We all know what a pain it is to come up with new passwords all the time and can understand the allure of not having to create a new password if you don’t have to. So when you get a new device that has an included password, why create a new one? It works the way it is.
But the state of California doesn’t believe that is keeping you well protected. They passed a law banning devices from shipping with default passwords, such as “123456” and “password123.” Should this law be stretched further? Should devices be required to only allow complex passwords?
Miguel says it depends on how complex the passwords need to be and took the thought wider than just devices. “Services that don’t contain any crucial personal data (like gaming forums) shouldn’t encourage such things” because if you aren’t using the same password for other more sensitive services, such as email or Paypal, there really isn’t any real danger.
He doesn’t believe this new law will have any real effect because people will still use simple passwords on devices. Hackers will still be able to scan ports for common passwords that will still be used by lazier people. “The true remedy against hackers is educating people on the dangers of default passwords in the first place.” It’s a person’s own responsibility to maintain security.
Alex believes “it’s far better that folks use password managers rather than intentionally setting poor passwords, even for unimportant accounts.” He also feels “social engineering attacks often start by collecting apparently benign personal information that, when compiled, becomes enough to reset a crucial password.”
He’s not usually a fan of legislation with these things, but this is a “no-brainer” to him. He finds it stupid to ship devices with default passwords. He thinks they should ship with long passwords and force a user to choose new ones immediately. He just had new Internet service set up in his apartment, and while the model had a unique SSID and network password, the router configuration webpage had admin and a blank password. Someone who wasn’t as tech savvy wouldn’t even know that page existed or how and why it should be changed. He’s hoping the world, and not just California, will benefit from this.
Simon thinks devices should definitely force the use of complicated passwords. “While having a secure password for everything you use is ideal, I think it goes double for devices.” Many problems and a lot of stress could be negated by simply securing technology with a proper password. It saves resources for the company producing the devices as well, as they’ll have fewer customer support calls because of hacked devices.
Damien believes that while it’s a good idea for a device to use complicated passwords by default, “the manufacturer should also include additional instruction on how to handle it.” He also thinks they should come with a mechanism for the user to change the default password when necessary. He hates it when “devices come with a default password and force you to use it for its lifetime.”
Andrew also isn’t a big fan of tech legislation, “but establishing basic cybersecurity expectations for devices is a little bit like having minimum food and drug safety standards.” He thinks it’s good to know that even if something isn’t the best quality, it’s still not something that will kill him or compromise his security. He’d prefer if people could have this cybersecurity knowledge on their own but knows it won’t happen.
He’d also like to see these rules be “fuzzy and loosely-enforced” as manufacturers should be liable for poor security practices, but overzealous enforcement might end up badly. The South Korean banking system, shaped by technical security legislation from the early 2000s, is now a nightmare to use on a PC, yet the same legislation was never applied to mobile banking, which left mobile banking simpler and more secure.
Phil doesn’t think it could be explained any better than it has been so far in the other comments, but he thinks there is a lot more at work here, with government legislation, companies who make devices, and the public just wanting things to work with the least effort and technical knowledge. He recognizes our niche is explaining these things but feels the public wants “pushbutton ease-of-use, but they also want ultimate waterproof security,” and he doesn’t think the two things are compatible. There’s work that goes into making things secure, so a middle ground is needed where it’s relatively easy to implement good security.
Like Phil, I can’t add much to what has already been said. I don’t like a lot of government regulation, but I don’t see why manufacturers would ship a device that is easily hacked. Why would they do that to their customer base? That just seems reckless on their part to me, and if they’re not going to take care to not do that, then the law makes sense.
What are your thoughts on government intervention in technology? Should they step in and make laws in this case to keep everyone safe? Or should they just stay out of it? Should devices be required to only allow complex passwords?