UK Prohibits '12345' Passwords in Smart Device Security Overhaul

6 May 2024

Think of the last time you set up a new smart device. It probably came with a default password manufacturers intend for people to use once before setting their own login details. But did you take that step? Many consumers don’t, which is why the United Kingdom’s government has cracked down on those passwords as part of larger improvements in smart security. What do they involve?

World-First Law Against Default Passwords

The Product Security and Telecommunications Infrastructure (PSTI) Act, whose security requirements came into force on April 29, 2024, makes the United Kingdom the first country to legally obligate manufacturers to protect device users against hacking attempts. Default passwords are a central focus. They are a problem because lists of factory credentials, sorted by vendor and model, circulate freely online, so an attacker scanning for exposed devices can simply try the known default for each one.

The new requirements apply to consumer products that can connect to the internet or to a network (a few product categories are exempted) and forbid manufacturers from shipping them with universal or easily guessable default passwords, such as “12345” or “admin.” A device must instead ship with a password that is unique to that unit or require the user to set one, and in either case the password must not be easily guessable.

Consumer information about the new law suggests device users create passwords made of three random words, and recommends enabling two-factor authentication where it is available. Such safeguards reduce the chance that an attacker who uses artificial intelligence (AI) or other emerging tooling to guess passwords faster can get into an account with the password alone.
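As an added illustration (this is not code from the article, nor from any regulator or manufacturer), the block below shows the kind of checks a manufacturer could run over candidate factory passwords before a product ships, and contrasts them with the "three random words" style recommended to users. The rules it encodes are an assumption: a plain-language reading of "no easily guessable default passwords" (a blocklist of common defaults, digit counters, values derived from identifiers printed on the device, and fleets that differ only by a counter), not the legal text. The blocklist, serial numbers, MAC address and word list are constructed for the example; the keyed-hash derivation is a common manufacturing technique, not something the article describes.

```python
"""Checks for factory-default passwords on connected devices.

Added example, not code from the article or from any regulator. The rules
encoded here are an assumption: a plain-language reading of "no easily
guessable default passwords" (blocklisted values, digit counters, values
derived from identifiers printed on the device), not the legal text.
"""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed blocklist of well-known defaults; a real one would be far longer.
COMMON_DEFAULTS = {"12345", "123456", "1234", "0000", "password", "admin", "root", "default"}
MIN_LENGTH = 8  # assumption: minimum length any per-device secret should clear


def _normalise(value: str) -> str:
    """Lower-case and keep only letters and digits, so '00:1A:2B' ~ '001a2b'."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def derived_from_identifier(password: str, identifier: str, window: int = 6) -> bool:
    """True if a run of `window` identifier characters appears in the password.

    Catches defaults such as 'wifi' + the last six MAC digits, which anyone
    who can read the label or see the device on the LAN can reconstruct.
    """
    pw, ident = _normalise(password), _normalise(identifier)
    if len(ident) < window:
        return ident != "" and ident in pw
    return any(ident[i:i + window] in pw for i in range(len(ident) - window + 1))


def weak_default_reason(password: str, *identifiers: str) -> Optional[str]:
    """Return why a candidate default password is easily guessable, or None."""
    if password.lower() in COMMON_DEFAULTS:
        return "on the common-defaults list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.isdigit() and all(
        int(b) - int(a) in (-1, 0, 1) for a, b in zip(password, password[1:])
    ):
        return "sequential or repeated digits"
    for ident in identifiers:
        if derived_from_identifier(password, ident):
            return f"derived from device identifier {ident!r}"
    return None


def fleet_looks_incremental(passwords: list[str]) -> bool:
    """True if a batch of defaults share a stem and differ only by a counter.

    'cam0001', 'cam0002', ... are unique per unit but still guessable once a
    single one leaks, so this check runs across the batch, not per device.
    """
    matches = [re.fullmatch(r"(.*?)(\d+)", p) for p in passwords]
    if len(matches) < 2 or not all(matches):
        return False
    stems = {m.group(1) for m in matches}
    counters = sorted(int(m.group(2)) for m in matches)
    return len(stems) == 1 and all(b - a == 1 for a, b in zip(counters, counters[1:]))


def per_device_password(factory_key: bytes, serial: str, length: int = 12) -> str:
    """Derive a per-device default from the serial with a keyed hash.

    Unlike 'serial number reversed', this cannot be reproduced from the label:
    without `factory_key` (which stays in the factory) the HMAC output is
    indistinguishable from random. Base64 avoids the modulo bias that
    `byte % len(alphabet)` would introduce when mapping bytes to characters.
    """
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()[:length]


def three_random_words(wordlist: list[str]) -> str:
    """The 'three random words' style of user-set password, chosen with a CSPRNG."""
    return "-".join(secrets.choice(wordlist) for _ in range(3))


if __name__ == "__main__":
    # Constructed MAC address, serial and word list for the demonstration.
    for candidate in ("12345", "admin", "12345678", "wifiA1B2C3", "correct-horse-battery"):
        print(f"{candidate!r}: {weak_default_reason(candidate, '00:1A:2B:A1:B2:C3')}")
    print("incremental fleet:", fleet_looks_incremental(["cam0001", "cam0002", "cam0003"]))
    print("derived default:", per_device_password(b"factory-secret", "SN-2024-000123"))
    print("user password:", three_random_words(["pelican", "kettle", "orbit", "linen"]))
```

The per-device check alone is not enough: "cam0001" and "cam0002" both pass it, which is why `fleet_looks_incremental` inspects the whole batch. The keyed derivation gives every unit a different password while keeping the factory's provisioning simple; the secret key, not the serial, is what protects it, so it must be handled like any other signing key.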

One survey of security professionals found 89% of respondents believe AI-enabled threats will cause challenges for the foreseeable future. Now is the time to take proactive prevention measures. One AI-based password cracker was reported to recover 51% of the passwords in its test set in under a minute. That result underlines the value of strong passwords and additional safeguards on smart home products.

More User Transparency

Another requirement is that manufacturers publish contact details so users and researchers can report security vulnerabilities and other problems. Device makers and retailers must also be upfront with users about the minimum period for which security updates will be provided. There is currently wide variation: some vendors offer updates for roughly two years, while others support devices for more than a decade.

Many smart products already state specifications such as battery life and compatibility with other products. Under the new rules you can expect to see similar information about security updates. Think of it like the use-by date on supermarket products: you have probably had food spoil even though the label said it should still have been good.

Security updates are likewise not foolproof, but they make it harder for cybercriminals to break into smart devices. Many attackers specifically target older operating systems or devices that manufacturers no longer support, because the known vulnerabilities in them will never be patched.

Effects Beyond the United Kingdom

While this is a U.K. law, it applies to any company that manufactures, imports, or sells in-scope products in the United Kingdom. Non-compliance can bring fines of up to £10 million or 4% of qualifying worldwide revenue, whichever is greater, and some failures are criminal offenses.

Since most internet-connected products in the United Kingdom get made elsewhere, it’ll be interesting to see if manufacturers update their product packaging and user manuals to show the newly required information in other markets.

Long security update windows could also become a competitive advantage. Some brands already take that approach: when Dutch smartphone maker Fairphone released its fifth-generation model, it promised operating system, security, and software updates until 2031.

Consumers Must Act, Too

The PSTI Act increases device manufacturers’ responsibilities, but no one should allow this law to make them overly comfortable. Most reputable resources explaining the law to consumers emphasize the importance of setting strong passwords and using two-factor authentication with their smart devices.

Password hygiene also means changing credentials after a breakup, a change of housemates, or a move. Otherwise, anyone who still knows the password can keep controlling connected smart home devices long after they have left.

Additionally, device users should check for software updates regularly, and — ideally — tweak settings to make them happen automatically for convenience. If there is no such option, a simple workaround is for someone to create monthly calendar reminders to look for new releases.

Striving for Security First

An enduring culture among some smart device makers involves releasing new devices as quickly as possible, treating security as an afterthought. However, people will soon lose their fascination with pioneering products that have major security flaws. The new law mandates security improvements from device makers, which is an excellent start.

However, consumers must also take a couple of simple but effective steps to stop their devices from becoming hackers’ entry points.