Smart device makers will be forced to use unique default passwords on all their products sold in California from 2020.
A new law has been approved by the state to compel companies to implement “reasonable” security features in a bid to spare more people from falling victim to cyber attacks.
The security of the connected devices bill states that any “preprogrammed password is unique to each device manufactured”, meaning gadgets will not be allowed to have the same default password when first sold.
A start-up process forcing users to set up a new password of their own before they can use the product is also mentioned.
The law has been met with mixed reaction from across the security sector, with some critics claiming it does not do enough to improve cyber security.
“It’s a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little to improve security, while doing a lot to impose costs and harm innovation,” argued cyber security expert Robert Graham.
“The law makes the vague requirement that devices have ‘reasonable’ and ‘appropriate’ security features.”
Others have welcomed the move, saying it will help consumers.
“Consumers and business are fed up with usernames, passwords and the issues that accompany them,” said Robin Tombs, chief executive of technology company Yoti.
“Everyone knows more should be done to protect data, but it needs to be as easy as the same old ‘password123’ to gain mass adoption.”