California passed has just passed a law effectively banning weak passwords and enforcing other security measures to more effectively secure connected devices.
While its unlikely individuals or businesses will be raided by local law enforcement for attempting to lock down their computer or Wi-Fi using “Password123,” the new law will require that manufactured devices be preprogramed with unique passwords as opposed to uniform default login credentials.
The Information Privacy: Connected Devices law will also mandate devices to contain security features requiring the user to generate a new means of authentication before access is granted to the device for the first time as well as other measures to ensure devices are protected.
High-Tech Bridge CEO Ilia Kolochenko praised the move as serving a laudable example to other governments that insecure IoT and network devices pose an invisible but rapidly growing security and privacy risk today.
“Millions of connected devices become an essential part of our daily life,” Kolochenko said. “Widely present default or weak passwords may now cause not just cyber problems but physical injuries or even death.”
He added that banning weak password may also have the collateral effect of people deciding to reuse the same passwords everywhere that they eventually forget, subsequently leaving their devices without regular updates making it more prone to attacks.
Users could also be pushed to create more passwords that may not fall under the legal definition of a weak password but are still bruteforceable.
Experts agree, Amit Sethi, senior principal consultant at Synopsys said the law is unlikely to make connected devices more secure in the long run.
“Another issue is that the password uniqueness requirement only appears to apply to connected devices that are ‘equipped with a means for authentication outside a local area network,’” Sethi said. “This assumes that connected devices are deployed in completely trusted local area networks — this is rarely the case in real life.”
Other researchers suggested the law doesn’t address admin password nor the way in which large organizations administer them One Identity Senior Director Bill Evans suggested governments should use tax incentives to promote security.
“Imagine a regulation that suggests that every dollar spent on a privileged management solution can be deducted from next year’s tax burden,” Evans said. “Governments should use the ‘carrots’ available to them, rather than the “sticks,” to incentivize enterprises to make the security investments that are best for them.”
The bill will go into effect in 2020.