Weak IOT passwords outlawed in California

News by Robert Abel

The US state of California has passed a law effectively banning weak passwords and enforcing other security measures to more effectively secure connected devices.

In the US the state of California has passed a law effectively banning weak passwords and enforcing other security measures to more effectively secure connected devices.

While it's unlikely individuals or businesses will be raided by local law enforcement for attempting to lock down their computer or Wi-Fi using "Password123," the new law will require that manufactured devices be preprogramed with unique passwords as opposed to uniform default login credentials.

The Information Privacy: Connected Devices law will also mandate devices to contain security features requiring the user to generate a new means of authentication before access is granted to the device for the first time as well as other measures to ensure devices are protected.

High-Tech Bridge CEO Ilia Kolochenko praised the move as serving a laudable example to other governments that insecure IoT and network devices pose an invisible but rapidly growing security and privacy risk today.

"Millions of connected devices become an essential part of our daily life," Kolochenko said. "Widely present default or  weak  passwords  may now cause not just cyber-problems but physical injuries or even death."

He added that banning weak password may also have the collateral effect of people deciding to reuse the same passwords everywhere that they eventually forget, subsequently leaving their devices without regular updates making it more prone to attacks.

Users could also be pushed to create more passwords that may not fall under the legal definition of a weak password but are still bruteforceable.

Experts agree, Amit Sethi, senior principal consultant at Synopsys said the law is unlikely to make connected devices more secure in the long run.

"Another issue is that the password uniqueness requirement only appears to apply to connected devices that are ‘equipped with a means for authentication outside a local area network,’" Sethi said. "This assumes that connected devices are deployed in completely trusted local area networks — this is rarely the case in real life."

Other researchers suggested the law doesn’t address admin passwords nor the way in which large organisations administer them One Identity senior director Bill Evans suggested governments should use tax incentives to promote security.

"Imagine a regulation that suggests that every dollar spent on a privileged management solution can be deducted from next year’s tax burden," Evans said.  "Governments should use the ‘carrots’ available to them, rather than the "sticks," to incentivise enterprises to make the security investments that are best for them."

Yogesh Patel, chief data scientist Callsign commented: "Although it is promising to see the involvement of the US government in the battle against security online, passwords as a single form of security has been known to be insufficient for some time. While we have come on leaps and bounds in terms of biometric authentication technology which has helped improve the protection of our identities online, the ability to collect sufficient biometric data tends to be quite difficult and consequently, it is also not 100 percent secure. There are also issues relating to the storage of individuals’ biometric samples including the possible security implications should the information be leaked."

Jake Moore, cyber-security expert at ESET UK said: "Admin and password are used so often straight out of the box for "ease of use" but by forcing the user by design to change the password adds the layer of better security from the start. The ongoing balancing act between convenience and security is always a delicate one but acting on enforcement, is sometimes the only way to make our internet a safer world. 

"But let’s not stop there. It will be great to see all accounts enforce two factor authentication as compulsory soon too. Then that will really start to defend our accounts far better still."

The bill will go into effect in 2020. 

Originally published in scmagazine.com North America.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews