UK to Ban ‘12345’ Passwords in Smart Device Security Crackdown

The UK government has announced that it will be banning weak passwords such as “12345” and “admin” as part of a new legislation to bolster security practices for smart devices nationwide.

The world-first law, which came into effect on Monday as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, aims to protect consumers from hackers who exploit easily guessable passwords by forcing them to strengthen their security settings to prevent cybercrime and account theft. 

It means that manufacturers technologies such as smartphones, TVs and smart home devices are now legally required to protect internet-connected devices against access by cybercriminals, with users prompted to change any common passwords.

They will also have to publish contact details so bugs and issues can be reported and resolved and tell consumers the minimum time they can expect to receive important security updates.

This is to help give customers confidence in buying and using products, which is hoped to help grow businesses and the economy.

“As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater,” said Viscount Camrose, Minister for Cyber. 

“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe.”

Banning weak passwords

Under the new PTSI regime, manufacturers will be banned from having weak, easily guessable default passwords like ‘admin’ or ‘12345’ and if there is a common password the user will be prompted to change it on start-up. 

It is hoped this will help prevent threats like the Mirai botnet attack in 2016, which saw over 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the East Coast without internet. 

Since then, similar attacks have occurred leading to disruption to customers, most recently with the so-called smart toothbrush botnet that allegedly tuned 3 million smart toothbrushes into a botnet for a DDoS attack. 

Read: What is a DDoS Botnet?

Many devices have little to no security, making it easy for hackers to hijack them and access local networks. Devices that do have security practices are often protected by default or easy-to-guess passwords that fail to protect them from attacks. 

Passwords used by the majority of UK consumers are worryingly predictable and often very weak. The most common passwords in the UK include:

1. 123456
2. password
3. qwerty
4. liverpool
5. 123456789
6. arsenal
7. 12345678
8. 12345
9. abc123
10. Chelsea

“The use and ownership of consumer products that can connect to the internet or a network is growing rapidly. UK consumers should be able to trust that these products are designed and built with security in mind, protecting them from the increasing cyber threats to connectable devices, said OPSS Chief Executive, Graham Russell. 

“As the UK’s product regulator, OPSS will be ensuring consumers can have that confidence by working with the industry to encourage innovation and compliance with these new laws.”

Securing the smart home

The new legislation marks a significant step towards boosting the UK’s resilience to cyber attacks targeting smart home devices. Recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices. 

It comes after an investigation by Which? found that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with 2,684 attempts to guess weak passwords on five devices. 

“The OPSS [Office for Product Safety and Standards] must provide the industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law,” said ocio Concha, Which? Director of Policy and Advocacy.

“But we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”

NCSC Deputy Director for Economy and Society Sarah Lyons emphasised that businesses and smart tech manufacturers must play a crucial role in keeping consumers protected from cybercrime. 

“Smart devices have become an important part of our daily lives, improving our connectivity at home and at work; however, we know this dependency also presents an opportunity for cybercriminals.” 

“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy.”