autotldr@lemmings.world
on 29 Apr 2024 07:55
This is the best summary I could come up with:
Tech that comes with weak passwords such as “admin” or “12345” will be banned in the UK under new laws dictating that all smart devices must meet minimum security standards.
It means manufacturers of phones, TVs and smart doorbells, among others, are now legally required to protect internet-connected devices against access by cybercriminals, with users prompted to change any common passwords.
Rocio Concha, a director of policy and advocacy at Which?, said: “The OPSS [Office for Product Safety and Standards] must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”
The science and technology minister, Jonathan Berry, said: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.
“From today, consumers will have greater peace of mind that their smart devices are protected from cybercriminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe.
The laws are taking effect as part of the product security and telecommunications infrastructure (PSTI) regime, which aims to strengthen the UK’s resilience against cybercrime.
The original article contains 350 words, the summary contains 223 words. Saved 36%. I’m a bot and I’m open source!
It’s for manufacturer passwords, not ones set by users.
The legislation is to help regulate the manufacturers of IoT devices, not the users themselves.
Zikeji@programming.dev
on 29 Apr 2024 08:56
The law is for devices that come out of the box with a weak default. Like buying a wifi hotspot where the default is “admin123” would be bad. The default being random and printed on a label in the device is probably what this is aiming to usher in.
metaStatic@kbin.social
on 29 Apr 2024 09:37
it's been a very long time since I've seen a default that wasn't random or a unique pass phrase
drkt@lemmy.dbzer0.com
on 29 Apr 2024 09:21
That’s not what this law is about, but yes actually they do!
I’m not even in the UK and my domains get hit by UK authorities that claim to be scanning for vulnerabilities
Th4tGuyII@kbin.social
on 29 Apr 2024 09:44
From what I see on the article, it looks like it mostly applies to manufacturer set passwords - though it does look like the devices are now required to prompt the user if they try to set a weak or common password (though I can't remember the last time I wasn't prompted)
TheGrandNagus@lemmy.world
on 29 Apr 2024 10:19
Did you really just share an article without actually reading it?
SlopppyEngineer@lemmy.world
on 29 Apr 2024 11:05
No, others do that for them: insecam.org
thbb@lemmy.world
on 29 Apr 2024 09:09
Usually, an impact study is made before such laws are made:
If this law is enacted, how much will it cost the manufacturers to update their factory settings?
How will this affect the device cost in the UK compared to other markets?
How many users will get stuck when losing the unique ID of the device, what are the recovery procedures, and how costly is it to end users?
How many users will be protected by the measure, and what cost for society does it represent?
How many users will set a dumb password anyhow, and what is the cost for society?
I’d be curious to see the impact study, as many of those are actually botched.
metaStatic@kbin.social
on 29 Apr 2024 09:38
A user-set weak password is infinitely stronger than a known default.
That makes a strong password a million times infinitely strong.
magic_lobster_party@kbin.run
on 29 Apr 2024 10:31
Most routers already have non-standard passwords by default. At least in the EU. I’m not sure which devices besides routers and IoT peripherals are affected by this bill.
TheGrandNagus@lemmy.world
on 29 Apr 2024 13:50
All of them I’ve seen do use non-standard passwords for the web access portion, however it’s been a mixed bag for the admin controls on the router OS itself. It’s often just admin/admin.
Which is crazy. I could, if I were inclined, log into the router in someone’s house/business if they haven’t changed the admin password, but they have provided me with a password to access the web. Most people don’t bother changing the admin password.
RobotToaster@mander.xyz
on 29 Apr 2024 09:30
Is the flying squad going to kick down my door if I use 12345 as a password?
Is it really on the device manufacturer that people don’t change the default password? That’s advice that’s been around so long and it’s the first thing they tell you in computer training.
Default passwords have their use cases for testing, ease of set-up, and for device recovery.
TheGrandNagus@lemmy.world
on 29 Apr 2024 13:45
Yes, it should be. Sending someone a device with usr/pwd as admin/admin, for example, is completely reckless if it doesn’t prompt the user to change it during setup.
it’s the first thing they tell you in computer training.
You shouldn’t need specialist training to use basic home products, and you shouldn’t have to put up with extremely compromised security in the event of you not being technically-minded or you blitz through installations pressing next next next. Not everyone is or can be technically minded.
Plenty of products have protections in place designed to protect users in the realistic event that not everything will be used flawlessly 100% of the time.
PCs aren’t shipped to you with always-on root-level access, gas hobs often have features to turn themselves off if they detect they’ve not been ignited, cars have all kinds of safety features, pills come in pop-packs to discourage taking a load at once by swigging a bottle, Switch cartridges taste like shit to stop babies from choking on them, etc. sure, not all of these should be legally required, but some absolutely should be.
Bonehead@kbin.social
on 29 Apr 2024 10:07
Don't worry, this law doesn't affect luggage.
cybersandwich@lemmy.world
on 29 Apr 2024 13:24
I have 2fa for my luggage.
andrew@lemmy.stuart.fun
on 30 Apr 2024 02:59
I wonder about Raspberry Pi - it's the image you download that has the known user and password.
It might mean that you can't sell one with a pre-imaged, pre-installed SD card unless you customised the image.
TimeSquirrel@kbin.social
on 29 Apr 2024 11:52
It's very easy to remove that and ask for a password on first boot. It could literally be one line in a shell script. They could put it in a text menu if they want to get fancy.
More professional (non-hobby) RP-based devices probably aren't using stock vanilla Raspbian anyway.
TrickDacy@lemmy.world
on 29 Apr 2024 12:44
stock vanilla Raspbian anyway.
Raspberry Pi OS != Raspbian
Those are two completely separate and different OSes.
TimeSquirrel@kbin.social
on 29 Apr 2024 18:26
Force of habit. I've been working with Pis for a while, long before the name change.
TrickDacy@lemmy.world
on 29 Apr 2024 18:30
Hmm, ok. My impression was that Raspbian still exists as a separate thing. I didn’t know there was a name change.
DinosaurSr@programming.dev
on 30 Apr 2024 00:40
Wait, is Raspbian not a thing anymore?
TimeSquirrel@kbin.social
on 30 Apr 2024 00:43
It is. There are two: Raspberry Pi OS, and Raspbian. The former used to be Raspbian. I still get them confused.
Peer@discuss.tchncs.de
on 29 Apr 2024 14:26
You can already use a tool in the rpi imager to set the default login for your image.
wewbull@feddit.uk
on 29 Apr 2024 11:53
I hope when they say TVs, they don’t mean the parental controls pin.
In fact… What password is needed on a TV?
Bahnd@lemmy.world
on 29 Apr 2024 14:12
12345? That's amazing, I have the same combination on my luggage!
RecluseRamble@lemmy.dbzer0.com
on 29 Apr 2024 14:26
Ha, mine is 10 times more secure!
RandomVideos@programming.dev
on 29 Apr 2024 16:39
123450?
ColeSloth@discuss.tchncs.de
on 29 Apr 2024 17:49
I like the easy default passwords for when I’m setting stuff up. If the end user doesn’t change it, that’s on them. This is one of those laws that just inconveniences the 90% to protect the lazy/stupid 10%.
hangonasecond@lemmy.world
on 29 Apr 2024 23:57
I feel like there’s a level of easy that’s still secure. I used to be the kind of person who used the same password for everything. Now, I’ve changed that password on everything and I’m particular about using a password manager even for most local uses. But when I’m performing first-time setup, I use a variation on that easy-to-type, burned-into-my-brain old password. It’s not incredibly secure, but it’s not 4 digits or my birthday or anything of the like.
stealth_cookies@lemmy.ca
on 29 Apr 2024 23:36
This should already be in place with a lot of products due to a California law effective in 2020.
uriel238@lemmy.blahaj.zone
on 30 Apr 2024 07:04
I assumed each device would be programmed with the top 5,000 most common passwords which it would refuse.
And the device would nag the administrator to change the password away from the default as soon as possible, please.
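As an added example, not code from the thread, from Raspberry Pi OS or from any vendor: the first-boot password step TimeSquirrel describes above ("ask for a password on first boot"), combined with the common-password denylist uriel238 assumes. The script refuses candidates that are too short, digits only, equal to the account name, or on a denylist, and only then sets the password. The account name `pi`, the minimum length, the denylist contents and the idea that the image builder runs this once from a first-boot unit are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# First-boot password setup for a Linux-based device image (illustration only;
# not code from any project mentioned in the thread).
# Assumptions: the image ships a placeholder account ACCOUNT with no usable
# password, and a first-boot service runs this script once with "--run"
# (wiring that service up is not shown here).

set -u

ACCOUNT="${ACCOUNT:-pi}"   # assumed account name; adjust for the image
MIN_LENGTH=8               # assumed minimum length

# Small denylist of vendor defaults and top-list passwords, constructed for the
# example. A real build would embed a much larger list (the comment above
# suggests "the top 5,000"), one lower-cased candidate per line.
DENYLIST="admin
password
12345
123456
12345678
admin123
raspberry
qwerty
letmein"

# Returns 0 when the candidate is acceptable, 1 when it must be rejected.
# Checks, in order: minimum length, digits-only, equals the account name,
# membership in the denylist (case-insensitive).
password_is_acceptable() {
    candidate="$1"
    lowered=$(printf '%s' "$candidate" | tr '[:upper:]' '[:lower:]')
    account_lowered=$(printf '%s' "$ACCOUNT" | tr '[:upper:]' '[:lower:]')

    [ "${#candidate}" -ge "$MIN_LENGTH" ] || return 1
    case "$candidate" in
        *[!0-9]*) ;;        # contains at least one non-digit: fine
        *) return 1 ;;      # digits only (e.g. 12345678): reject
    esac
    [ "$lowered" != "$account_lowered" ] || return 1
    printf '%s\n' "$DENYLIST" | grep -qxF -- "$lowered" && return 1
    return 0
}

# Prompt until an acceptable password is entered, then set it with chpasswd.
# Needs root and a terminal, so it only runs when invoked with "--run".
first_boot_set_password() {
    while :; do
        printf 'Set a password for %s: ' "$ACCOUNT"
        read -rs first; printf '\n'
        printf 'Repeat the password: '
        read -rs second; printf '\n'
        if [ "$first" != "$second" ]; then
            echo "Passwords do not match; try again." >&2
            continue
        fi
        if ! password_is_acceptable "$first"; then
            echo "Rejected: too short, digits only, the account name, or on the common-password list." >&2
            continue
        fi
        printf '%s:%s\n' "$ACCOUNT" "$first" | chpasswd
        return 0
    done
}

if [ "${1:-}" = "--run" ]; then
    first_boot_set_password
fi
```

The `--run` guard keeps the interactive part out of the way when the file is sourced, so `password_is_acceptable` can be exercised on its own; a production image would pair this with a one-shot service that disables itself after the first successful run.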
How do they know what password we use on our device? Do they scan our device without our permission?
Probably just default passwords
Nah they scan your brain
🤔
admin
admin
I use "4cab".
They'll never guess that.
Only four of them?
The non headline part of the law sounds great to me.
Yeah I read the headline and thought what, then read the article and it actually seems pretty reasonable.
Devices should not come with a username of ‘admin’ and a password of ‘admin’, it’s a disaster waiting to happen.
Something I have: my luggage
Something else I have: bolt cutters
It’s an expensive system but it works for me.