UK government submits bill to ban easy-to-guess default passwords

Time to rethink our passwords.

The British government has submitted a bill that is set to shake up the IoT industry, and it is attracting attention around the world. The Product Security and Telecommunications Infrastructure Bill (PSTI) was submitted to the British Parliament. The bill prohibits shipping Internet-enabled devices such as smart TVs, smart speakers, and cameras with easy default passwords. The purpose is to improve cyber security.

If the bill is passed, many IoT devices will each need their own unique default password. Companies that fail to comply face fines of £10 million ($15 million) or 4% of global revenues. In addition to passwords, the bill also covers transparency around security updates.

UK Media, Data and Digital Infrastructure Minister Julia Lopez said in a press release:

Many consumers assume that the products they sell are safe. However, the reality is that many products are insecure and expose consumers to the risk of fraud and theft.

Easy passwords are easy to target

Easy passwords are bad! Unfortunately, quite a few people will probably find that uncomfortable to hear. According to a study by cybersecurity firm Symantec, 55% of IoT devices that were attacked in some way had the password "123456" and 3% had the password "admin". Many users keep the default password, or set one themselves that is too easy. Palo Alto Networks, another cybersecurity company, reports that 98% of IoT device traffic is not encrypted.

In recent years, the price of IoT and smart devices has fallen, and the problem has become more serious as more consumers can get their hands on them. The number of IoT devices in the world is predicted to exceed 20 billion by 2030. According to Kaspersky Lab, 1.5 billion IoT attacks were confirmed in the first half of 2021 alone, double the number in the second half of 2020. The number of devices is increasing at a frightening speed, and the number of cyber attacks is increasing proportionally.

Manufacturers say users are responsible

On the other hand, some IoT companies say users are responsible for data breaches caused by hacking. For example, Ring claimed that users had reused passwords, which led to a class action lawsuit in 2019. Ring has since worked to improve security with two-factor authentication and end-to-end encryption.

Hence the British government's call to do something about default passwords! I think that the bill is very much to the point in terms of the balance between cyber security and human carelessness. Although the United States is also moving forward with legal initiatives related to IoT devices, the UK bill is superior in that it provides clear penalties that can be widely applied to IoT device manufacturers. Of course, instead of leaving everything to the companies, we consumers also need to change our awareness of our own passwords.

Source: UK.gov