UK becomes first country to ban default bad passwords on IoT devices(therecord.media)
therecord.media
UK becomes first country to ban default bad passwords on IoT devices
https://therecord.media/united-kingdom-bans-defalt-passwords-iot-devices
24 comments
This is pretty sensible cybersecurity policy. Just don’t do what BT did on their HomeHubs and generate a brute forceable password based on a hash of the ssid and some serial numbers.
A lot of italian ISPs did that too in the early 2010s. Eventually someone figured out the algorithm to derive the WP2 passphrase from the SSID (and MAC address, I think) and wrote a handy tool. You were literally able to drive around a neighborhood and connect to any WiFi network you wanted.
When I moved to the UK, I figured this out and used this for a month or so of free internet while waiting for my own internet connection to be set up.
I couldn't find the text in the act that actually did anything related to what the article states it does. I looked to see if it hadn't just banned weak default passwords but banned default passwords entirely. That is that each device must have its own randomly generated passwords which are generated by another computer with sufficient entropy after the firmware is written to the device.
The PSTI Regulations that the bill gives legal effect to are here:
https://www.legislation.gov.uk/uksi/2023/1007/schedule/1/mad...
(2) Passwords must be—
(a)unique per product; or
(b)defined by the user of the product.
(3) Passwords which are unique per product must not be—
(a)based on incremental counters;
(b)based on or derived from publicly available information;
(c)based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;
(d)otherwise guessable in a manner unacceptable as part of good industry practice.Also:
Or, define it in terms of entropy? Maybe that kind of technicality is too hard to understand.
“unique per product” means unique for each individual product
of a given product class or type.
Overall, why not just require random passwords of a certain length? Compared to generating a hash, generating a random password is easier (no data input, such as the serial number, is needed) and no less user-friendly.Or, define it in terms of entropy? Maybe that kind of technicality is too hard to understand.
i feel that stance would be defensible. there are plenty of great engineering reasons to generate a per-device randomized UID during intial provisioning. default password, serial number, seeding/salting, mac randomization, licensing/drm, anonymized logs, etc.
Here's the actual law: https://www.legislation.gov.uk/ukpga/2022/46
> UK becomes first country to ban default bad passwords on IoT devices
It might be the first country, but as far as I know, not the first place to do that; I've read at https://www.servethehome.com/why-your-favorite-default-passw... that one state of another country has already implemented a similar law.
It might be the first country, but as far as I know, not the first place to do that; I've read at https://www.servethehome.com/why-your-favorite-default-passw... that one state of another country has already implemented a similar law.
From yesterday,
Default passwords in 'smart' devices now banned in UK (https://news.ycombinator.com/item?id=40195841) - (no comments)
-> https://www.ncsc.gov.uk/blog-post/smart-devices-law
Default passwords in 'smart' devices now banned in UK (https://news.ycombinator.com/item?id=40195841) - (no comments)
-> https://www.ncsc.gov.uk/blog-post/smart-devices-law
“OK, the new default password for all our newly-sold devices is now ‘by%8MmRsVWt#m4ZO’. Problem solved.”
I’m sorry. That’s not allowed. For security reasons, every new password must contain at least one emoji, three greek letters and one set-theoretic operator.
I'm sorry, based on our records you have used this emoji in a previous password. Please choose a new unique emoji.
thats always been a concern for me.
if my past passwords can be examined for comparison with a current one, i cant shake the idea that no password is secret under such a regime
if my past passwords can be examined for comparison with a current one, i cant shake the idea that no password is secret under such a regime
This is still compatible with one way hashing. The service just sits on the recent hashes. They’re still non reversible.
yes, we have to trust it is done like that, as a standard.
i suppose an "evil admin" has a lot of other ways to harvest passwds, rather than one that is a major security problem.
i suppose an "evil admin" has a lot of other ways to harvest passwds, rather than one that is a major security problem.
You joke but emojis should be allowed in password fields.
Allowed but not required
> Under the PSTI, weak or easily guessable default passwords such as “admin” or “12345” are explicitly banned
Really? The law doesn't even contain the word "password", let alone ban any.
This seems to be bullshit.
Really? The law doesn't even contain the word "password", let alone ban any.
This seems to be bullshit.
[deleted]