The BBC has reported that default passwords such as “admin” and “password” will be illegal for electronics firms to use in California from 2020. The state has passed a law that sets higher security standards for net-connected devices made or sold in the region. It demands that each gadget be given a unique password when it is made. Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.
Please see below for commentary from several cybersecurity experts.
Amit Sethi, Senior Principal Consultant at Synopsys:
“The problem is that most organisations with good security programs have already addressed issues like this; organisations that do not have good security programs will probably not get the solution right.
An obvious problem is that uniqueness does not imply that it is difficult to guess. For example, using device serial numbers as passwords would likely be in compliance with the law, but would result in poor security.
Another issue is that the password uniqueness requirement only appears to apply to connected devices that are “equipped with a means for authentication outside a local area network.” This assumes that connected devices are deployed in completely trusted local area networks — this is rarely the case in real life.
Finally, default passwords are just one of many different ways in which devices get compromised. This does not address anything other than default passwords.”
Bill Evans, senior director at One Identity:
“A better approach would be one that does not mandate specific action. Rather, governments should use the levers at their disposal to incentivise enterprises to solve the problems in ways that meet their needs. An example would be tax incentives. Imagine a regulation that suggests that every dollar spent on a privileged management solution can be deducted from next year’s tax burden. Governments should use the “carrots” available to them, rather than the “sticks,” to incentivise enterprises to make the security investments that are best for them.”
Nabil Hannan, Managing Principal at Synopsys:
- A user’s password getting stolen through a vulnerability like SQL injection or through a phishing attack. Now the attacker can use the complex password and still get into the user’s account.
- A user maintaining the same complex password across all applications. If one application is breached due to a vulnerability such as SQL injection, where all user passwords are stolen, then the attacker can now use the same complex password to get into the user’s account across all applications.
Instead, a much better solution would be to enforce users having to use two-factor authentication by default. This way, even if their password is breached, attackers cannot log into the applications as that user since they wouldn’t have access to the second factor.”
Javvad Malik, Security Advocate at AlienVault:
“Not only should simple default passwords be avoided, but users should be forced to change the password on first use. Additionally, the UI should be intuitive so that changing a password is easy for customers.
Keeping the devices updated should also be a requirement, so that any patches or security fixes can be easily deployed.
Finally, many internet-connected devices are only usable when they are connected to the manufacturer’s cloud. If the manufacturer decides to stop support, or end-of-life a product, then often the customer is left with an unusable device. One option to combat this is that manufacturers place the device code in escrow, so that if the company stops supporting the devices, or ceases to exist – customers, or a third party, can manage the devices themselves.
There are probably other issues that will come to light in this regard over the years as more and more devices have internet-capabilities built in; so regulation at this stage would seem premature, as it could force design changes that could introduce other unforeseen issues.”
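The two points made above, that a per-device password must be unguessable as well as unique (Amit Sethi's serial-number example) and that the factory default should only be usable to set a new password on first use (Javvad Malik's point), can be shown together in code. The following is an added example written for this page; it is not code from any of the quoted contributors or from any device vendor. The `Device` class, its provisioning and login flow, the serial-number format, the deny list of common defaults and the PBKDF2 parameters are all assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Constructed deny list of the kind of out-of-the-box credentials the article mentions.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root", "default"}
ALPHABET = string.ascii_letters + string.digits
DEFAULT_LEN = 16          # 16 symbols from a 62-symbol alphabet is roughly 95 bits of entropy
PBKDF2_ROUNDS = 100_000   # assumed work factor; tune for the device's CPU


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2-HMAC-SHA256 hash on the device, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def serial_derived_password(serial: str) -> str:
    """WEAK: unique per device, as the law demands, yet guessable by anyone who can
    read the label or enumerate the serial-number space."""
    return serial


def generate_unique_password() -> str:
    """STRONG: drawn from the OS CSPRNG at manufacturing time, one per device."""
    return "".join(secrets.choice(ALPHABET) for _ in range(DEFAULT_LEN))


def is_weak(candidate: str, serial: str) -> bool:
    """Reject candidates that are common defaults, too short, or derived from the
    device's public serial number (in either direction)."""
    c, s = candidate.lower(), serial.lower()
    return len(candidate) < 12 or c in COMMON_DEFAULTS or s in c or c in s


@dataclass
class Device:
    serial: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True   # set at the factory; cleared only by a successful change

    @classmethod
    def provision(cls, serial: str) -> tuple[Device, str]:
        """Factory step: mint a unique random default and return it for the label/QR."""
        while True:
            pw = generate_unique_password()
            if not is_weak(pw, serial):
                break
        salt = secrets.token_bytes(16)
        return cls(serial, salt, hash_password(pw, salt)), pw

    def _check(self, password: str) -> bool:
        # Constant-time comparison of the stored and freshly computed hashes.
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def login(self, password: str) -> str:
        """Return 'denied', 'change_required' (no session granted) or 'ok'."""
        if not self._check(password):
            return "denied"
        if self.must_change:
            return "change_required"
        return "ok"

    def change_password(self, current: str, new: str) -> bool:
        """The only path that clears must_change; refuses weak, serial-based or unchanged passwords."""
        if not self._check(current) or new == current or is_weak(new, self.serial):
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new, self.salt)
        self.must_change = False
        return True


def first_boot_demo() -> list[str]:
    """Walk the first-use flow for one constructed device (serial number is made up)."""
    device, factory_pw = Device.provision("SN-2019-000123")
    steps = [
        device.login("admin"),                                            # denied
        device.login(factory_pw),                                         # change_required
        str(device.change_password(factory_pw, "SN-2019-000123x")),       # False: serial-based
        str(device.change_password(factory_pw, "correct-horse-battery")), # True
        device.login(factory_pw),                                         # denied: default retired
        device.login("correct-horse-battery"),                            # ok
    ]
    return steps


if __name__ == "__main__":
    print(first_boot_demo())
```

Two design points worth noting. The factory default is only ever accepted by `login` as a ticket to `change_password`; no session is granted until `must_change` is cleared, which is the "forced change on first use" behaviour rather than a nag screen. And `is_weak` rejects a new password that contains, or is contained in, the serial number, so a vendor cannot satisfy the uniqueness requirement by printing the serial on the label and calling it a password.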
Jake Moore, Cyber Security Expert at ESET UK:
“‘Admin’ and ‘password’ are used so often straight out of the box for “ease of use”, but forcing the user by design to change the password adds a layer of better security from the start. The ongoing balancing act between convenience and security is always a delicate one, but acting on enforcement is sometimes the only way to make our internet a safer world.
But let’s not stop there. It will be great to see all accounts enforce two factor authentication as compulsory soon too. Then that will really start to defend our accounts far better still.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.