In case you didn't notice, just last year the state of California passed a law banning default passwords like “admin,” “123456” or "password" in all new consumer electronics starting in 2020. It's only a matter of time for other states to follow California's lead.
That means that every new gadget built and sold in the Golden State, from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.”
Additionally, the law mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.” This means as soon as you pick up a new device, you need to assign a new password immediately.
While some laws pertaining to consumer gadgets aren't always welcome, this one is designed to help protect more of us against hackers and botnets, which have taken advantage of poorly secured devices and used them to overwhelm websites with huge amounts of internet traffic — known as distributed denial-of-service (DDoS) attacks. Botnets typically rely on default passwords that are hardcoded into devices when they’re built that aren’t later changed by the user. Malware then breaks into the devices using publicly available default passwords, hijacks the device and traps the device into conducting DDoS cyberattacks without the user’s knowledge. Ouch!
Other, more advanced botnets, don’t need to guess a password because they instead exploit known vulnerabilities in Internet of Things devices — like smart bulbs, alarms and home electronics.
The takeaway? Always change your password when you buy a new device, and better yet, change them periodically. And in California, it's soon to be the law.