California Weak Password Ban

SDO Marketing Staff | October 10, 2018

In new legislation, California has decided to ban easy-to-guess default passwords.

The bill, entitled SB-327, or Information Privacy: Connected Devices, demands that electronics manufacturers in California equip their products with “reasonable” security features.

What does this mean practically for users?

All those generic passwords such as “Admin” and “Password” will be prohibited. Starting in 2020, when the law comes into effect, computers, smartphones, tablets, and all the rest will either require users to create a unique password on configuration, or may come ready with a complex random password installed.

Solid Steps for a Real Problem

The law is California State’s effort to deal with a serious problem facing the cybersphere: negligence in security configurations for password-based systems. The millions of new consumer devices sold every year with sloppy security create a vast Internet of Things (IoT), connecting both corporate and home wireless networks. The fact that such a large number of these devices are wide-open targets for hackers due to embarrassingly simple passwords can endanger the entire community of users. SB-327 asserts that at least part of the responsibility falls on the manufacturers, as leaving users the easy option of keeping default passwords encourages this trend.

A Milestone for Digital Security

It’s important to highlight how much of a giant leap SB-327 is for cyber regulation. Other laws, such as GDPR and New York’s DFS Cyber Regulations, have almost uniformly consisted of guidelines, albeit some of them pretty strict, for organizations handling sensitive data. Rarely, if ever, have specific protocols been instituted on how a given security platform must be used. The new California bill, on the other hand, recognizes the threat to the digital sphere posed by specific, current practices and takes measures to correct them. Furthermore, the law places responsibility for those measures at the feet of manufacturers and enforces them with harsh penalties.

SB-327’s decision to single out passwords was a wise one.

In the words of Bruce Schneier:

“Hooray for doing something, but it’s a small piece of a very large problem”

After years of a slow and steady decline, passwords have become one of the single biggest contributing factors to the rise in data breaches over the past several years. California’s new law is another nail in the coffin for the obsolete password.

Well Intentioned, Yes. But Effective…?

To quote Kieren McCarthy of The Register:

“It’s good news, but overall a wasted opportunity”

The new bill shows the State of California has its head in the right place in addressing the problem of weak authentication.

But there is one important question users need to ask about the efficacy of SB-327: what problems will it actually solve?

Granted, the bill does fight some of the more common threats facing password authentication. Low-level hacks such as password “spraying” (a form of brute-force hack in which the malicious actor attempts a single password against many accounts before moving on to attempt a second password) and other automated attacks can often be prevented with complex passwords. But SB-327 fails to go to the root of the problem.

The issue is not just password strength. The issue is the password itself.

Sooner or later, the industry will have to wake up to the reality of password authentication. Passwords are inherently weak, hinging the security of entire networks on secrets that users must remember and manage and that are vulnerable to exposure. Passwords promote a slew of bad security practices, from creating passwords that are easily cracked to storing them insecurely. Furthermore, more sophisticated hacks like social engineering are geared toward the vulnerabilities of password authentication. California’s legislators did not even begin to address these threats.

Password-less as the New Paradigm

When a lock is faulty, replacing the key is not the solution. Replacing the lock is.

Taking on the vulnerabilities presented by passwords will require a fundamental shift in security standards. Out-of-band, password-less authentication is the technology that will once and for all do away with the security challenges facing digital identities today, leaving users with solutions that are both safer and more user-friendly.