UK Bans Weak Passwords – No More ‘Admin’ & ‘1234’

KEY TAKEAWAYS

  • The UK implements new laws banning weak default passwords on connected devices to combat cybercrime.
  • The move shifts responsibility of securing devices from users to manufacturers, mandating unique default passwords and disclosure policies for security vulnerabilities and updates.
  • While it is seen as a positive step, experts emphasize the need for ongoing legislation and user education, or moving away from the password altogether.
  • The law increases complexity and costs for manufacturers, especially for imported devices, and when ensuring compliance through enforcement and monitoring.
  • Ultimately, cybersecurity remains a shared responsibility.

Humans and passwords are an imperfect combination — we are all likely guilty of taking shortcuts, even with the best password managers out there.

If you have unboxed and set up a new internet-connected device at home or work, it probably came with a default password — and product manufacturers often show a lack of imagination (or perhaps an overabundance of convenience) with usernames and passwords such as ‘Admin’ and ‘12345’ or ‘Guest’ and ‘0000’.

While this is a familiar practice by device manufacturers all over the world, it will no longer be the case in the UK — the government has outright banned weak default passwords on connected devices.

A simple law, but one with consequences for everyone involved.

For manufacturers, it’s a wake-up call, now tasked with the responsibility of setting unique default passwords for each device while meeting other security requirements outlined by the UK government.

It’s a big ask, but is it an insurmountable challenge? Or could it be an opportunity for innovation in the way devices are made and secured?

And what about the users? On the plus side, they have the promise of increased security, which means devices won’t be low-hanging fruit for cybercriminals anymore. But on the other hand, are users ready to remember complex default passwords? Will it induce password overload and anxiety? Could this be a step too far in the name of security?

Techopedia spoke with experts to discuss this new security law in the UK and its implications in the long run.

The UK’s New Password Laws

From Internet of Things (IoT) devices to smartphones, we’re increasingly intertwined with the internet and connected more than ever. But as we know, this convenience comes with several vulnerabilities.

Cybercriminals exploit these vulnerabilities, often taking advantage of users who fail to change weak default passwords on their devices to gain unauthorized access. This has led to a surge in cybercrime, with consumers bearing the brunt of the impact.

Apart from default password exploitation, recent research by IoT management platform Asimily highlights that routers currently make up 75% of infected connected devices.

Other IoT devices ranked among the most targeted devices in the research include digital signage systems, security cameras, and medical devices.

Recognizing this growing threat and the proliferation of connected devices, the UK government took action.

So, what exactly are these new laws? To operate in the UK, device manufacturers must abide by these requirements:

  1. Ban on Universal Default Passwords: Manufacturers can no longer use universal default passwords like ‘Admin’ or ‘12345’. Each device must have a unique password.
  2. Security Vulnerability Disclosure Policy: Manufacturers must provide a public point of contact to allow anyone to report a vulnerability, and they must also state how long the device will receive security updates.
  3. Statement of Security Updates: Manufacturers must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either on the box or on the product listing online.
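
The first requirement is the one a factory provisioning line has to implement. The following is an added example, not code from the article or from any manufacturer named in it, of how a provisioning step could issue a distinct default password per device and reject anything that is a universal default, too short, derived from the serial number, or already handed to another unit in the batch. The blocklist (built from the passwords the article names), the serial numbers and the minimum-length threshold are constructed for illustration.

```python
"""Per-device unique default credentials with a policy check.

Added example (not code from the article or any manufacturer): a sketch of
a factory-provisioning step that satisfies a "no universal default
passwords" requirement. The blocklist, serial numbers and policy thresholds
are constructed for illustration.
"""
import secrets
import string

# Constructed blocklist: the universal defaults the article names, lower-cased.
UNIVERSAL_DEFAULTS = {"admin", "12345", "1234", "guest", "0000"}

# Alphabet without look-alike characters (0/O, 1/l/I) so the label on the box
# can be read and typed reliably.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article


def check_default_password(password, serial, issued):
    """Return (ok, reason). `issued` is the set of passwords already assigned
    to other devices in this production run."""
    if password.lower() in UNIVERSAL_DEFAULTS:
        return False, "universal default"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if serial and serial.lower() in password.lower():
        return False, "derived from serial"
    if password in issued:
        return False, "already issued to another device"
    return True, "ok"


def generate_default_password(serial, issued):
    """Draw a CSPRNG password and retry until it passes the policy check."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET)
                            for _ in range(MIN_LENGTH + 4))
        ok, _ = check_default_password(candidate, serial, issued)
        if ok:
            return candidate


def provision(serials):
    """Assign a distinct default password to each serial number in a batch."""
    issued = set()
    credentials = {}
    for serial in serials:
        pw = generate_default_password(serial, issued)
        issued.add(pw)
        credentials[serial] = pw
    return credentials


if __name__ == "__main__":
    # Constructed sample serial numbers for a small batch.
    batch = [f"SN-{n:06d}" for n in range(5)]
    for serial, pw in provision(batch).items():
        print(serial, pw)
```

The check is deliberately separate from the generator so that the same policy can be run again as an audit over a finished batch, and the "derived from serial" rule closes the common shortcut of printing the serial number, or part of it, as the password.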

A cursory look into these requirements shows that manufacturers are squarely responsible for securing devices, a move that could have far-reaching implications for the country’s tech industry.

To What Extent Will These Laws Help in Curbing Cybercrime?

The new laws are undoubtedly a step in the right direction, John Price, CEO at SubRosa, a managed security operations platform, told Techopedia.

However, he points out that it requires ongoing legislation to remain effective.

He said:

“The new laws mandating unique default passwords for each connected device are a significant advancement in cybersecurity. While this measure addresses a common vulnerability, the dynamic nature of cyber threats requires ongoing updates to legislation and strategies to remain effective.”

For Aaron Painter, CEO at Nametag Inc., a self-service password and multi-factor authentication reset platform, this new legislation will help outlaw easy-to-guess default passwords in connected devices.

However, he questions its viability given that default passwords are not the only easy-to-crack passwords. A better way to address this issue, according to Painter, is for manufacturers to follow the path of passwordless and multifactor authentication.

“This law is a great step forward towards curbing cybercrime in the UK by outlawing the most easily-cracked passwords.
“But default passwords aren’t the only ones that are easy to crack. To truly address the cybersecurity risks of passwords, companies need to adopt passwordless technologies and multi-factor authentication backed by strong identity verification tools to protect the reset/recovery process.”

Calum Baird, Digital Forensics and Incident Response Consultant at Systaltech, highlights how instrumental the new law could be in addressing the Open Web Application Security Project (OWASP) IoT Top 10 vulnerabilities. He told Techopedia:

“These will be very helpful in preventing consumers from falling victim to easily avoidable password attacks. OWASP’s IoT Top 10 vulnerabilities list has number 1 as “Weak, guessable, or hardcoded passwords” — this legislation significantly reduces this.”

The Implication for Device Manufacturers Across the UK

While this new development may appear to be a big ask for connected device manufacturers, Painter argues that it provides an opportunity for them to show leadership in the UK’s cybersecurity efforts.

“Device manufacturers across the UK have an opportunity to demonstrate leadership and build trust with their customers by going above and beyond the requirements of the law.
“Beyond moving away from default passwords, device manufacturers can demonstrate that they care about security by teaching their customers about good password habits and the importance of using multi-factor authentication on their accounts.”

The new cybersecurity law poses some challenges for UK device manufacturers, according to Baird. He notes: “If manufacturers opt for unique initial passwords, it will increase complexity and costs, likely passed to consumers.

“Manufacturers must also be contactable to report concerns, and maintain compliance records, which will increase their workloads while helping maintain public confidence in product security and brands.”

Enforcing the new cybersecurity law, particularly for devices manufactured abroad, such as in China, a big producer of cheap IoT devices, is another challenge, Baird believes.

He notes the act places duties on manufacturers, importers and distributors, but individuals could still purchase non-compliant products from non-UK online marketplaces.

“This legislation places additional requirements on ‘importers’ and ‘distributors,’ including due diligence investigations to ensure products meet certain requirements.
“This will no doubt have an administrative impact and could be very time-consuming.”

He suggests having a centralized database of approved vendor products vetted for compliance to circumvent this issue, easing the burden on importers and distributors while ensuring effective enforcement.

“Manufacturers should be responsible for the safety and security of the devices they create,” Matt Middleton-Leal, Managing Director EMEA North at Qualys, said in comments to Techopedia.

“This includes taking out insecure default set-ups and ensuring that what they put together can be updated. When you buy products that rely on software, then you should also get adequate support and updates around security.

“This law makes that process clearer on what consumers should expect. If manufacturers don’t think that they can provide this within their products, then they have the option to not sell them in this market.”

As Derek McCarthy, Senior Director, Field Engineering at NetRise, pointed out:

“These new UK laws do not remove cybersecurity responsibilities from users or user organizations — they simply document the minimum requirements for the connected device manufacturers. Users must play a big part in keeping their devices safe.

“Users should regularly update their devices when new software is available. Users should use strong, unique passwords for each device. And users should learn about the security features of their devices and use them properly.”

The Bottom Line

This new cybersecurity legislation on internet-connected devices is undoubtedly a step towards improving cybersecurity. It will force companies to rethink their password practices and implement more robust credential management systems.

However, the effectiveness of these regulations will depend on enforcement and compliance. Strong penalties for violations and systematic monitoring will be essential to ensure manufacturers uphold their obligations.

Cybersecurity is also a shared responsibility—users must do their part by resetting their devices’ default login details to strong passwords and enabling additional security features where available.
