A recent survey revealed that 65 percent of people struggle to remember their passwords, with an average of 17 passwords to manage. Additionally, 43 percent of respondents reported having their passwords compromised, leading to a general sense of insecurity.
Issues regarding credential security were the impetus for California's default password legislation (SB-327), which requires vendors to implement unique default passwords for network-connected devices. This law aims to enhance security by eliminating the use of common default passwords, which are often exploited by hackers.
https://newsradio1310.com/ixp/94/p/changing-passwords-and-security-isnt-working-in-california/
Commentary
Password security is a significant factor in data breaches. An estimated 81 percent of data breaches are because of poor password security.
A study by BitSight found that home networks were 3.5 times more likely than corporate networks to have at least one malware family, and 7.5 times more likely to have five or more distinct types of malware. Additionally, 45 percent of organizations had one or more devices accessing their corporate network from a home network with at least one malware infection.
California is not the only state with legislation addressing default passwords and IoT security. Although California's SB-327 is one of the most well-known laws, other states have also enacted, or are considering, similar legislation to enhance cybersecurity and protect consumer data.
For example, Nevada and Virginia have enacted consumer privacy laws that require organizations to implement and maintain reasonable security procedures to protect data from unauthorized access, disclosure, or theft. These laws, while not specifically focused on default passwords, emphasize the importance of robust security measures, which can include the management of passwords.
California's Senate Bill 327 (SB-327), also known as the California Internet of Things (IoT) Security Law, was enacted in 2018 and became effective on January 01, 2020. This legislation aims to enhance the security of connected devices sold or offered for sale in California by addressing the issue of default passwords, which are often exploited by hackers.
The key provisions of SB-327 include:
- Reasonable security features: Manufacturers must equip devices with reasonable security features that are appropriate to the nature and function of the device, as well as the information it may collect, contain, or transmit. These features are designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
- Unique passwords and security measures: Connected devices must be assigned a unique preprogrammed password or require new users to create a new password before first-time access. This measure aims to eliminate the use of common default passwords, which are easily found and exploited by attackers.
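To make the second provision concrete, here is an added example (not code from the bill or from any vendor's firmware) of a hypothetical device account model that satisfies it either way: a per-unit factory password, or a shared default that can only be used to set a new password before any other access. The `COMMON_DEFAULTS` list and all names are constructed for illustration; the final helper is the pre-deployment check the commentary below recommends for employers.

```python
import hashlib
import hmac
import secrets

# Constructed sample of widely known factory defaults the device must never accept.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "default", "root"}


class DeviceCredentialPolicy:
    """Hypothetical device account honouring SB-327's password provision."""

    def __init__(self, unique_factory_password: bool):
        if unique_factory_password:
            # Per-unit secret generated at manufacturing time (e.g. printed on the label).
            self.factory_password = secrets.token_urlsafe(12)
            self.must_change = False
        else:
            # Shared default: usable only to set a new password, never for normal access.
            self.factory_password = "admin"
            self.must_change = True
        self._salt = secrets.token_bytes(16)
        self._hash = self._hash_password(self.factory_password)

    def _hash_password(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 100_000)

    def _verify(self, pw: str) -> bool:
        return hmac.compare_digest(self._hash, self._hash_password(pw))

    def login(self, pw: str) -> str:
        """Return 'granted', 'change_required' or 'denied'."""
        if not self._verify(pw):
            return "denied"
        return "change_required" if self.must_change else "granted"

    def set_password(self, current: str, new: str) -> bool:
        """Reject common defaults, the factory value itself, and short passwords."""
        if not self._verify(current):
            return False
        if new.lower() in COMMON_DEFAULTS or new == self.factory_password or len(new) < 12:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = self._hash_password(new)
        self.must_change = False
        return True


def accepts_common_default(device: DeviceCredentialPolicy) -> bool:
    """Pre-deployment check: does the device still grant access with a known default?"""
    return any(device.login(d) == "granted" for d in COMMON_DEFAULTS)
```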
The rationale behind SB-327 is to address the rapid increase in IoT devices and the associated security risks. Many IoT devices have been shipped with default passwords, creating vulnerabilities that can be easily exploited by hackers. High-profile security breaches, such as the Mirai botnet in 2016, highlighted the need for stronger security measures.
Online criminals know that unchanged administrative passwords make office and home IoT devices vulnerable, and that users often fail to change them. By compromising a home office router that still uses its administrative password, an online criminal can access not only a worker's information and work but may also be able to use the router as a gateway into the employer's network.
The final takeaway is that unchanged administrative passwords create a cyber risk. Employers should require all administrative passwords to be changed before equipment is installed on a network and, as a condition of working from home, require that all administrative passwords on home office equipment be changed.
https://www.darkreading.com/vulnerabilities-threats/insecure-home-office-networks-heighten-work-at-home-risks and https://earthweb.com/blog/weak-password-statistics/ and https://financesonline.com/password-statistics/