
California to ban weak default passwords on internet-connected devices - vezycash
https://www.theregister.co.uk/2018/10/04/california_iot_password/
======
djsumdog
I've seen more devices do this recently. Most ISPs will not ship a router with
an "admin" or any other default password. Instead there's a sticker on the
side of the device with a password that got generated and assigned to it on
the way out.

It may slow down the production process, but it's a step in the right
direction for security. All this bill means is that manufacturers who don't
have that process in place can't sell their devices in California. It will
probably mean more devices with random passwords for the whole country.

~~~
freeflight
> Instead there's a sticker on the side of the device with a password that got
> generated and assigned to it on the way out.

This has been a thing for a while for WLAN routers. But I still don't really
trust those, for all I know these passwords could be seeded on something very
predictable, like the device's serial number.

~~~
zeta0134
I don't trust them either, but I muuuuch prefer this practice over the old
"admin:admin" standard. Someone going through the trouble of cracking a
Pseudo-Random Number Generator, even if that's a weakness, is a heck of a lot
more effort than typing the model number into Google along with "default
password" and clicking the first result.

~~~
x3n0ph3n3
At least the "admin:admin" can be googled by a novice who has lost the
sticker. Otherwise, the device becomes unusable.

~~~
zaarn
Don't remove the sticker. Most people will have the router simply rot in a
corner so it's unlikely to get lost.

------
ejz
This is a really misleading headline...but it did get my attention, I guess.

~~~
gh02t
Agreed. According to the summary text of the bill:

    This bill, beginning on January 1, 2020, would require a manufacturer of a
    connected device, as those terms are defined, to equip the device with a
    reasonable security feature or features that are appropriate to the nature
    and function of the device, appropriate to the information it may collect,
    contain, or transmit, and designed to protect the device and any information
    contained therein from unauthorized access, destruction, use, modification,
    or disclosure, as specified.

A better title would be "California to ban weak default passwords on devices."
Edit: or "California to require more security features on internet-connected
devices."

~~~
kevin_thibedeau
That portion is pretty much toothless without any concrete definition of
"reasonable". The password provisions have some merit though:

    Subject to all of the requirements of subdivision (a),
    if a connected device is equipped with a means for
    authentication outside a local area network, it shall be
    deemed a reasonable security feature under subdivision (a)
    if either of the following requirements are met:

    (1) The preprogrammed password is unique to each device manufactured.

    (2) The device contains a security feature that requires
        a user to generate a new means of authentication
        before access is granted to the device for the first time.

Even this can be weaseled out of for most consumer IoT products as they aren't
typically intended for direct access from outside the LAN.

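An added example, not code from the thread or from the bill: in Python it contrasts a sticker password derived from the serial number (the concern freeflight raised above) with one drawn from the OS CSPRNG, and models provision (2)'s forced credential change on first login. The `Device` class, the function names and the sample serial are hypothetical.

```python
"""Added example: how a factory line could fill in the password sticker, and
the first-login gate described in provision (2) of the bill."""
import hmac
import random
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16


def serial_seeded_password(serial: str) -> str:
    """Weak scheme: the label password is a pure function of the printed
    serial, so it is reproducible by anyone who reads the serial. Included
    only so the property can be tested; a real line must not do this."""
    rng = random.Random(serial)  # deterministic PRNG seeded with public data
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def csprng_password() -> str:
    """Per-device password from the OS CSPRNG: no device attribute lets
    anyone recompute it, which is what provision (1) is meant to achieve."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


@dataclass
class Device:
    """Minimal model of the admin login state on a connected device
    (hypothetical; a real firmware would store a password hash, not the
    password itself)."""
    serial: str
    password: str
    must_change: bool = True  # provision (2): force a new secret on first use

    def login(self, supplied: str, new_password: str = "") -> bool:
        # Constant-time comparison so timing does not leak the factory value.
        if not hmac.compare_digest(supplied.encode(), self.password.encode()):
            return False
        if self.must_change:
            # First successful login: grant nothing until the user supplies a
            # replacement that differs from the factory password.
            if not new_password or new_password == self.password:
                return False
            self.password = new_password
            self.must_change = False
        return True
```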
~~~
macspoofing
>The password provisions have some merit though

Does it? The problem is that they defined a very specific solution to the
problem they are trying to solve as comprising either approach (1) or (2)
... what if there is some innovative third option that neither people here nor
the regulators were creative enough to think of? Now you've killed a potential
innovative market from developing.

>Even this can be weaseled out of

That's not 'weaseling out'. That's a real world example of an approach that is
perfectly secure and would be hurt by this if a regulator interpreted the law
as applying to the device in question.

~~~
tinus_hn
Your browser does not know the difference between your LAN and the internet so
any website you visit can instruct it to interact with websites on your LAN.
It's nowhere near 'perfectly secure' to have weak security on the LAN.

Besides, having weak security on a network means one compromise leads to a lot
more. That isn’t very ‘perfectly secure’ either.

------
dang
Url changed from
[https://www.bbc.co.uk/news/technology-45757528](https://www.bbc.co.uk/news/technology-45757528),
which points to this.

~~~
tlrobinson
To save you a click, the clickbait title was "Weak passwords banned in
California from 2020"

------
gerdesj
_Anyone manufacturing an internet-connected device in California will, from
2020_

Is CA a major location for router manufacturing?

~~~
vuln
Nope. Well maybe a few startups. But nothing like more regulations right?

------
olliej
For the lazy among us: does it require per-device complex passwords, or is it
enough to have a single “complex” password across all devices? If the latter
that makes the bill even more dumb.

~~~
tinus_hn
It requires either a password that is unique to the device or a feature that
forces the user to change the password at first login.

------
sowbug
I'm trying and failing to think of other U.S. laws specifically regulating how
consumer software is designed. Is this one of the first?

------
the_arun
Why do we need to wait for 2020? Why can't we do this immediately? E.g.
from Jan 2019?

~~~
longerthoughts
I expect most businesses have already made significant resource allocation
decisions for work in 2019 so introducing previously unaccounted for work
would be seen as "anti-business".

------
EGreg
Sounds like Bloomberg’s soda ban. Where are the freedom advocates to fight
against the govt ban? :)

