The BBC has reported that default passwords such as “admin” and “password” will be illegal for electronics firms to use in California from 2020. The state has passed a law that sets higher security standards for net-connected devices made or sold in the region. It demands that each gadget be given a unique password when it is made. Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.
Please see below for commentary from several cybersecurity experts.
Amit Sethi, Senior Principal Consultant at Synopsys:
“This will certainly get connected device manufacturers to think about the problem of default passwords. But it is unlikely to make connected devices more secure.
The problem is that most organisations with good security programs have already addressed issues like this; organisations that do not have good security programs will probably not get the solution right.
An obvious problem is that uniqueness does not imply that it is difficult to guess. For example, using device serial numbers as passwords would likely be in compliance with the law, but would result in poor security.
Another issue is that the password uniqueness requirement only appears to apply to connected devices that are “equipped with a means for authentication outside a local area network.” This assumes that connected devices are deployed in completely trusted local area networks — this is rarely the case in real life.
Finally, default passwords are just one of many different ways in which devices get compromised. This does not address anything other than default passwords.”
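Sethi's point that uniqueness is not the same as unguessability, illustrated with an added example that is not code from the article or from any of the firms quoted: a provisioning check that rejects a serial-derived or default credential and issues a checked, per-device random one instead. The default list, thresholds and serial format are constructed placeholders.

```python
import math
import re
import secrets
import string

# Constructed placeholders, not taken from any real product or standard.
COMMON_DEFAULTS = {"admin", "password", "123456", "12345678", "root", "1234"}
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 60
ALPHABET = string.ascii_letters + string.digits

def _normalize(s: str) -> str:
    # Compare labels and passwords ignoring case and separators ("SN-001" ~ "sn001").
    return re.sub(r"[^0-9a-z]", "", s.lower())

def serial_derived_password(serial: str) -> str:
    """Unique per device, yet printed on the label: 'unique' but not hard to guess."""
    return serial

def random_device_password(length: int = 16) -> str:
    """Per-device secret drawn from the OS CSPRNG at provisioning time."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def estimated_entropy_bits(pw: str) -> float:
    """Rough upper bound from the character classes actually present."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0

def password_is_acceptable(pw: str, identifiers=()) -> bool:
    """Reject known defaults, short or low-entropy values, and label-derived values."""
    if pw.lower() in COMMON_DEFAULTS or len(pw) < MIN_LENGTH:
        return False
    pw_n = _normalize(pw)
    for ident in identifiers:
        id_n = _normalize(ident)
        if id_n and (id_n in pw_n or pw_n in id_n):
            return False
    return estimated_entropy_bits(pw) >= MIN_ENTROPY_BITS

def provision_batch(serials):
    """Issue one checked random credential per device; never reuse a value."""
    issued, seen = {}, set()
    for serial in serials:
        pw = random_device_password()
        while pw in seen or not password_is_acceptable(pw, (serial,)):
            pw = random_device_password()
        seen.add(pw)
        issued[serial] = pw
    return issued
```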
Bill Evans, senior director at One Identity:
“I think the law that the State of California is contemplating is a great first step, but it’s just a first step in a very long road to ensuring security around the globe. The challenge with the specific California law is that it doesn’t address the core issue that enterprises have, which is managing all the admin passwords in an automated fashion. While it’s great to implement legislation that requires each device to ship with a unique password, lazy admins will simply change them back to a standard set of credentials and render the solution moot. The underlying problem is, how does a large organisation administer dozens, hundreds or thousands of unique credentials?
A better approach would be one that does not mandate specific action. Rather, governments should use the levers at their disposal to incentivise enterprises to solve the problems in ways that meet their needs. An example would be tax incentives. Imagine a regulation that suggests that every dollar spent on a privileged management solution can be deducted from next year’s tax burden. Governments should use the “carrots” available to them, rather than the “sticks,” to incentivise enterprises to make the security investments that are best for them.”
Nabil Hannan, Managing Principal at Synopsys:
“As interesting as this is, it unfortunately doesn’t solve the problem. Just enforcing complex passwords solves the problem of attackers trying to use things like dictionary attacks or common password-based attacks to take over people’s accounts. This, however, doesn’t stop the problem of, say:
- A user’s password getting stolen through a vulnerability like SQL injection or through a phishing attack. Now the attacker can use the complex password and still get into the user’s account.
- A user maintaining the same complex password across all applications. If one application is breached due to a vulnerability such as SQL injection, where all user passwords are stolen, then the attacker can now use the same complex password to get into the user’s account across all applications.
Instead, a much better solution would be to enforce users having to use two-factor authentication by default. This way, even if their password is breached, attackers cannot log into the applications as that user since they wouldn’t have access to the second factor.”
Javvad Malik, Security Advocate at AlienVault:
“There are many challenges with internet-connected devices. Easy-to-guess default passwords have plagued many devices, but the issue is slightly more nuanced.
Not only should simple default passwords be avoided, but users should be forced to change the password on first use. Additionally, the UI should be intuitive so that changing a password is easy for customers.
Keeping the devices updated should also be a requirement, so that any patches or security fixes can be easily deployed.
Finally, many internet-connected devices are only usable when they are connected to the manufacturer’s cloud. If the manufacturer decides to stop support, or end-of-life a product, then often the customer is left with an unusable device. One option to combat this is that manufacturers place the device code in escrow, so that if the company stops supporting the devices, or ceases to exist, customers or a third party can manage the devices themselves.
There are probably other issues that will come to light in this regard over the years as more and more devices have internet capabilities built in; so regulation at this stage would seem premature, as it could force design changes that could introduce other unforeseen issues.”
Jake Moore, Cyber Security Expert at ESET UK:
“This is a massive step forward in security and it is great to see such a trailblazing effort to combat the prevention of accounts. Banning terrible and overused passwords is an excellent way to reinforce the message that the top ten most used passwords could soon be a thing of the past.
Admin and password are used so often straight out of the box for “ease of use”, but forcing the user by design to change the password adds a layer of better security from the start. The ongoing balancing act between convenience and security is always a delicate one, but acting on enforcement is sometimes the only way to make our internet a safer world.
But let’s not stop there. It will be great to see all accounts enforce two-factor authentication as compulsory soon too. Then that will really start to defend our accounts far better still.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.