California Bans Weak Login Credentials

Discussion in 'HardForum Tech News' started by AlphaAtlas, Oct 5, 2018.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,713
    Joined:
    Mar 3, 2018
    California Governor Jerry Brown recently signed the "Security of Connected Devices" bill into law. Among other things, the bill forces any internet-facing devices to use reasonable security measures, and explicitly prohibits weak default login credentials like "password" as a password. "admin" was allegedly the username and password for one of Equifax's systems prior to the data breach, and many other commercial systems suffer from the same issue.

    The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features. This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time. The bill also allows customers who suffer harm when a company ignores the law to sue for damages.
     
  2. cvinh

    cvinh [H]ard|Gawd

    Messages:
    1,652
    Joined:
    Sep 4, 2009
    Punishing companies for customers who don't have common sense is all I'm getting from this.
     
  3. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,044
    Joined:
    Aug 16, 2004
    However, the parts about devices requiring the user to make a password when first used is a good idea.

    The whole "factory unique password" will never work. You would literally be screwed if you lost the paperwork or the sticker came off of the unit that had the factory password on it.
     
    Armenius and tunatime like this.
  4. Disco_Stu_04

    Disco_Stu_04 Limp Gawd

    Messages:
    427
    Joined:
    Aug 18, 2003
    Despite being government and all, it's a step in the right direction.

    Masterlock figured it out decades ago.

    [attached image: MasterLock2.jpg]
     
    Last edited: Oct 5, 2018
    Armenius, PaulP and dugn like this.
  5. JosiahBradley

    JosiahBradley [H]ard|Gawd

    Messages:
    1,724
    Joined:
    Mar 19, 2006
    While I applaud the endeavor, good luck enforcing it.
     
  6. Exercate

    Exercate Limp Gawd

    Messages:
    199
    Joined:
    Aug 25, 2015
    What?? Gasp!?!?! Are they saying that we shouldn't use PASSWORD on our ADMIN accounts???
     
  7. sfsuphysics

    sfsuphysics I don't get it

    Messages:
    13,692
    Joined:
    Jan 14, 2007
    How about instead of banning weak credentials you simply hold companies financially responsible for the restitution required to clean up your loss of info, which includes a lifetime of data monitoring at a company of YOUR choosing.

    Because quite frankly if someone "hacks" my "weak" credentials for my water bill and pays it for me I really don't mind and would prefer that to a 12 character minimum password that contains at least 3 numbers, 2 symbols, and a mixture of capital and lower case letters ... that needs to be changed every 6 months... and it can't be a password that was used in the past 4 years.
     
    Armenius, Paul_Johnson, PaulP and 2 others like this.
  8. The Mad Atheist

    The Mad Atheist Gawd

    Messages:
    925
    Joined:
    Mar 9, 2018
    What if I use passwordpassword and adminadmin, no one would guess, right!?

    I use basic(ish) passwords for non important stuff like gaming, and varied pass-phrases for the rest.
     
  9. dvsman

    dvsman 2[H]4U

    Messages:
    2,734
    Joined:
    Dec 2, 2009
    I get the concern for weak passwords but I am more concerned about people who use the same password EVERYWHERE. One leak and no matter how good the password, you're screwed. If you have a lame password but it's different on every site, at least you don't have to worry about one leak totally sinking every account.
     
    Armenius and The Mad Atheist like this.
  10. RealBeast

    RealBeast Gawd

    Messages:
    648
    Joined:
    Aug 4, 2010
    Nope, go with something strong, like Password1. o_O
     
  11. mkrohn

    mkrohn 2[H]4U

    Messages:
    2,330
    Joined:
    Apr 30, 2012
    Just change the admin username to root and you're instantly safer, right?
     
  12. harbingerofdoom

    harbingerofdoom Gawd

    Messages:
    774
    Joined:
    Apr 17, 2007
    yup.
    California is quite the nanny state. Occasionally they do things right (even a blind squirrel finds a nut now and then), but usually it's this sort of stupidity.

    ... I WILL, however, say that I DO like the part about forcing companies to actually be accountable in a situation where a breach happens and they're doing something stupid like using "12345" as a password for a critical system.
     
  13. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,987
    Joined:
    Nov 15, 2016

    Hasn't been an issue for things like HP servers and their iLO passwords and such. There are also routers that have a unique factory default password.

    But I do agree it should not be on an easily removable sticker.
     
  14. Jehuty

    Jehuty Limp Gawd

    Messages:
    430
    Joined:
    Oct 4, 2007
    I wonder what this will mean for the medical industry. There are so many places where passwords are weak at best (some don't have any) and one could potentially access patient info... HIPAA doesn't care because they'd rather let someone fuck up and then drag them through the coals rather than being diligent in ensuring everyone regularly meets or exceeds requirements.
     
  15. c3k

    c3k 2[H]4U

    Messages:
    2,102
    Joined:
    Sep 8, 2007
    Has Californistan banned them from using "nimda"? How about "admin1"? Etc.
     
    Armenius likes this.
  16. PantherBlitz

    PantherBlitz Limp Gawd

    Messages:
    421
    Joined:
    Apr 14, 2011
    Nah. Much better to make a symbolic law than to anger those who give you "campaign contributions".
     
    Armenius, PaulP and dvsman like this.
  17. twonunpackmule

    twonunpackmule [H]ard|Gawd

    Messages:
    1,452
    Joined:
    Sep 27, 2005
    Some of us like the danger, okay?
     
    Armenius likes this.
  18. JStamsek

    JStamsek [H]ardForum Junkie

    Messages:
    8,854
    Joined:
    Mar 24, 2016
    Please enter your password.

    (Password must contain three symbols, four uppercase letters, nine lowercase letters, and fourteen numbers that when added together and divided by 3.14 equal the number six. Oh, and click each picture that has a car in it or a storefront where the address or license plate has prime numbers.)

    Please enter your password again, but backwards and inverting the uppercase and lowercase letters.

    Would you like Chrome to save your password?
     
    Armenius, Flogger23m, hmz and 7 others like this.
  19. Dalexx

    Dalexx Limp Gawd

    Messages:
    160
    Joined:
    Mar 22, 2014
    More like punishes those of us who get called by family to do tech support.
     
  20. gamerk2

    gamerk2 [H]ard|Gawd

    Messages:
    1,612
    Joined:
    Jul 9, 2012
    Ding ding. Password reuse is as large a problem as weak passwords, if not more so, given how easy it is to find websites where you can redirect the "I Forgot my Password" to any arbitrary email address. From there, it's trivial to tie an email to a default password.

    Personally, I think that instead of every website each having to deal with user credentials, it should instead be handled via hardware (or at least at the OS level). If you do this ONCE you cut down the possibilities of info leaking.
     
  21. gamerk2

    gamerk2 [H]ard|Gawd

    Messages:
    1,612
    Joined:
    Jul 9, 2012
    You missed the point. While the ideal is that the end user changes the user/password themselves, default passwords shouldn't be trivial to crack. If the user doesn't change the factory default and loses the documentation, well, sucks to be them.
     
  22. PantherBlitz

    PantherBlitz Limp Gawd

    Messages:
    421
    Joined:
    Apr 14, 2011
    Funny that they use Equifax as an example. I mean, Joe Sixpack and Sally Sundress may occasionally run with default passwords on their home equipment, but those tools at Equifax were supposedly IT professionals who screwed up in more ways than just weak passwords.
     
  23. Wiffle

    Wiffle Limp Gawd

    Messages:
    293
    Joined:
    Oct 2, 2011
    They are just doing this because they are tired of picking up kiddies for "hacking"... It's seriously a big scene when they come to get you. The FBI show up along with homeland security and swat teams to boot... you would think you were the next Bin Laden with that kind of heat showing up at your door... but no, you are just some 19 year old kid that figured out Apple's backup servers are using "username" and "admin" for the login credentials. It's a more frequent occurrence than one would think, it's just not widely publicized. I only say this because I watched a raid on some kiddies in my small town in the middle of nowhere... apparently they were involved with hacking Apple, but I never heard anything after that. My guess is they were offered a squelch bargain... shut up about this and we won't prosecute you. They were back in their home a few days later.

    So now instead of going apeshit on the hacker, they can go apeshit on the companies screaming "WE'VE BEEN HACKED ZOMG ARREST THEM!" when they have essentially left the door to the candy shop wide open after closing time. Criminal negligence is a crime, and one that many tech companies have been evading for years now because there is no law in place to hold these companies accountable for crappy security. Taxpayers foot the million dollar bill to arrest and prosecute these "hackers" who are simply walking through an unlocked door, when the company themselves could have paid some random bum $5 to think of a new password for them.

    But none of this matters if CA's new net neutrality bill gets shot down; it's the only reason they are pumping out legislation left and right. Part of me feels like it won't, because these laws are being pushed by the same tech companies. It works like this: an established business can afford to pay fees and fines, start-ups cannot, and are usually crushed before they ever hit the mainstream because of legal issues. Which requires you to have a financial backer in order to create a startup, which usually means you are not in complete control of your company and you are always beholden to your backers. So if you want to be an entrepreneur, you basically have to deal with the devil if you want to do business at all. It eliminates competition before it ever gets going, or it ensures you have a way to buy out your competition. Either way, you win.

    More fines and legality issues are perfectly fine with large businesses, and in fact are usually pushed by the same large businesses that claim they are suffering from this legislation... when they are not. Take tobacco companies for example. They are "forced" to spend millions on anti-smoking campaigns and other funds and fees, yet they still rake in billions every year and it's pretty much been the same 2 or 3 manufacturers producing for the last 50 years. Same with the beer and alcohol industry, but those laws have been becoming more lenient towards boutique brewers. This in turn has actually allowed CA to have a flourishing craft alcohol market, which I am thoroughly thankful for as most of the small scale stuff is leagues better than the mass produced piss and concrete cleaner the masses consume.

    In the end, it is only the little people that can't keep up with legislation that get hurt unless provisions are made to protect them as well. Even whales require smaller organisms to stay alive, and when those organisms are gone, so are the whales.

    /end rant and insert shameless plug for Tito's Craft Vodka... truly the Devil's Water...
     
  24. Tweak42

    Tweak42 Gawd

    Messages:
    605
    Joined:
    Dec 1, 2010
    This is one of those laws necessary to deter unscrupulous companies making cheap internet devices from trying to boost sales and cut post sale support at the cost of the rest of us on the internet.

    I agree it sucks that we need government to mandate common sense for the bad actors ruining the internet by being cheap and/or lazy.
     
    mope54 likes this.
  25. mygreeneggsandham

    mygreeneggsandham n00b

    Messages:
    41
    Joined:
    Feb 18, 2016
    However you still don’t need an ID to vote.
     
    Armenius, GoldenTiger and cyclone3d like this.
  26. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,044
    Joined:
    Aug 16, 2004
    No I didn't miss the point.

    Default passwords should be available, but the equipment should also require a password change before first use.

    If the password must be changed, then the default password will never be used except for initial setup.

    A unique default password for every single device would be a nightmare logistically and would drive up costs quite a bit. And it is NOT NEEDED if the password must be changed on first use.

    Here is the minimum that would be required during manufacturing for every device to have a different default password:

    1. The sticker for each device would have to be unique
    a. Each device would have to be tied to a sticker for that specific device.
    b. You would have to have the machine printing the stickers be synced to the machine writing the EEPROM, to the machine assembling the device, and to the machine placing the stickers.
    c. To try to prevent a large number of devices from being sent out with the wrong sticker (unrecoverable password), you would also have to have matching serial numbers and barcodes on the EEPROM and the device and the documentation.
    d. Every single device and case for that device would have to be scanned to make sure they match up before they are assembled.
    e. In case of a mis-scan or systems out of sync, you would have to either manually or somehow automate the double checking of the unique password to make sure that the unique password works for each device before it is sent out.
    f. In case of needed repair or rework, everything would have to be matched up again. You would also need a stand-alone sticker printer, EEPROM programmer, and verification process as well as new documentation to be included with every single repaired unit. Might as well just throw them in the trash at that point because unless it is super-high dollar equipment it is not even feasible economically to repair defective units.
    g. In the packaging process, you would have to rescan the device and the documentation to make sure the stickers on them match.

    What happens if one of the machines goes out of sync or you have a tired person working a line that accidentally puts the wrong documentation in with a device?
    What about rework? The documentation would have to follow that device around and not get dirty or damaged... very highly unlikely in rework/repair situations.
    What if the sticker gets worn or comes off? What if the documentation is no longer around? You just throw the unit out because it has a unique default password?

    Basically, a unique default password system is NEVER going to work.

    However, a much, much, much, much, much, much simpler and cheaper way to do things is to require a password change on first use. Simple, easy, and very effective.

    Why would anybody go to the hassle of setting up a system to implement unique default passwords? It logically makes no sense whatsoever.
     
    Armenius and Laowai like this.
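    The first-use flow cyclone3d argues for, as an added illustration (my own code, not anything from the thread or from a vendor's firmware): the shipped credential only unlocks the password-change step, and the replacement is checked against the factory default, the username, and dressed-up forms of the weak values quoted in this thread. The blocklist, the leet map and the 12-character minimum are assumed policy values, not anything the bill specifies.

```python
"""First-use credential gate: an added illustration, not any vendor's firmware."""
import re
from hmac import compare_digest
from typing import Optional

# Defaults quoted in this thread reduce to these stems: "password", "admin",
# "12345", "nimda", "admin1", "Password1", "passwordpassword", "adminadmin".
WEAK_WORDS = ("password", "admin", "nimda", "root", "12345", "123456")
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "$": "s", "3": "e", "!": "i"})
MIN_LENGTH = 12  # assumed policy value


def weak_core(candidate: str) -> Optional[str]:
    """Return the weak word a candidate is a dressed-up form of, else None."""
    lowered = candidate.lower()
    # Drop decoration around the letters (admin1, password!!) but keep
    # all-digit values such as 12345 intact.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered) or lowered
    for variant in (core, core.translate(LEET)):  # p@ssw0rd -> password
        for word in WEAK_WORDS:
            reps = len(variant) // len(word)
            if reps and variant == word * reps:  # also catches adminadmin
                return word
    return None


def reject_reason(new: str, username: str, factory_default: str) -> Optional[str]:
    """Policy applied to the replacement credential; None means acceptable."""
    if compare_digest(new.encode(), factory_default.encode()):
        return "still the factory default"
    if new.lower() == username.lower():
        return "same as the username"
    weak = weak_core(new)
    if weak:
        return f"dressed-up form of weak value '{weak}'"
    if len(new) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


class Device:
    """Ships with a factory credential that unlocks only the password-change
    step; every other function stays locked until a new password is set."""

    def __init__(self, username: str, factory_password: str):
        self.username = username
        self._factory = factory_password
        self._password = factory_password
        self.factory_default = True  # still on the shipped credential

    def login(self, username: str, password: str) -> str:
        if username != self.username or not compare_digest(
            password.encode(), self._password.encode()
        ):
            return "denied"
        return "must-change-password" if self.factory_default else "ok"

    def set_password(self, current: str, new: str) -> str:
        if not compare_digest(current.encode(), self._password.encode()):
            return "denied"
        reason = reject_reason(new, self.username, self._factory)
        if reason:
            return "rejected: " + reason
        self._password, self.factory_default = new, False
        return "changed"
```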
  27. sleepeeg3

    sleepeeg3 [H]ardness Supreme

    Messages:
    4,849
    Joined:
    Mar 4, 2004
    I was born there. I lived there most my life. California never does anything right.

    It's this slippery slope of regulations that eventually leads to things like Venezuela where citizens now have the "freedom" to remain in the country - forever!
    https://www.yahoo.com/news/venezuela-seals-border-colombia-fight-smuggling-065517294.html
    Let people make their own mistakes.
     
  28. nilepez

    nilepez [H]ardForum Junkie

    Messages:
    11,431
    Joined:
    Jan 21, 2005
    No, it punishes companies that have devices with bad defaults. That used to be the norm for routers, but my Netgear came with what I believe was a random password (AFAIK the user name is hardwired to admin).

    I obviously changed it, but it's better to have something random than default to something like "password," especially as we have more of these IoT devices. I'd also argue that routers should all default to not allowing admin access from the internet. If the person wants that, make them turn it on. Although I have at times had routers that were accessible, at this point, I only turn it on if I think I'm going to need it while I'm away from home (which is very rare).

    Ideally it shouldn't happen, but when you have a huge network, it's possible something slips by. There's really no reason the MFG can't give each router or IoT device a random PW (and a sticker on the device listing that PW and possibly username). This isn't a terribly expensive thing to do. If Netgear can do it with a consumer router, Cisco can do it with their commercial routers (and for all I know they do). At that point, if the company has "password" everyone will know the company that bought it purposely set it up with a weak password.
     
  29. clockdogg

    clockdogg Gawd

    Messages:
    904
    Joined:
    Dec 12, 2007
    Read the title as:

    California Bans Login Credentials

    And thought. Finally. Everybody out of the FB pool. Closing in 5 minutes.

    Then realized they were banning weak logins only. But, it's a slippery slope. First they come for the weak, then they finish off the strong. That's why I'm never logging out of [H].


     
  30. Cardio

    Cardio Limp Gawd

    Messages:
    274
    Joined:
    Jan 3, 2008
    The law also requires you to have at least one woman's name in the password or you are fined $100,000 and you are not allowed to vote.
     
  31. socK

    socK 2[H]4U

    Messages:
    3,668
    Joined:
    Jan 25, 2004
    How am I supposed to remember my domain admin account when I need it for an emergency like a password reset if I have to make it so complicated?
     
  32. Laowai

    Laowai Gawd

    Messages:
    534
    Joined:
    Aug 9, 2018
    Just write it on a Post-It and stick it on your monitor like every good admin!
     
  33. Exercate

    Exercate Limp Gawd

    Messages:
    199
    Joined:
    Aug 25, 2015
    I just retired from the Banking Industry with over 35 years working for various transaction authorization and fraud departments. All the banks (and CC companies) I worked for had a very STRICT rule for passwords. They all had to have at least One Upper case, One Lower case, a number (or so) and SOME special characters. They HAD TO CHANGE every 30 (or 31) days. They could NOT repeat for at least 12 months. So, IF I was still working, my password for this month would be Oct2018@$ - So - there 'ya go. All bases covered, and it NEVER repeats - ever. I could tell you what my password would be 20 years from now, and also what it was 20 years ago. Our IT department guys (and gals) used almost the same scheme.
     
    c3k, cyclone3d and clockdogg like this.
  34. raz-0

    raz-0 [H]ardness Supreme

    Messages:
    4,531
    Joined:
    Mar 9, 2003
    That explains why it seems to be the norm on wi-fi routers for a few years now. I never considered that the change was impossible and I was hallucinating.
     
  35. nilepez

    nilepez [H]ardForum Junkie

    Messages:
    11,431
    Joined:
    Jan 21, 2005
    http://keepass.info/
     
  36. gamerk2

    gamerk2 [H]ard|Gawd

    Messages:
    1,612
    Joined:
    Jul 9, 2012
    The irony is that password is still easy to crack; entropy matters far more than using different character sets.

    [attached image: password_strength.png]
     
    clockdogg likes this.
  37. atp1916

    atp1916 [H]ard|DCoTM x1

    Messages:
    3,696
    Joined:
    Jun 18, 2004
    ^^^ ain't that the truth
     
  38. nilepez

    nilepez [H]ardForum Junkie

    Messages:
    11,431
    Joined:
    Jan 21, 2005
    My typical password is 170-250 bits using as large of a character set as the program will allow (which is sometimes shockingly small). Random PW generator FTW. Of course nothing works if you're limited to 12 or 13 characters and a relatively small character set. I'm often surprised that PWs can't take any character around, including unreadable chars.
     
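    gamerk2's point that composition rules do not buy entropy, as an added illustration (my own code, not anything from the thread): naive_bits is what a rule like the one Exercate describes implicitly credits, pattern_bits is what an attacker who knows the construction actually has to search, and length_for_bits turns a target such as nilepez's 170 bits into a length. The two pattern models and their sizes (12 months, 30 plausible years, a handful of word, casing and suffix choices) are my assumptions for illustration.

```python
"""Nominal vs. effective password entropy: an added illustration, not thread code."""
import math
import re
import secrets
import string

SYMBOLS = string.punctuation  # 32 printable ASCII symbols
FULL_POOL = string.ascii_letters + string.digits + SYMBOLS  # 94 characters
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
COMMON_WORDS = ("password", "admin", "root", "welcome", "letmein")  # assumed
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "$": "s", "3": "e", "!": "i"})


def naive_bits(pw: str) -> float:
    """What a composition rule implicitly credits: every character drawn
    uniformly from the union of the character classes present."""
    pool = 0
    if re.search(r"[a-z]", pw): pool += 26
    if re.search(r"[A-Z]", pw): pool += 26
    if re.search(r"[0-9]", pw): pool += 10
    if re.search(r"[^A-Za-z0-9]", pw): pool += len(SYMBOLS)
    return len(pw) * math.log2(pool) if pool else 0.0


def pattern_bits(pw: str) -> float:
    """Keyspace an attacker who knows the construction has to search.
    Model sizes are assumptions; the smallest matching model wins, and a
    password fitting no model keeps its naive_bits."""
    low = pw.lower()
    estimates = [naive_bits(pw)]
    # Model A: <Mon><YYYY><0-3 symbols>, the "Oct2018@$" scheme quoted in the
    # thread: 12 months x ~30 plausible years x symbol-suffix choices.
    m = re.fullmatch(r"([a-z]{3})(\d{4})([^a-z0-9]{0,3})", low)
    if m and m.group(1) in MONTHS:
        estimates.append(math.log2(12 * 30 * len(SYMBOLS) ** len(m.group(3))))
    # Model B: a common word (possibly leet-spelled, possibly repeated as in
    # "passwordpassword") plus 0-4 trailing digits/symbols, e.g. "Password1".
    m = re.fullmatch(r"(.+?)([^a-z]{0,4})", low)
    if m:
        stem, tail = m.group(1).translate(LEET), m.group(2)
        for word in COMMON_WORDS:
            reps = len(stem) // len(word)
            if reps and stem == word * reps:
                # words x repetitions (1-3) x 4 casing/leet variants x tail choices
                choices = len(COMMON_WORDS) * 3 * 4 * (10 + len(SYMBOLS)) ** len(tail)
                estimates.append(math.log2(choices))
    return min(estimates)


def length_for_bits(bits: float, pool_size: int = len(FULL_POOL)) -> int:
    """Characters a uniformly random password needs to reach `bits` of entropy."""
    return math.ceil(bits / math.log2(pool_size))


def random_password(bits: float = 170) -> str:
    """The random-generator approach: length chosen from the target entropy,
    not from a class-count rule."""
    return "".join(secrets.choice(FULL_POOL) for _ in range(length_for_bits(bits)))
```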
  39. obs

    obs 2[H]4U

    Messages:
    3,817
    Joined:
    Nov 4, 2002
    Actually not a bad idea although I think most companies were already forcing people to create new passwords the first time.
     
  40. pendragon1

    pendragon1 [H]ardForum Junkie

    Messages:
    13,632
    Joined:
    Oct 7, 2000