Manufacturers can’t ship products with a simple password to the UK

  • A new law comes into effect in the UK today which effectively outlaws simple and easily guessed passwords.
  • Manufacturers will have to prompt users to change the default password if it is as simple as “admin” or “12345”.
  • Manufacturers must also make it easier to report security issues.

Today a new law comes into effect in the UK which requires that manufacturers prevent users from choosing a terrible password.

This means that common or easily guessable passwords such as “admin” or “12345” are now technically illegal in the UK. This seemingly goes beyond the passwords set by users, though, and extends to the default passwords many manufacturers use for new products. If a user purchases a product with a simple password, they will be prompted to change it upon startup.

“This will help prevent threats like the damaging Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS leading to disruption to customers,” the UK government explained.

Mirai leveraged the basic, unchanged passwords of IoT devices such as IP cameras to form a botnet that was then used to execute massive distributed denial of service (DDoS) attacks, something that this new law hopes to make tougher. More than that, research from organisation Which? revealed that 99 percent of adults in the UK own at least one smart device and households have an average of nine connected devices.

“Which? has been instrumental in pushing for these new laws which will give consumers using smart products vital protections against cyber criminals looking to launch hacking attacks and steal their personal information,” says director of policy and advocacy at Which? Rocio Concha.

“The OPSS [Office for Product Safety and Standards] must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”

That point about guidance is important, as passwords now need to “meet minimum-security standards”, which is a broad term that we hope means that, as cybercrime advances, the legislation will keep up.

In addition to the password rules, manufacturers must also make it easier for consumers to report security issues so that the problems can be addressed quickly.

This legislation is said to be the first of its kind in the world and we suspect that with a growing focus on cybersecurity for citizens, we’ll see more countries adopting similar laws in future.

