Technologist - The FindLaw Legal Technology Blog

CA Law Makes It Illegal to Sell Devices With Weak Passwords

If you've set up some web-connected tech in the last decade that requires password protection, there's a good chance you've seen some pretty basic username/password combinations (e.g., admin/admin) straight from the manufacturer and thought to yourself, "this must be like taking candy from a baby, for hackers." Because it is.

Some people are notoriously oblivious to the need to change factory-set passwords, or to the fact that these even exist. However, a new law in California seeks to change that by requiring manufacturers that sell internet-connected devices that should be password protected to ensure the devices come pre-coded with unique passwords that hackers cannot easily guess.

Strong Passwords Are the Law

For tech manufacturers, the new law seems to codify what's already been taking place in the industry. Consumers want better privacy and security for their home systems, but aren't necessarily able to set it up themselves. For example, most of the major brand-name home internet routers or Wi-Fi mesh networks will now come pre-programmed with unique network names and passwords, pre-configured for strong network security.

Device manufacturers know that, economically speaking, it's likely cheaper to provide unique pre-configurations than to deal with the number of phone calls and emails from people who don't know how to follow the step-by-step instruction booklet that usually comes with every device.

Why the Law?

The impetus for the law isn't to help run up the bill even higher for IT professionals who need to set up every little bit of network infrastructure in commercial settings. Rather, it is to protect consumers who might be expecting a more "plug-and-play" experience from being exploited by hackers, which, in turn, could have a much larger impact.

As explained by Motherboard (linked above), hackers have hijacked millions of unsuspecting people's IoT devices to create botnets for nefarious purposes. The law makes it much more difficult for hackers who may be relying on non-unique factory-set passwords to gain easy access.
