The UK Government Suggests That Single, Universal (Weak) Passwords for Gadgets Should Be Banned

In a newly released policy paper on regulating consumer smart-product cybersecurity, Matt Warman MP, the United Kingdom Minister for Digital Information, stated that the Department for Digital, Culture, Media, and Sport has been working with the NCSC to address the problem of poor IoT (internet-of-things) gadget security. It is expected that weak passwords for gadgets will be made illegal in the next year.

The problem of the Internet of Insecure Things has been a thorn in the side of cybersecurity researchers ever since the IoT first became a trend. According to predictions, there will be nearly 41 billion IoT devices by the year 2025, and the scale of security problems is growing. Everything from light bulbs to smart speakers, security cameras, and televisions sits inside this often insecure ecosystem of IoT devices.

Hackers use these devices to spy on people and steal their data. They are insecure because most of these devices come with pre-loaded, hard-wired passwords that you cannot change. If those passwords were at least strong or unique, there would not be as many security issues.

Even where customers can change passwords, they often do not, because the gadgets are sold as fire-and-forget, easy-to-use, non-tech gizmos. For gadgets that connect to the internet via the home network, there is a possibility that hackers already know the passwords or can easily crack them.

Internet of Things devices are also often corralled by hackers into botnets that are then used to execute DDoS attacks against online businesses. The policy paper, ‘Proposals for regulating consumer smart-product cybersecurity - call for views’, was released on July 16.


The UK government suggests that single, universal passwords for devices should be made illegal, and the government wants to move towards the use of alternative authorization techniques that do not use passwords. According to the policy paper, the government also plans to ban passwords that are unique to every gadget but can still easily be guessed.

The policy paper states that where pre-installed passwords that are unique to every device are used, they must not be created by a system that fails to take into account the minimization of automated attacks. It is also recommended that manufacturers provide a mechanism for consumers to easily report security vulnerabilities, and the paper also requires more transparency on how long the gadget will continue to receive security updates.

If these requirements become law, the potential for financial penalties is expected to enforce them. Cybersecurity experts state that strong enforcement of password standards is a positive move, and that the benefits outweigh the difficulty of shipping gadgets with unique passwords. Tim Erlin, vice-president at Tripwire, stated that there is no technical reason why device manufacturers need to ship gadgets with a common default password.

