The UK government wants to ban the use of default passwords on consumer electronics

jsilva

Posts: 325   +2
In context: It's not uncommon to see consumers using the default password of their devices, leaving themselves vulnerable to possible cyberattacks. To remediate this situation, the UK government passed a bill that will ban tech companies from using default passwords on their devices, among other requirements.

The UK government's Product Security and Telecommunications Infrastructure Bill (PSTI) is divided into two parts. As the name implies, the first part comprises product security measures to protect consumers and companies from cyberattacks. The second part includes telecommunications infrastructure guidelines created to accelerate the installation, usage, and upgrading of such equipment.

The first part of the bill presents three requirements to achieve its objective: ban default passwords, require products to have a vulnerability disclosure policy, and transparency about how long the products will receive essential security updates.

The list of devices covered by the security requirements includes smartphones, connected consumer electronics and appliances, connected safety-relevant products and alarm systems, IoT hubs, smart home assistants, and home automation products. Oddly, the list doesn't include computers. Once accepted, the government will provide at least 12 months for manufacturers, importers, and distributors to adapt to the new legislation.

The telecommunications infrastructure measures aim to streamline the implementation of new gigabit-capable broadband and 5G networks. These rules will encourage the use of alternative dispute resolution instead of going for legal proceedings, allow operators to share and upgrade buried infrastructure components, and streamline the renewal process after agreements have expired.

The bill has yet to receive the Royal Assent, the last step before becoming an actual law. For now, we haven't heard of any other region enforcing similar legislation, but it wouldn't be surprising to see some follow the example. Google and Microsoft have already presented some of their own measures to increase user security. Google, for example, defaulted accounts to use two-step verification and improved password security on Chrome 88, while Microsoft added a passwordless option for its accounts.

Permalink to story.

 

Uncle Al

Posts: 8,669   +7,574
When you look at things like the serial numbers on money, there is no reason they can't produce every product with a different password the same way or require the device to be registered at which time an arbitrary P/W be assigned.
 

m4a4

Posts: 2,848   +3,622
TechSpot Elite
I'm not currently seeing how this default password ban is terribly helpful.
First impression is that it would add a few extra steps (not good for the tech illiterate) that would end in a forgotten password, screwing over the IT guy that needs it down the line lol.

Or maybe they just generate a password sticker to put onto the device? But that's a more complex step for manufacturing. Which would still technically be a vulnerability...
 

wiyosaya

Posts: 7,485   +6,281
There is nothing wrong with default passwords, they're actually a useful troubleshooting tool. If security is important then change your password.
Agreed. I can see manufacturers providing default passwords per device, but what happens when you do a "factory reset"?

The bigger problem, at least as I see it, is stupid cannot be fixed, and if users keep using stupid passwords, that's the user's fault, not the maker of the device.
Bright bunch that lot.
I wish more of their intelligence would rub off on North America.
Stupid, hackable passwords no no country boundaries.
 

yRaz

Posts: 4,334   +4,971
Agreed. I can see manufacturers providing default passwords per device, but what happens when you do a "factory reset"?

The bigger problem, at least as I see it, is stupid cannot be fixed, and if users keep using stupid passwords, that's the user's fault, not the maker of the device.
Well for security vulnerabilities involving default passwords to exist on physical hardware then you either need to have physical access to the device or you need to have an already compromised device capable of remote code execution on the network.
 

p51d007

Posts: 3,096   +2,564
A lot of the office machines we sell, HAD a default password, 1111, WHICH the end user is suppose to change. You'd be surprised how many years later, still have 1111.
They changed it to the serial number of the machine as the "default". I wouldn't be surprised if some don't change it.
These are the same people that want printing from USB disabled, hard drives encrypted, MAC addressing only for their system, but, leave a default password.
 

nismo91

Posts: 1,199   +240
More than 10 years ago when you buy a wireless router, the moment you turn it on it will say something like: Linksys - Open Network (No Password).

ever since Wireless AC is introduced, I am yet to see any wireless router that act as an open network. They will have a default password that is labeled on the back of the router.

now for the configuration password, most new routers usually ask for one the moment you configure the wireless name. it's no longer admin/admin but admin/wifipassword

I'm not sure about IoT devices but people are lazy these days they won't even bother to read the label. most would rather press a button (something like WPS) which by itself is already a security threat anyway. imagine yourself buying 12 smart bulbs for your house and having to jot down every single password? not really a good idea considering those who installed these IoT devices aren't keen on network security anyway.

all these just to please some politicians... thinking that people won't use simple numerical password anyway.

 

ScottSoapbox

Posts: 291   +518
imagine yourself buying 12 smart bulbs for your house and having to jot down every single password?

The number of people that are both buying 12 smart bulbs and are also too stupid or lazy to use a strong password is pretty small so let's not base public policy on that.

It would be ridiculously simple for consumer electronics to both enforce a strong password (as most everything else does nowadays) and check an additional blacklist of the worst remaining passwords.

If entering a password is too high a bar for the customer then they can return the smart [light bulb] to the store and get a normal one. But seriously, the luddites somehow buy things online that require using strong passwords without the system collapsing in on itself.
 

Arbie

Posts: 363   +655
The expected comments from people who know the how and why of passwords, and who choose to ignore the monstrous botnets we're been plagued with for 20+ years because of the ignorance of the billions of weaker users. And btw if secure passwords had somehow been enforced from the beginning and this was an initiative to dumb that down, you'd be up in arms over that.

This resembles the virus / mask situation. I'm fine with mask rules even when I'm all vax'd up. The problem is bigger than me, and I'm not going to arrogantly impede a government that's trying to help.
 

yRaz

Posts: 4,334   +4,971
The expected comments from people who know the how and why of passwords, and who choose to ignore the monstrous botnets we're been plagued with for 20+ years because of the ignorance of the billions of weaker users. And btw if secure passwords had somehow been enforced from the beginning and this was an initiative to dumb that down, you'd be up in arms over that.

This resembles the virus / mask situation. I'm fine with mask rules even when I'm all vax'd up. The problem is bigger than me, and I'm not going to arrogantly impede a government that's trying to help.
Lazy developers are a bigger security risk than default passwords. Enjoy wearing your digital mask
 

Theinsanegamer

Posts: 3,317   +5,508
I'm not currently seeing how this default password ban is terribly helpful.
First impression is that it would add a few extra steps (not good for the tech illiterate) that would end in a forgotten password, screwing over the IT guy that needs it down the line lol.

Or maybe they just generate a password sticker to put onto the device? But that's a more complex step for manufacturing. Which would still technically be a vulnerability...
Not to mention the biggest issue: when you try to ban a phrase, a new one will take its place. You ban the use of password and password1? Now everyone uses 1password or password12 instead, because nobody is going to want to set up a 46 character hexidecimal code to service what is considered a "strong" password.

Governments should be going after the bad actors that hack into people's networks, and ISPs should be doing more to prevent remote attacks over their network. 99% of the time the router involved is theirs anyway, so they should have a system (in a perfect world) where only devices you approve are allowed to connect to it remotely anyway.

(and while they're at it, they should be doing more to prevent remote execution of foreign code anyway. Firmware updates should be able to be disabled unless over USB. This wouldnt be an issue on consumer hardware if it didnt have more holes then the titanic).
 

Arbie

Posts: 363   +655
So much opposition to an effort to make passwords more secure... This is the cost of elitism: better is the enemy of good.
 

p51d007

Posts: 3,096   +2,564
Maybe you shouldn't sell office machines which have a default password of 1111 in the first place...
Security breach No1
They changed it around July. Now they come with the machine serial number as the default. You wouldn't believe the number of *****s that want it changed back to the default. We turn on 256 bit encryption by default, they come with HDD's that are "tied" to the machine so if you plug them into something else, they are wiped, but, nothing like leaving the back door wide open with a "please enter" sign on it!
 

PinothyJ

Posts: 505   +44
I'm not currently seeing how this default password ban is terribly helpful.
First impression is that it would add a few extra steps (not good for the tech illiterate) that would end in a forgotten password, screwing over the IT guy that needs it down the line lol.

Or maybe they just generate a password sticker to put onto the device? But that's a more complex step for manufacturing. Which would still technically be a vulnerability...
How? Each product has a unique sticker that has a unique serial number on. How is a default password field underneath that a change in cost?
 

John Staerck

Posts: 18   +1
Just bought a new dishwasher. WTF do I want to connect it to my wi-fi just to play with the start/stop times and other settings. I can't get it to load or unload itself over wi-fi, which would be the only useful function for it to do other than cleaning the dishes.