Laws Against Default Passwords

Started by deanwebb, April 12, 2022, 01:12:39 PM



Found this in my research today:

It's a start, I like how it requires a unique password for each device and for a password change after first logon.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.


So that law was passed in 2018, and was supposed to be enforced starting in 2020. Wonder how enforcement is going. I am pretty sure some of the gear I work with has default passwords and doesn't force changes. Maybe they don't sell those in California.



Could be. I read more on it and both the USA and EU have guidelines that stop short of assessing fines. The UK, however, just passed a law that assesses fines for vendors that make gear with default passwords.

I hope that the legislation also extends to hard-coded root accounts.

Network engineer whose gear was pwned because attacker used a default root account:
