California Bans Default Passwords for All IoT Devices

Using default passwords can seriously weaken the security on your devices. By banning them, the legislation aims to fend off hackers and improve cybersecurity.

California Bans Default Passwords for All IoT Devices

Manufacturers can no longer set generic default passwords like "123" for their devices. Many people do not change them, making them vulnerable to hackers.

California has passed a law that bans default passwords for all Internet of Things (IoT) devices.

Beginning Jan. 1, 2020, the legislation (Senate Bill No. 327) requires manufacturers of a connected device to equip it with a “reasonable security feature or features.” The bill mandates that manufacturers must provide default passwords that are unique to each device or prompt the user to generate a new password before using the product.

Most physical security and life safety systems are now connected to the Internet, making them vulnerable to cybersecurity attacks. Video surveillance, security cameras, and fire systems all fall into these categories.

Chuck Davis, Hikvision’s director of cybersecurity says it is crucial to apply cybersecurity best practices or your systems could become quite vulnerable.

The bill aims to improve security for the vast number of consumers who do not change default passwords — such as “123,” “password” or “admin” — that come with new devices. In doing so, the legislation effectively bans pre-installed and hard-coded default passwords to any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

Although the goal of the bill is to thwart hackers from installing malware and use infected devices as part of botnet attacks, the ban has left some cybersecurity professionals skeptical of its true efficacy.

“I think the law that the State of California is contemplating is a great first step, but it’s just a first step in a very long road to ensuring security around the globe,” Bill Evans, senior director at One Identity, told the Verdict.

Evans said a preferred approach would be one that doesn’t mandate specific action. “Rather, governments should use the levers at their disposal to incentivize enterprises to solve the problems in ways that meet their needs,” he said.

The bill was approved by the California Assembly and Senate in August and was signed into law by Gov. Jerry Brown on Sept. 28.

This article originally ran in Campus Safety’s sister publication, Security Sales & Integration.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author


Katie Malafronte is Campus Safety's Web Editor. She graduated from the University of Rhode Island in 2017 with a Bachelor's Degree in Communication Studies and a minor in Writing & Rhetoric. Katie has been CS's Web Editor since 2018.

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety HQ