1: They’re the three most-hacked passwords of 2017.
2: They’re going to be illegal in California from 2020.
California’s Governor Jerry Brown signed the ‘Security of Connected Devices’ bill into law on October 5. It takes a decent stab at making it illegal to ship devices with what are basically big ‘rob me’ signs as passwords.
It won’t come into force until 2020.
How does the law work?
You’ve got to be asking yourself: how are they going to enforce this? Knowing California’s legislators, it’s easy to imagine some tech-blind authoritarian reflex kicking in and mandating a password registry, or something equally facepalm-inducing. But actually the law seems reasonably well-designed. It obliges device manufacturers to make users set a new, strong password the first time they log in to their new device, instead of leaving a shared factory default in place.
Seems sensible. The onus is on companies rather than individuals, and it’s enforced through financial penalties for companies that fail to comply. And all it requires of users is that they auto-generate a solid, unique password the first time they use their device.
I’m like you: I use the same handful of passwords for everything. When I have to autogenerate a string of gibberish I’ll never remember in a million years, I just use it to sign in once, then go back around and reset it to one of my usual passwords.
So there’s that.
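To make the mechanism concrete, here is an added example (my own illustration, not code from the article, the bill, or any manufacturer) of the two controls the law leans on: a per-unit random default that only ever grants a “change your password now” login, and a policy check on the replacement so the user can’t immediately fall back to one of the usual suspects. The device, serial number and blocklist are all constructed for the example.

```python
"""Added example: first-login credential gate for a connected device.

Not from the original article. The Device class, the serial numbers and
COMMON_PASSWORDS are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Tuple

# Constructed blocklist of frequently-breached passwords; a real product
# would load a far larger list and refresh it.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def generate_device_password(length: int = 16) -> str:
    """Per-unit factory default: random, so no two devices share it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_acceptable(candidate: str, serial: str) -> bool:
    """Policy for the password a user chooses to replace the default."""
    if len(candidate) < MIN_LENGTH:
        return False
    if candidate.lower() in COMMON_PASSWORDS:
        return False
    # Reject anything built from the serial number printed on the unit.
    if serial.lower() in candidate.lower():
        return False
    return True


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a dumped flash image doesn't reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    serial: str
    salt: bytes = field(repr=False)
    digest: bytes = field(repr=False)
    must_change: bool = True  # stays True until the default is replaced

    def login(self, attempt: str) -> str:
        """Returns DENIED, MUST_CHANGE (default still in place) or OK."""
        if not hmac.compare_digest(_hash(attempt, self.salt), self.digest):
            return "DENIED"
        return "MUST_CHANGE" if self.must_change else "OK"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; only succeeds if the new one passes policy."""
        if self.login(current) == "DENIED":
            return False
        if not is_acceptable(new, self.serial):
            return False
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(new, self.salt)
        self.must_change = False
        return True


def provision(serial: str) -> Tuple[Device, str]:
    """Factory step: mint a unique default and return it for the unit's label."""
    default = generate_device_password()
    salt = secrets.token_bytes(16)
    return Device(serial=serial, salt=salt, digest=_hash(default, salt)), default


if __name__ == "__main__":
    dev, label_password = provision("SN-0001")  # constructed serial
    print("first login:", dev.login(label_password))          # MUST_CHANGE
    print("reset to 'password':", dev.set_password(label_password, "password"))
    print("reset to strong:", dev.set_password(label_password, "Correct-Horse-9"))
    print("login after reset:", dev.login("Correct-Horse-9"))  # OK
```

The point of `must_change` is that the label password is never a working credential on its own: it can only be used to set a new one. The policy check is deliberately narrow; in practice the blocklist is what stops the “sign in once, then reset to my usual” habit described above, and it is only as good as the list you ship.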
Devices, not accounts
And then there’s the point that the bill applies to devices – not to all digital accounts. Its target is electronics manufacturers, so it isn’t going to make that big an impact when it does come into force.
After all, you might open a new account for a service or app fairly often, but a lot of devices are sold second hand and replaced infrequently. It’s like a law that only affects new cars: it won’t cover every car you pass on the day it comes into force.
My computer login or my phone pass shape isn’t the issue: the problem is I use the same password for my Facebook as I do for my online banking (if you’re interested, it’s yeahright123).
And then, of course, there are the browser-based password storage tools that mean all your passwords are exactly as safe as your browser.
So this law looks pretty tokenistic. Rather than a blow against shoddy security or privacy violations as the very foundation of a new economic model, it’s a band-aid – and it’s not even on the right cut.
‘Weak passwords banned in California from 2020,’ BBC News