Laws Against Default Passwords

[deanwebb]

Found this in my research today: https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/

It's a start, I like how it requires a unique password for each device and for a password change after first logon.

[Otanx]

So that law was passed in 2018, and was supposed to be enforced starting in 2020. Wonder how enforcement is going. I am pretty sure some of the gear I work with has default passwords, and don't force changes. Maybe they don't sell those in California.

-Otanx

[deanwebb]

Could be. I read more on it and both the USA and EU have guidelines that stop short of assessing fines. The UK, however, just passed a law that assesses fines for vendors that make gear with default passwords.

I hope that the legislation also extends to hard-coded root accounts.

Network engineer whose gear was pwned because attacker used a default root account: