Secplicity - Security Simplified

Powered by WatchGuard Technologies

California Bill Increases Default Password Security

October 11, 2018 By Trevor Collins

California has taken steps to increase the password security on new devices made after January 1, 2020. Senate Bill No. 327 forces manufacturers either to create a unique password for each device or to force the user to create a new password on their first login.

This only applies to devices that are accessible outside the local network, and the bill requires one of the following:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

Many websites provide the default credentials for devices, and hackers use this same information to quickly authenticate to devices when the administrator leaves the default as-is. The hope is that this bill would eliminate this easy attack vector. I would expect this to help prevent default passwords from being used, however it may not be enough. Forcing a home user to change their password without guidance often results in weak passwords. If the manufacturer creates good unique passwords for each device this would be better. But this still fails to use good security techniques. Having some form of 2-factor authentication (2FA) would be best. Implemented correctly, a weak password with 2FA would be far better than a strong password without 2FA. There was no mention of using 2FA in the bill.
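As an added example (not code from the article or from the bill), the following Python models the two compliant options side by side: a unique preprogrammed password per unit, or a shared default that cannot be used until it is replaced at first login. The `Device` class, the `password_problem` helper and the `COMMON_DEFAULTS` list are constructed for illustration; the strength check is the kind of guidance the paragraph above says a forced change needs.

```python
import hmac
import secrets
import string

# Constructed sample of well-known factory defaults; a real device would
# ship a much longer list drawn from published default-credential tables.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "default", "root"}


def password_problem(candidate, factory_password):
    """Return a reason string if the candidate is unacceptable, else None."""
    # Reusing the default defeats the whole point of the forced change.
    if hmac.compare_digest(candidate.encode(), factory_password.encode()):
        return "same-as-default"
    # Another vendor's default is just as easy to look up.
    if candidate.lower() in COMMON_DEFAULTS:
        return "common-default"
    if len(candidate) < 12:
        return "too-short"
    return None


class Device:
    """Models SB 327 option (1) (unique per-unit password) and option (2)
    (user must set a new credential before first access is granted).
    Passwords are kept in plain text only to keep the model short."""

    def __init__(self, unique_default=True):
        if unique_default:
            # Option (1): a random per-unit password, as printed on a label.
            alphabet = string.ascii_letters + string.digits
            self.password = "".join(secrets.choice(alphabet) for _ in range(16))
            self.must_change = False
        else:
            # Option (2): a shared default that is unusable until replaced.
            self.password = "admin"
            self.must_change = True
        self.factory_password = self.password

    def login(self, attempt, new_password=None):
        # Constant-time comparison so timing does not leak the password.
        if not hmac.compare_digest(attempt.encode(), self.password.encode()):
            return "denied"
        if self.must_change:
            if new_password is None:
                return "change-required"  # no access yet, only enrollment
            problem = password_problem(new_password, self.factory_password)
            if problem:
                return problem
            self.password = new_password
            self.must_change = False
            return "password-set"
        return "ok"
```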

The bill also requires “appropriate” security of the device for the information that is collected. This is ambiguous, with many definitions of what is “appropriate”. Hopefully the manufacturer will require strong passwords and good encryption. Also, educating the customer in good security practices would go a long way toward keeping customers safe.

The bill doesn’t cover firmware updates. If there is an easy exploit in the firmware, this is just as bad as default passwords. Exploits in firmware are often slow to be patched because of the time it takes to release the patch, as well as the customer not being familiar with the device or with updating it. One-click firmware upgrades and update reminders on the device would help more devices to be updated quicker. Some firmware updates are hidden under multiple “advanced” options, or the update requires additional hardware such as a USB drive. This makes it difficult for the customer, delaying the patch.

The bill seems to be a response to the VPNFilter attack, where over 500,000 home routers were compromised with malware through the use of default passwords and exploits. The bill may not prevent many attacks, but with a bit of effort from the manufacturer and customers, some attacks may be prevented.

Filed Under: Editorial Articles Tagged With: Infosec news
