as well, I could almost buy in to the idea that they should have done more research. But neither is the case. The unsecured devices get rooted and then attack 3rd parties that had no input into the terrible decision to have default passwords. In some cases (looking at you Cisco) the customer had no knowledge of or input into the default password either (nor the ability to remove it if they ever do find out about it).

    When their bad dogs stop crapping in my yard, they can be free to do as they will.