Default Passwords for Smart Connected Devices Banned in California

The legislation institutes stricter passwords for smart physical devices, including smart home security gear, that collect and share data from users.

SACRAMENTO, Calif. — California has passed a law that bans default passwords for all Internet of Things (IoT) devices, including smart home security gear.

Beginning Jan. 1, 2020, the legislation (Senate Bill No. 327) requires manufacturers of a connected device to equip it with a “reasonable security feature or features.” The bill requires manufacturers either to provide default passwords that are unique to each device or to prompt the user to generate a new password before using the product.

The bill aims to improve security for the vast number of consumers who do not change default passwords — such as “123,” “password” or “admin” — that come with new devices. In doing so, the legislation effectively bans pre-installed and hard-coded default passwords on any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

Although the goal of the bill is to thwart hackers from installing malware and using infected devices as part of botnet attacks, the ban has left some cybersecurity professionals skeptical of its true efficacy.

“I think the law that the State of California is contemplating is a great first step, but it’s just a first step in a very long road to ensuring security around the globe,” Bill Evans, senior director at One Identity, told the Verdict.

Evans said a preferred approach would be one that doesn’t mandate specific action. “Rather, governments should use the levers at their disposal to incentivize enterprises to solve the problems in ways that meet their needs,” he said.

The bill was approved by the California Assembly and Senate in August and was signed into law by Gov. Jerry Brown on Sept. 28.


About the Author


Although Bosch’s name is quite familiar to those in the security industry, his previous experience has been in daily newspaper journalism. Prior to joining SECURITY SALES & INTEGRATION in 2006, he spent 15 years with the Los Angeles Times, where he performed a wide assortment of editorial responsibilities, including feature and metro department assignments as well as content producing for Bosch is a graduate of California State University, Fresno with a degree in Mass Communication & Journalism. In 2007, he successfully completed the National Burglar and Fire Alarm Association’s National Training School coursework to become a Certified Level I Alarm Technician.


One response to “Default Passwords for Smart Connected Devices Banned in California”

  1. Robert Blevins says:

    Leave it to California to legislate passwords! Unbelievable…………..
