California has passed a law banning default passwords for all connected consumer electronics and requires users to “generate a new means of authentication before access is granted to the device for the first time.”
The new legislation passed last month means that as of 2020 manufacturers will have to equip devices with “reasonable” security features in the form of preprogrammed passwords “unique to each device.”
Currently, developers assign a default password such as “123,” “password” or “admin” to the program of a hardware device, and if left unchanged the default provides an easy attack vector opportunity, Computer Hope reported.
The aim is to protect the users “personal information from unauthorized access, destruction, use, modification, or disclosure.”
The legislation comes as botnets continue to take advantage of badly secured devices to distribute denial-of-service (DDoS) attacks, TechCrunch reported.
Malware uses publicly available default passwords, which have not been changed by the user, to hijack the device and use it to launch cyber-attacks.
According to the U.K.’s Register, the bill is one step to addressing the problem, but failure to update software is a much greater issue.
Manufacturers may take measures to update software to address the latest security threats but it is still up to the user to update their system to install it. In many cases, users neglect to do this, leaving their devices vulnerable to attacks.