California made news when it passed its consumer privacy act (CCPA), even with the resistance of tech companies. Now California is making security news again with new legislation, this time geared to address password security.
Most of our connected devices are given a default password, often something ridiculously easy (like “admin”), and we’re supposed to change that password right away. I’ve written a lot over the years about how poor we are at doing that, both at home and at work. The default password remains the regular password. Hackers have an easy open door into those devices because they know the password. You’ve left the keys to your internet home under the door mat for anyone to find and use.
With the California law, that practice of easy default passwords will come to an end in 2020. According to TechCrunch, the law will require each device to be programmed with a unique password, and:
It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time.
This should help address the rising threat to IoT devices, both as they are being targeted with malware to turn them into botnets but also as they collect more and more personal and corporate data.
Frankly, this is something that manufacturers should have addressed a long time ago. Security, even when we knew cybersecurity had to be baked in, continued to get pushed aside so devices could hit the market quicker. Security could come later. Well, later is here, so the time has come to do something. The California law takes a step in that direction, but it needed to go a bit further, BBC stated:
A bigger problem than poor passwords was the creation of devices that could not be updated. California should have added clauses that required manufacturers to take a more rounded approach . . . to limit how much access malicious hackers can get to all kinds of devices.
But it is something, as Tim Erlin, VP, product management and strategy at Tripwire, told me in an email comment:
Weak passwords are a problem, but this bill aims to address a more challenging and serious problem with poor default security in vendors’ products. It’s important that vendors see security as their responsibility, even after the customer takes possession of the product.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba