The End of the Default Password?
Default passwords have been made illegal in the United Kingdom. No more admin accounts with "admin" or "password" as the password!
Security is hard. Nobody is saying it isn't. But sometimes we make it a lot harder on ourselves than it needs to be. Every once in a while, though, there is a small win, and at the tail end of last month one happened in the United Kingdom, where default passwords were just made illegal.
The long road to this legislation started back in 2016 with the Mirai attacks. Mirai was a piece of malware that identified vulnerable IoT devices using a list of just sixty (or so) common factory-default usernames and passwords, logged into those devices, and took them over to form part of a botnet.
Infected devices continued to function perfectly normally, apart from occasional sluggishness and a hugely increased use of bandwidth, so their owners generally didn’t notice anything was wrong. The devices taken over were, for the most part, ‘just’ IP cameras, but despite that the botnets created by the Mirai malware were used to perform some of the largest and most disruptive distributed denial-of-service attacks ever recorded.
The guidelines issued alongside the legislation mandate that devices must ship with a randomized password, or generate one during setup. Additionally, the password cannot follow a pattern or be related to publicly accessible information, such as the device's MAC address. Devices must be resistant to brute-force attacks, including attacks like credential stuffing, and should include an easy method for changing the password.
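As an added illustration of those password requirements (example code written for this post, not part of the original article and not taken from any vendor's firmware), the Python sketch below shows what a device-side implementation of the four points looks like: a per-unit password drawn from the operating system's CSPRNG, a policy check that rejects well-known defaults and anything sharing a run of characters with the MAC address, a login path that hashes the stored secret and locks out a source after repeated failures (which blunts both plain brute force and credential stuffing), and an owner-driven password change. The `COMMON_DEFAULTS` list is a constructed sample, and the thresholds (12-character minimum, 4-character overlap with the MAC, 5 failures then a 300-second lockout, 100,000 PBKDF2 iterations) are assumptions chosen for the example, not figures from the guidelines.

```python
import hashlib
import secrets
import string
import time

# Constructed sample of well-known factory defaults (illustrative only).
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "root", "default", "user"}
ALPHABET = string.ascii_letters + string.digits


def looks_derived_from(password: str, public_value: str, min_run: int = 4) -> bool:
    """True if the password shares a run of min_run+ characters with a public
    identifier such as the MAC address (separators ignored, case-insensitive).
    min_run=4 is an assumed threshold for this example."""
    p = password.lower()
    v = public_value.lower().replace(":", "").replace("-", "")
    return any(v[i:i + min_run] in p for i in range(len(v) - min_run + 1))


def is_acceptable_default(password: str, mac: str) -> bool:
    """Policy check for a factory-set password: long enough (12 assumed),
    not a well-known default, not derived from the MAC, not a trivial pattern."""
    if len(password) < 12:
        return False
    if password.lower() in COMMON_DEFAULTS:
        return False
    if looks_derived_from(password, mac):
        return False
    if len(set(password)) < 6:  # catches "aaaaaaaaaaaa", "121212121212", ...
        return False
    return True


def provision_device(mac: str, length: int = 16) -> str:
    """Generate a per-unit password from the OS CSPRNG. A random candidate
    almost never fails the policy, but we re-draw if it does so the caller
    is guaranteed an acceptable value."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable_default(candidate, mac):
            return candidate


class LoginGuard:
    """Password verification with per-source lockout: after MAX_FAILURES bad
    attempts a source is refused for LOCKOUT_SECONDS, even with the right
    password. Only a salted PBKDF2 digest of the password is stored."""

    MAX_FAILURES = 5        # assumed thresholds for the example
    LOCKOUT_SECONDS = 300
    ITERATIONS = 100_000

    def __init__(self, salt: bytes, digest: bytes, clock=time.monotonic):
        self._salt = salt
        self._digest = digest
        self._clock = clock          # injectable so tests can control time
        self._state = {}             # source -> [failure_count, locked_until]

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, LoginGuard.ITERATIONS)

    @classmethod
    def from_password(cls, password: str, clock=time.monotonic) -> "LoginGuard":
        salt = secrets.token_bytes(16)
        return cls(salt, cls._hash(password, salt), clock)

    def attempt(self, source: str, password: str) -> str:
        """Returns "ok", "denied" or "locked". Lockout is checked before any
        hashing so a locked-out source cannot even probe the password."""
        now = self._clock()
        failures, locked_until = self._state.get(source, [0, 0.0])
        if now < locked_until:
            return "locked"
        if secrets.compare_digest(self._hash(password, self._salt), self._digest):
            self._state.pop(source, None)   # success clears the failure count
            return "ok"
        failures += 1
        if failures >= self.MAX_FAILURES:
            self._state[source] = [0, now + self.LOCKOUT_SECONDS]
            return "locked"
        self._state[source] = [failures, locked_until]
        return "denied"

    def change_password(self, source: str, current: str, new: str) -> bool:
        """The 'easy method for changing the password': requires the current
        password, then re-salts and re-hashes the new one."""
        if self.attempt(source, current) != "ok":
            return False
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(new, self._salt)
        return True


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"             # constructed sample MAC
    factory_password = provision_device(mac)
    print("factory password:", factory_password)
    guard = LoginGuard.from_password(factory_password)
    for _ in range(5):
        print(guard.attempt("198.51.100.7", "admin"))   # denied x4, then locked
    print(guard.attempt("198.51.100.7", factory_password))  # still locked
```

Two design points worth noting: the lockout is keyed per source so a single noisy client cannot deny service to the legitimate owner on another address, and the check runs before the (deliberately slow) hash so that locked-out sources cost the device almost nothing per request.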
Interestingly though, the guidelines actually go a lot further. Software components on the device need to be securely updateable, be regularly checked for updates, and update either automatically or in a user-friendly way. Critically, owners should be able to report security issues and receive responses about how those reports were handled. That is going to be a big departure for some companies used to shipping anonymous boxes and then forgetting about them, along with any security updates they might need.
Like the GDPR, the new PSTI Act comes with hefty penalties for infringement. Violations of the new law can result in fines of up to 10 million pounds, or 4 percent of worldwide revenue, whichever is higher.
Scientist, author, hacker, maker, and journalist. Building, breaking, and writing. For hire. You can reach me at 📫 alasdair@babilim.co.uk.