California Bans Weak Login Credentials

AlphaAtlas

California Governor Jerry Brown recently signed the "Security of Connected Devices" bill into law. Among other things, the bill forces any internet-facing devices to use reasonable security measures, and explicitly prohibits weak default login credentials like "password" as a password. "admin" was allegedly the username and password for one of Equifax's systems prior to the data breach, and many other commercial systems suffer from the same issue.

The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features. This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time. The bill also allows customers who suffer harm when a company ignores the law to sue for damages.
 
Punishing companies for customers who don't have common sense is all I'm getting from this.

However, the parts about devices requiring the user to make a password when first used is a good idea.

The whole "factory unique password" will never work. You would literally be screwed if you lost the paperwork or the sticker came off of the unit that had the factory password on it.
 
Despite being government and all, it's a step in the right direction.

Punishing companies for customers who don't have common sense is all I'm getting from this.

Masterlock figured it out decades ago.

[image: MasterLock2.jpg]
 
What?? Gasp!?!?! Are they saying that we shouldn't use PASSWORD on our ADMIN accounts???
 
How about instead of banning weak credentials you simply hold companies financially responsible for the restitution required to clean up your loss of info, which includes a lifetime of data monitoring at a company of YOUR choosing.

Because quite frankly if someone "hacks" my "weak" credentials for my water bill and pays it for me I really don't mind and would prefer that to a 12 character minimum password that contains at least 3 numbers, 2 symbols, and a mixture of capital and lower case letters ... that needs to be changed every 6 months... and it can't be a password that was used in the past 4 years.
 
What if I use passwordpassword and adminadmin, no one would guess, right!?

I use basic(ish) passwords for non important stuff like gaming, and varied pass-phrases for the rest.
 
I get the concern for weak passwords but I am more concerned about people who use the same password EVERYWHERE. One leak and no matter how good the password, you're screwed. If you have a lame password but it's different on every site, at least you don't have to worry about one leak totally sinking every account.
 
Punishing companies for customers who don't have common sense is all I'm getting from this.

Yup.
California is quite the nanny state.. occasionally they do things right (even a blind squirrel finds a nut now and then) but usually it's this sort of stupidity.

..... I WILL however say that I DO like the part about forcing companies to actually be accountable in a situation where a breach happens and they're doing something stupid like using "12345" as a password for a critical system.
 
The whole "factory unique password" will never work. You would literally be screwed if you lost the paperwork or the sticker came off of the unit that had the factory password on it.


Hasn't been an issue for things like HP servers and their iLO passwords and such. There are also routers that have a unique factory default password.

But I do agree it should not be on an easily removable sticker.
 
I wonder what this will mean for the medical industry. There are so many places where passwords are weak at best (some don't have any) and one could potentially access patient info... HIPAA doesn't care because they'd rather let someone fuck up and then drag them through the coals rather than being diligent in ensuring everyone regularly meets or exceeds requirements.
 
Has Californistan banned them from using "nimda"? How about "admin1"? Etc.
 
I get the concern for weak passwords but I am more concerned about people who use the same password EVERYWHERE. One leak and no matter how good the password, you're screwed. If you have a lame password but it's different on every site, at least you don't have to worry about one leak totally sinking every account.

Some of us like the danger, okay?
 
Please enter your password.

(Password must contain three symbols, four uppercase letters, nine lowercase letters, and fourteen numbers that when added together and divided by 3.14 equal the number six. Oh, and click each picture that has a car in it or a storefront where the address or license plate has prime numbers.)

Please enter your password again, but backwards and inverting the uppercase and lowercase letters.

Would you like Chrome to save your password?
 
I get the concern for weak passwords but I am more concerned about people who use the same password EVERYWHERE. One leak and no matter how good the password, you're screwed. If you have a lame password but it's different on every site, at least you don't have to worry about one leak totally sinking every account.

Ding ding. Password reuse is as large a problem as weak passwords, if not more so, given how easy it is to find websites where you can redirect the "I Forgot my Password" to any arbitrary email address. From there, it's trivial to tie an email to a default password.

Personally, I think that instead of every website each having to deal with user credentials, it should instead be handled via hardware (or at least at the OS level). If you do this ONCE you cut down the possibilities of info leaking.
 
However, the parts about devices requiring the user to make a password when first used is a good idea.

The whole "factory unique password" will never work. You would literally be screwed if you lost the paperwork or the sticker came off of the unit that had the factory password on it.

You missed the point. While the ideal is that the end user changes the user/password themselves, default passwords shouldn't be trivial to crack. If the user doesn't change the factory default and loses the documentation, well, sucks to be them.
 
Funny that they use Equifax as an example. I mean, Joe Sixpack and Sally Sundress may occasionally run with default passwords on their home equipment, but those tools at Equifax were supposedly IT professionals who screwed up in more ways than just weak passwords.
 
They are just doing this because they are tired of picking up kiddies for "hacking"... It's seriously a big scene when they come to get you. The FBI show up along with Homeland Security and SWAT teams to boot... you would think you were the next Bin Laden with that kind of heat showing up at your door... but no, you are just some 19 year old kid that figured out Apple's backup servers are using "username" and "admin" for the login credentials. It's a more frequent occurrence than one would think, it's just not widely publicized. I only say this because I watched a raid on some kiddies in my small town in the middle of nowhere... apparently they were involved with hacking Apple, but I never heard anything after that. My guess is they were offered a squelch bargain... shut up about this and we won't prosecute you. They were back in their home a few days later.

So now instead of going apeshit on the hacker, they can go apeshit on the companies screaming "WE'VE BEEN HACKED ZOMG ARREST THEM!" when they have essentially left the door to the candy shop wide open after closing time. Criminal negligence is a crime, and one that many tech companies have been evading for years now because there is no law in place to hold these companies accountable for crappy security. Taxpayers foot the million dollar bill to arrest and prosecute these "hackers" who are simply walking through an unlocked door, when the company themselves could have paid some random bum $5 to think of a new password for them.

But none of this matters if CA's new net neutrality bill gets shot down; it's the only reason they are pumping out legislation left and right. Part of me feels like it won't, because these laws are being pushed by the same tech companies. It works like this: an established business can afford to pay fees and fines, start-ups cannot, and are usually crushed before they ever hit the mainstream because of legal issues. Which requires you to have a financial backer in order to create a start-up, which usually means you are not in complete control of your company and you are always beholden to your backers. So if you want to be an entrepreneur, you basically have to deal with the devil if you want to do business at all. It eliminates competition before it ever gets going, or it ensures you have a way to buy out your competition. Either way, you win.

More fines and legality issues are perfectly fine with large businesses, and in fact are usually pushed by the same large businesses that claim they are suffering from this legislation... when they are not. Take tobacco companies for example. They are "forced" to spend millions on anti-smoking campaigns and other funds and fees, yet they still rake in billions every year and it's pretty much been the same 2 or 3 manufacturers producing for the last 50 years. Same with the beer and alcohol industry, but those laws have been becoming more lenient towards boutique brewers. This in turn has actually allowed CA to have a flourishing craft alcohol market, which I am thoroughly thankful for as most of the small scale stuff is leagues better than the mass produced piss and concrete cleaner the masses consume.

In the end, it is only the little people that can't keep up with legislation that get hurt unless provisions are made to protect them as well. Even whales require smaller organisms to stay alive, and when those organisms are gone, so are the whales.

/end rant and insert shameless plug for Tito's Craft Vodka... truly the Devil's Water...
 
This is one of those laws necessary to deter unscrupulous companies making cheap internet devices from trying to boost sales and cut post sale support at the cost of the rest of us on the internet.

I agree it sucks that we need government to mandate common sense for the bad actors ruining the internet by being cheap and/or lazy.
 
You missed the point. While the ideal is that the end user changes the user/password themselves, default passwords shouldn't be trivial to crack. If the user doesn't change the factory default and loses the documentation, well, sucks to be them.

No, I didn't miss the point.

Default passwords should be available, but the equipment should also require a password change before first use.

If the password must be changed, then the default password will never be used except for initial setup.

A unique default password for every single device would be a nightmare logistically and would drive up costs quite a bit. And it is NOT NEEDED if the password must be changed on first use.

Here is the minimum that would be required during manufacturing for every device to have a different default password:

1. The sticker for each device would have to be unique
a. Each device would have to be tied to a sticker for that specific device.
b. You would have to have the machine printing the stickers be synced to the machine writing the EEPROM, to the machine assembling the device, and to the machine placing the stickers.
c. To try to prevent a large number of devices from being sent out with the wrong sticker (unrecoverable password), you would also have to have matching serial numbers and barcodes on the EEPROM and the device and the documentation.
d. Every single device and case for that device would have to be scanned to make sure they match up before they are assembled.
e. In case of a mis-scan or systems out of sync, you would have to either manually or somehow automate the double checking of the unique password to make sure that the unique password works for each device before it is sent out.
f. In case of needed repair or rework, everything would have to be matched up again. You would also need a stand-alone sticker printer, EEPROM programmer, and verification process as well as new documentation to be included with every single repaired unit. Might as well just throw them in the trash at that point because unless it is super-high dollar equipment it is not even feasible economically to repair defective units.
g. In the packaging process, you would have to rescan the device and the documentation to make sure the stickers on them match.

What happens if one of the machines goes out of sync or you have a tired person working a line that accidentally puts the wrong documentation in with a device?
What about rework? The documentation would have to follow that device around and not get dirty or damaged... very highly unlikely in rework/repair situations.
What if the sticker gets worn or comes off? What if the documentation is no longer around? You just throw the unit out because it has a unique default password?

Basically, a unique default password system is NEVER going to work.

However, a much, much, much, much, much, much simpler and cheaper way to do things is to require a password change on first use. Simple, easy, and very effective.

Why would anybody go to the hassle of setting up a system to implement unique default passwords? It logically makes no sense whatsoever.
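The "require a password change on first use" design argued for above, as an added example; this is illustrative code written for this thread, not firmware from any vendor. The class, method names, the factory default `admin` and the small weak-password blocklist are all constructed for the example. The device accepts the printed default only to reach a set-password step; every other administrative call is refused until a user-chosen password (that is not on the blocklist and not the default) has been stored.

```python
# Added example (not code from the thread or from any vendor): a minimal
# model of a device that ships with a printed default password but will
# not perform any administrative action until that password has been
# replaced. Names and sample credentials are constructed for illustration.
import hashlib
import hmac
import secrets

# Constructed factory default; a real unit could print a per-device value.
FACTORY_DEFAULT = "admin"

# Small blocklist standing in for the trivially guessable defaults the
# bill prohibits (illustrative, not a complete list).
WEAK_PASSWORDS = {"password", "admin", "12345", "123456", "default"}


class NotPermitted(Exception):
    """Raised when credentials are wrong or first-use setup is not done."""


class Device:
    def __init__(self, default_password=FACTORY_DEFAULT):
        self._salt = secrets.token_bytes(16)
        self._hash = self._digest(default_password)
        self.must_change = True        # factory state: setup pending

    def _digest(self, password):
        # Salted, iterated hash so the stored value is not the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify(self, password):
        return hmac.compare_digest(self._hash, self._digest(password))

    def login(self, password):
        """Authenticate; the session is setup-only until the default is replaced."""
        if not self._verify(password):
            raise NotPermitted("bad credentials")
        return {"setup_only": self.must_change}

    def set_password(self, current, new):
        """The one action allowed in factory state. Rejects weak, short or
        unchanged values so the user cannot simply re-enter the default."""
        if not self._verify(current):
            raise NotPermitted("bad credentials")
        if new == current or len(new) < 8 or new.lower() in WEAK_PASSWORDS:
            raise ValueError("new password rejected: weak or unchanged")
        self._salt = secrets.token_bytes(16)
        self._hash = self._digest(new)
        self.must_change = False

    def admin_action(self, password, action):
        """Any other administrative function: refused while must_change is set."""
        session = self.login(password)
        if session["setup_only"]:
            raise NotPermitted("set a password before using the device")
        return "ok: " + action


def first_boot_walkthrough():
    """Drive a fresh unit through the expected sequence and record each outcome."""
    dev = Device()
    steps = {}
    steps["default_login_is_setup_only"] = dev.login(FACTORY_DEFAULT)["setup_only"]
    try:
        dev.admin_action(FACTORY_DEFAULT, "enable_remote_admin")
        steps["action_before_setup"] = "allowed"
    except NotPermitted:
        steps["action_before_setup"] = "refused"
    try:
        dev.set_password(FACTORY_DEFAULT, "password")
        steps["weak_new_password"] = "accepted"
    except ValueError:
        steps["weak_new_password"] = "rejected"
    dev.set_password(FACTORY_DEFAULT, "correct horse battery staple")
    steps["action_after_setup"] = dev.admin_action(
        "correct horse battery staple", "enable_remote_admin")
    try:
        dev.login(FACTORY_DEFAULT)
        steps["default_after_setup"] = "still works"
    except NotPermitted:
        steps["default_after_setup"] = "no longer works"
    return steps


if __name__ == "__main__":
    for step, outcome in first_boot_walkthrough().items():
        print(f"{step}: {outcome}")
```

The point of the `must_change` flag is that the default credential never becomes a usable login: whether the factory value is "admin" or a per-unit random string, it only opens the set-password step, so a lost sticker costs the owner a factory reset rather than the device, and a skipped setup leaves nothing exposed.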
 
Yup.
California is quite the nanny state.. occasionally they do things right (even a blind squirrel finds a nut now and then) but usually it's this sort of stupidity.

..... I WILL however say that I DO like the part about forcing companies to actually be accountable in a situation where a breach happens and they're doing something stupid like using "12345" as a password for a critical system.
I was born there. I lived there most of my life. California never does anything right.

It's this slippery slope of regulations that eventually leads to things like Venezuela where citizens now have the "freedom" to remain in the country - forever!
https://www.yahoo.com/news/venezuela-seals-border-colombia-fight-smuggling-065517294.html
Let people make their own mistakes.
 
Punishing companies for customers who don't have common sense is all I'm getting from this.
No, it punishes companies that have devices with bad defaults. That used to be the norm for routers, but my Netgear came with what I believe was a random password (AFAIK the user name is hardwired to admin).

I obviously changed it, but it's better to have something random than default to something like "password," especially as we have more of these IoT devices. I'd also argue that routers should all default to not allowing admin access from the internet. If the person wants that, make them turn it on. Although I have at times had routers that were accessible, at this point, I only turn it on if I think I'm going to need it while I'm away from home (which is very rare).

How about instead of banning weak credentials you simply hold companies financially responsible for the restitution required to clean up your loss of info, which includes a lifetime of data monitoring at a company of YOUR choosing.

Because quite frankly if someone "hacks" my "weak" credentials for my water bill and pays it for me I really don't mind and would prefer that to a 12 character minimum password that contains at least 3 numbers, 2 symbols, and a mixture of capital and lower case letters ... that needs to be changed every 6 months... and it can't be a password that was used in the past 4 years.
Ideally it shouldn't happen, but when you have a huge network, it's possible something slips by. There's really no reason the MFG can't give each router or IoT device a random PW (and a sticker on the device listing that PW and possibly username). This isn't a terribly expensive thing to do. If Netgear can do it with a consumer router, Cisco can do it with their commercial routers (and for all I know they do). At that point, if the company has "password" everyone will know the company that bought it purposely set it up with a weak password.
 
Read the title as:

California Bans Login Credentials

And thought. Finally. Everybody out of the FB pool. Closing in 5 minutes.

Then realized they were banning weak logins only. But, it's a slippery slope. First they come for the weak, then they finish off the strong. That's why I'm never logging out of [H].


 
The law also requires you to have at least one woman's name in the password or you are fined $100,000 and you are not allowed to vote.
 
What?? Gasp!?!?! Are they saying that we shouldn't use PASSWORD on our ADMIN accounts???

How am I supposed to remember my domain admin account when I need it for an emergency like a password reset if I have to make it so complicated?
 
How am I supposed to remember my domain admin account when I need it for an emergency like a password reset if I have to make it so complicated?
Just write it on a Post-It and stick it on your monitor like every good admin!
 
How am I supposed to remember my domain admin account when I need it for an emergency like a password reset if I have to make it so complicated?

I just retired from the banking industry with over 35 years working for various transaction authorization and fraud departments. All the banks (and CC companies) I worked for had a very STRICT rule for passwords. They all had to have at least one upper case, one lower case, a number (or so) and SOME special characters. They HAD TO CHANGE every 30 (or 31) days. They could NOT repeat for at least 12 months. So, IF I was still working, my password for this month would be Oct2018@$ - So - there 'ya go. All bases covered, and it NEVER repeats - ever. I could tell you what my password would be 20 years from now, and also what it was 20 years ago. Our IT department guys (and gals) used almost the same scheme.
 
However, the parts about devices requiring the user to make a password when first used is a good idea.

The whole "factory unique password" will never work. You would literally be screwed if you lost the paperwork or the sticker came off of the unit that had the factory password on it.

That explains why it seems to be the norm on wi-fi routers for a few years now. I never considered that the change was impossible and I was hallucinating.
 
I just retired from the banking industry with over 35 years working for various transaction authorization and fraud departments. All the banks (and CC companies) I worked for had a very STRICT rule for passwords. They all had to have at least one upper case, one lower case, a number (or so) and SOME special characters. They HAD TO CHANGE every 30 (or 31) days. They could NOT repeat for at least 12 months. So, IF I was still working, my password for this month would be Oct2018@$ - So - there 'ya go. All bases covered, and it NEVER repeats - ever. I could tell you what my password would be 20 years from now, and also what it was 20 years ago. Our IT department guys (and gals) used almost the same scheme.

The irony is that password is still easy to crack; entropy matters far more than using different character sets.

[image: password_strength.png]
 
The irony is that password is still easy to crack; entropy matters far more than using different character sets.

My typical password is 170-250 bits using as large a character set as the program will allow (which is sometimes shockingly small). Random PW generator FTW. Of course nothing works if you're limited to 12 or 13 characters and a relatively small character set. I'm often surprised that PWs can't take any character around, including unreadable chars.
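The entropy argument made in the last few posts, worked through as an added example (illustrative code written for this thread, not from any poster or tool): it puts numbers on the `Oct2018@$`-style monthly scheme, on what a character-class rule credits that same string with, and on the random-generator approach, and it generalizes from the one string quoted to any pattern of the same shape. The year range, the symbol set the rule accepts and the diceware list size are assumptions made here.

```python
# Added example (not code from the thread): estimating how much guessing an
# attacker needs against the month-based rotation scheme quoted above, versus
# what a composition-rule checker "sees", versus a randomly generated
# password. Year range, symbol set and word-list size are assumptions.
import math
import secrets
import string

SYMBOLS = "!@#$%^&*"                                   # assumed accepted symbols
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 70 characters
DICEWARE_WORDS = 7776                                  # standard diceware list size


def pattern_entropy_bits(years=30, symbol_slots=2, symbols=len(SYMBOLS)):
    """Guess space of '<Mon><YYYY><symbols>' once the pattern is known:
    12 months * plausible years * symbols ** slots."""
    return math.log2(12 * years * symbols ** symbol_slots)


def composition_entropy_bits(password):
    """What a 'mixed character classes' rule credits: length * log2 of the
    union of character classes present. It ignores structure entirely."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)                # 32 ASCII symbols
    return len(password) * math.log2(size)


def random_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` over `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words, dictionary=DICEWARE_WORDS):
    """Entropy of `words` words drawn uniformly from a list of `dictionary` size."""
    return words * math.log2(dictionary)


def random_password(min_bits, alphabet=ALPHABET):
    """Generate a password carrying at least `min_bits` of entropy, drawing
    from the CSPRNG in `secrets` rather than the `random` module."""
    length = math.ceil(min_bits / math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(sample="Oct2018@$"):
    """Side-by-side bit counts for the quoted scheme and the alternatives."""
    return {
        "rule_credits_bits": round(composition_entropy_bits(sample), 1),
        "pattern_known_bits": round(pattern_entropy_bits(), 1),
        "four_diceware_words_bits": round(passphrase_entropy_bits(4), 1),
        "random_28_of_70_bits": round(random_entropy_bits(28, 70), 1),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:>26}: {bits}")
    print("generated:", random_password(170))
```

The gap between `rule_credits_bits` (about 59 for a nine-character string with all four classes) and `pattern_known_bits` (about 14.5, a few tens of thousands of guesses) is the irony the post above points at: the rule measures character classes, the attacker enumerates the pattern. Four random diceware words land near 52 bits with no symbols at all, and 28 characters from a 70-character alphabet give the 170-bit range the last poster describes.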
 
Actually not a bad idea although I think most companies were already forcing people to create new passwords the first time.
 