California, not content with stopping bots from pretending to be human, has passed a law to basically make stupid passwords illegal.
From January 1, 2020, the "Information Privacy: Connected Devices" bill will ban default passwords on new devices. That means things like “password” or “123456” will no longer be allowed – instead, all new passwords must be unique.
This doesn’t mean that if you use a password like that you’ll need to change it – although you really should. It actually applies to device manufacturers, telling them that any Internet-connected device can’t come with an easy-to-guess password installed.
“This bill… would require a manufacturer of a connected device… to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,” the bill states.
The idea is this will enable a crackdown on botnets that prey on weak passwords to break into devices. If a device is pre-loaded with a weak password, then it makes it all the more vulnerable.
However, the bill has been criticized for not going far enough. The Register notes that it is a “massive missed opportunity”, and highlights a “dangerous lack of decent technical knowledge in the corridors of power.”
The main problem, they say, is that passwords are the “lowest-hanging fruit” to fix. The bigger problem is failing to update software, something people often have to manually do. And if they won’t change their password, then there isn’t much hope they’ll install updates when prompted.
As noted by Engadget, it’s also unclear how the bill will affect older devices from the 1980s or 1990s, which have passwords that are difficult to change.
But Tech Crunch said the bill was “better than nothing”, even if there was “room for improvement”. They highlighted previous attacks, like the Mirai botnet, which was able to use default passwords to take down various sites including Twitter and Spotify.
The bill comes just a week after California passed another bill to beef up digital security, with the state passing a law that prevents online bots from pretending to be human. This bill was designed to tackle bots that swung the 2016 US Presidential Election in favor of Trump – and now they're taking on passwords, too.