California bans default passwords on any internet-connected device

In less than two years, anything that can connect to the internet will come with a unique password — that is, if it's produced or sold in California. The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate.

The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."

The law is clearly aimed at stopping the spread of botnets made up of compromised network devices, such as routers, smart switches or even security cameras and other IoT equipment. Malicious software could often take control of them by trying easy-to-guess or publicly disclosed default login credentials. It's not entirely clear yet as to how the new regulation will affect legacy industry hardware from the 1980s and 1990s where passwords are either hard-coded or next to impossible to change.