You know when you first get a new “smart” device and some of the default passwords for things don’t seem that smart? Well, the U.K. government has now moved to introduce legislation that will ban the use of dumb passwords in so-called smart devices.
The Product Security and Telecommunications Infrastructure (PSTI) Bill has yet to become law; according to government sources that will happen as soon as parliamentary time allows. This means that we should see the law come into play in 2022.
However, what has happened already is that the legislation has been published, and we now know what the months and years of consultation and industry expertise have brought to bear.
What consumer security protections will the new law introduce?
In effect, the PSTI Bill will impose three regulatory requirements to close the security gaps that currently apply to smart devices:
- Weak, factory-set default passwords will no longer be allowed. Instead, all relevant devices will need to ship with unique passwords that cannot be reset to a single, universal factory default.
- A point of contact for researchers, hackers, bug bounty hunters and the like to report security vulnerabilities must be made public.
- Consumers must be advised of the period for which the device they are buying will receive security updates, and so advised at the point of purchase. If the device cannot receive such updates or patches or won’t get any, that must be declared.
“One of the most commonly used attack vectors is through default passwords, which are easy to guess and preloaded on multiple devices,” George Papamargaritis, a director at Obrela Security Industries, said. “The fact that this new legislation bans default passwords is a huge step forward and it will encourage device manufacturers to consider security before marketing products, otherwise they could face business destroying fines.”
“We’re getting to a place where security by design will be a mandatory requirement and not an afterthought,” Laurie Mercer, a security engineer at HackerOne, said. “This is a significant milestone towards more secure consumer connectable products, and shows the U.K. is leading in creating a safe digital connected society.”
And before you say, well, that’s in the U.K., you should probably know that California already has Senate Bill 327, which requires similar password rules and came into effect on January 1, 2020. And you can bet legal disputes about it will be coming!
That’s because business disputes are everywhere! And when those things negatively impact you and/or your business including bankruptcies, landlord/tenant matters including unlawful detainers, contract issues, nuisance ADA claims and even collections, call in your good guy business litigator, Dean Sperling to resolve YOUR matter with YOUR best interests in mind!