California Is Making It Illegal for Devices to Have Shitty Default Passwords

The law only applies to passwords that come pre-programmed into devices, but it’s still a step in the right direction.

A new California law will require, by 2020, unique, secure passwords for all devices sold in the state that ship with pre-programmed passwords. The law sets out a number of requirements aimed at ensuring that all new internet-connected devices sold in the state are equipped with “reasonable security features.” It was passed by the state legislature in August and signed into law by Governor Jerry Brown last week.


“The lack of basic security features on internet connected devices undermines the privacy and security of California’s consumers, and allows hackers to turn everyday consumer electronics against us,” state senator Hannah-Beth Jackson, who authored the bill, said in a press release. “This bill ensures that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process.”

As the internet of things grows, more and more everyday home items are connected to the internet, from microwaves to baby monitors. And as soon as a device is connected to the web, it becomes vulnerable to hacking. Many of these devices have lackluster security (or no security at all), banking instead on the expectation that your average hacker isn’t interested in messing with some random family’s microwave or fridge. But there have been many reports of average Americans having their IoT devices hacked, and in 2016, hackers leveraged millions of insecure, internet-connected devices to create the largest botnet in history. As the number of IoT devices we have in our homes increases, so does our risk of attack.

There are things you can do to better protect yourself, but a lot of people are either unaware of them or don’t bother. A recent survey by the website Broadband Genie found that 82 percent of respondents had never changed the default password on their home router. Often, the default password is the same on every device a manufacturer ships, which makes it even less secure than your average crappy password.

Under the new law, all new internet-connected devices made or sold in California with a default password will be required to make that password unique and secure for every single device. That means no more devices shipped with username/password combos of “admin/admin,” for example. It’s far from a panacea—and really, why aren’t you using a password manager already—but it’s a step towards at least a minimal baseline of security in our internet-of-things-addled future.
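As an added illustration (not from the article or from the text of the law), here is a constructed factory-provisioning routine that gives each device its own randomly generated password, stores only a salted hash of it, and audits a batch for the two failure modes the article describes: one password shared across every unit, and a well-known default such as admin/admin. The serial numbers, iteration count and default list are constructed sample data.

```python
import hashlib
import os
import secrets
import string

# Constructed sample of the shared factory defaults the law rules out.
SHARED_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                   ("root", "root"), ("admin", "1234")}
ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def generate_device_password(length=16):
    """Draw a fresh per-device password from the OS CSPRNG (~95 bits at length 16)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Store only a salted PBKDF2-HMAC-SHA256 hash, never the plaintext, on the device."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return secrets.compare_digest(candidate.hex(), digest_hex)


def provision_batch(serials):
    """Assign every serial its own credential: {serial: (password, stored_hash)}."""
    batch = {}
    for serial in serials:
        password = generate_device_password()
        batch[serial] = (password, hash_password(password))
    return batch


def audit_batch(batch, username="admin"):
    """Report the two properties the law requires: unique per device, not a shared default."""
    passwords = [password for password, _ in batch.values()]
    problems = []
    if len(set(passwords)) != len(passwords):
        problems.append("password reused across devices")
    for serial, (password, _) in batch.items():
        if (username, password) in SHARED_DEFAULTS:
            problems.append(f"{serial}: shared factory default")
    return problems
```

The audit returns an empty list for a compliant batch; a legacy batch where every unit ships as admin/admin triggers both findings.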