Don’t worry, this law doesn’t affect luggage.
Brands have to publish contact details so that bugs and issues can be reported, and must be transparent about timings of security updates.
The non headline part of the law sounds great to me.
Yeah I read the headline and thought what, then read the article and it actually seems pretty reasonable.
Devices should not come with a username of ‘admin’ and a password of ‘admin’, it’s a disaster waiting to happen.
Is it really on the device manufacturer that people don’t change the default password? That’s advice that’s been around so long and it’s the first thing they tell you in computer training.
Default passwords have their use cases for testing, ease of set-up, and for device recovery.
Yes, it should be. Sending someone a device with usr/pwd as admin/admin, for example, is completely reckless if it doesn’t prompt the user to change it during setup.
it’s the first thing they tell you in computer training.
You shouldn’t need specialist training to use basic home products, and you shouldn’t have to put up with extremely compromised security in the event of you not being technically-minded or you blitz through installations pressing next next next. Not everyone is or can be technically minded.
Plenty of products have protections in place designed to protect users in the realistic event that not everything will be used flawlessly 100% of the time.
PCs aren’t shipped to you with always-on root-level access, gas hobs often have features to turn themselves off if they detect they’ve not been ignited, cars have all kinds of safety features, pills come in pop-packs to discourage taking a load at once by swigging a bottle, Switch cartridges taste like shit to stop babies from choking on them, etc. sure, not all of these should be legally required, but some absolutely should be.
12345? Thats amazing, I have the same combination on my luggage!
Usually, an impact study is made before such type of laws are made:
- if this law is enacted, how much will it cost to the manufacturers to update their factory settings?
- how will this be impacted on the device cost in the UK compared to other markets?
- how many users will get stuck when losing the unique ID of the device, what are the recovery procedures, how costly is it to end users?
- how many users will be protected by the measure and what cost for society does it represent?
- how many users will set a dumb password anyhow and what is the cost for society?
I’d be curious to see the impact study, as many of those are actually botched.
Most routers already have non-standard passwords by default. At least in EU. I’m not sure which devices besides routers and IoT peripherals are affected by this bill.
All of them I’ve seen do use non-standard passwords for the web access portion, however it’s been a mixed bag for the admin controls on the router OS itself. It’s often just admin/admin.
Which is crazy. I could, if I were inclined, log into the router in someone’s house/business if they haven’t changed the admin password, but they have provided me with a password to access the web. Most people don’t bother changing the admin password.
a user set weak password is infinitly more strong than a known default.
admin
admin
I wonder about raspberry pi - it’s the image you download that has the known user and password.
It might mean that you can’t sell one with a pre-imaged, pre-installed sdcard unless you customised the image.
It’s very easy to remove that and ask for a password on first boot. It could literally be one line in a shell script. They could put it in a text menu if they want to get fancy.
More professional (non-hobby) RP based devices probably aren’t using stock vanilla Raspbian anyway.
stock vanilla Raspbian anyway.
Raspberry pi OS != Raspbian
Those are two completely separate and different OSes.
Force of habit. I’ve been working with Pis for a while, long before the name change.