Weak, Default Passwords Banned Under New California Law

California Gov. Jerry Brown

California just made it a whole lot harder to use a weak password.

Gov. Jerry Brown on Sept. 28 signed into law S.B. 327, which will ban companies from selling Internet-connected devices with weak or default passwords, such as “Password” or “1234567.” Instead, beginning on Jan. 1, 2020, all devices must have a “preprogrammed password [that] is unique to each device manufactured.” A primary concern with weak pre-programmed passwords is that users don’t change them to strong, unique passwords after purchasing the device.

“The lack of basic security features on internet connected devices undermines the privacy and security of California’s consumers, and allows hackers to turn everyday consumer electronics against us,” state Sen. Hannah-Beth Jackson, D-Santa Barbara, who authored the bill, said in a press release. “This bill ensures that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process.”

As a means to further combat poor security, the legislation also requires that the device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”

The legislation is attempting to head off botnets, which can take advantage of weak or easily guessed passwords to perpetrate distributed denial-of-service (DDoS) attacks. In a botnet attack, malware is used to break into a device using publicly available default passwords. The malware then takes over the device and uses it to conduct cyberattacks, without the user ever knowing what’s going on. Botnets largely rely on users never changing their devices’ default passwords.
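The two device-side requirements described above (a factory credential unique to each unit, and a forced change of that credential before first access) map onto a small amount of firmware logic. The following is an added illustration written for this article, not code from the bill, any regulator, or any device vendor; the `Device` class, the blocklist contents and the policy thresholds are constructed assumptions, and the design choice is to store only a salted hash so the factory credential never has to live in the device in clear text.

```python
import hashlib
import hmac
import secrets

# Constructed sample blocklist of default/weak passwords; a real one would be much longer.
WEAK_PASSWORDS = {"password", "1234567", "12345678", "admin", "root", "default"}
MIN_LENGTH = 12          # assumed policy threshold
PBKDF2_ROUNDS = 100_000  # assumed work factor


def is_weak(password: str) -> bool:
    """True if the password is on the blocklist or shorter than the minimum length."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is kept on the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Device:
    """Hypothetical connected device with a per-unit factory credential and a first-use gate."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        # Unique factory credential drawn from the OS CSPRNG at provisioning time.
        # In practice it would be printed on the unit's label, not stored in clear text.
        self.factory_password = secrets.token_urlsafe(12)
        self._salt = secrets.token_bytes(16)
        self._hash = hash_password(self.factory_password, self._salt)
        self.credential_rotated = False  # user has not yet replaced the factory credential

    def _verify(self, password: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes of the digest matched.
        return hmac.compare_digest(hash_password(password, self._salt), self._hash)

    def set_credential(self, current: str, new: str) -> bool:
        """Replace the current credential; refuses weak choices and wrong current password."""
        if not self._verify(current) or is_weak(new):
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = hash_password(new, self._salt)
        self.credential_rotated = True
        return True

    def login(self, password: str) -> str:
        """Returns 'denied', 'rotate-required' or 'granted'.

        The factory credential authenticates the user only far enough to set a new
        credential; no other access is granted until that has happened.
        """
        if not self._verify(password):
            return "denied"
        if not self.credential_rotated:
            return "rotate-required"
        return "granted"


def provision_fleet(count: int) -> list:
    """Provision a batch of devices; the caller can verify no two share a credential."""
    return [Device(f"SN-{i:06d}") for i in range(count)]


def factory_credentials_unique(fleet: list) -> bool:
    """Fleet-level check that the 'unique to each device' property actually holds."""
    creds = [d.factory_password for d in fleet]
    return len(set(creds)) == len(creds)


if __name__ == "__main__":
    d = Device("SN-000001")
    print(d.login(d.factory_password))                     # rotate-required
    print(d.set_credential(d.factory_password, "password"))  # False: on the blocklist
    print(d.set_credential(d.factory_password, "correct-horse-battery-staple-42"))  # True
    print(d.login("correct-horse-battery-staple-42"))      # granted
    print(d.login(d.factory_password))                     # denied: factory credential retired
```

Running the script walks a single unit through the gate: the factory credential yields only `rotate-required`, a blocklisted replacement is refused, a strong one is accepted, and afterwards the factory credential no longer opens the device. The `factory_credentials_unique` check is the kind of assertion a manufacturer would run over a production batch to confirm the per-unit requirement rather than trusting the provisioning script.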

However, the legislation isn’t without opposition. The California Manufacturers and Technology Association said in a statement that the legislation “Stifles innovation by inviting arbitrary and vague mandates on manufacturers of connected devices by requiring all connected devices to be equipped with ‘reasonable’ security features ‘appropriate’ to the nature of the devices.”

Gov. Brown’s pen has been busy recently. Last month he also signed S.B. 822, which restores in the state Obama-era Federal net neutrality laws that were gutted by the Federal Communications Commission earlier this year. Almost immediately, the Department of Justice filed a lawsuit against the state to overturn the new law because. Brown, a Democrat, also signed a bill that prohibits automated accounts from pretending to be human when attempting to “incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”
