California to Make Weak Passwords Illegal

California is set to clamp down on manufacturers who ship their products with weak or generic passwords, protecting

As any savvy internet user knows, your personal data is only as safe as your password. It turns out that some of those passwords simply aren’t that secure, which is why California is passing legislation to make weak ones illegal by 2020.

Fortunately, the move won’t see unimaginative users carted off to jail – its aimed at manufacturers who are selling products with generic username and passwords that can be easily cracked, leading to potential data concerns.

While the new legislation could lead to serious repercussions for manufacturers who compromise their customers privacy, does it go far enough? And for those that want protection now, what can be done in the immediate future, before this bill comes into law in 2020? Read on to find out more.

How will the law combat weak passwords?

The law, introduced in the Information Privacy: Connected Devices bill, seeks to make manufacturers of tech products more responsible for their customers online security. It is common practice for devices to come with generic username and passwords, that can be easily cracked. It’s also fairly common for all devices to share the same username and passwords out of the box, and with many users never taking steps to change them, their personal data could be at stake.

The law will mandate that new devices must either come with unique log in details, or that the user will have to follow initial steps when using it for the first time to create these themselves. It will cover a myriad of ever expanding internet connected equipment, from routers and cameras, to smart televisions.

In order to incentivise companies to carry out these changes, the bill also states that customers can sue the original manufacturer in cases where they have had their privacy compromised due to a weak password.

Why is California banning weak passwords?

Weak passwords can be problematic for consumers, especially if steps aren’t taken to update them straight away. There have been many instances of severe breaches of privacy due to default security details on tech products. Connected cameras are a popular one for hackers, and you don’t have to look too hard on the internet to find lists of lo-in details, as well as sites that host unsecured, live footage broadcasting directly from the homes of unsuspecting owners.

Also vulnerable are routers, which can ship with generic username and passwords and in turn be easily exploited. This can mean that any activities carried out on the network can be intercepted, leading personal and financial details getting into the hands of hackers.

Is this law enough to protect Californians?

While there’s no doubt that this is a positive move by the state of California that will protect less net-savvy consumers, some are claiming that it doesn’t go far enough. Writing in The Register, Kieren McCarthy claimed that it was a missed opportunity, and could go even further, incorporating more strict rules about enforcing updates. It’s a good point. While devices can be exploited by cracking generic username and password details, flaws and exploits in software also provide a backdoor to the maliciously minded.

Developers are fully aware of this, which is why they are constantly updating their software, to patch these security concerns. However, consumers tend to be less bothered, and see updates as a nuisance, or are put off by the odd horror story about updates going wrong (Windows 10 providing the latest example). Doing more around ensuring that these updates are actually acknowledged and installed would certainly reduce the number of weak spots of any devices security.

How can I improve my personal security?

While this new legislation will protect consumers, there are steps that you can take today to seriously improve your online safety.

In order to ensure you’re protected online, it’s important to have a robust password. Here are some tips to help you create the perfect password:

  • Don’t duplicate – Use a different password for each site you use.
  • Combine letters and numbers – Mix up your password with numbers and letters. Throw in a exclamation mark or percentage symbol to make it extra secure.
  • Two-factor – If the site offers it, use tw0-factor authentication. This usually means that the site will periodically send you a code to your mobile to ensure you are who you say you are.
  • Password clues – Don’t make your password clues anything too obvious. Your mother’s maiden name or first school could be easily broken with a little research.
  • Check your password – From time to time, enter your email address into to see if your account has been compromised.

The easiest way to remember passwords is to not remember them in the first place. That might sound a little counter intuitive, but with a password manager, you can generate complex and secure passwords, without having to worry about forgetting them. Your password manager will automatically log you in to sites, and some even alert you if your security is compromised. Check out our Best Password Managers of 2018 guide to see what kind of features they offer, or start a free trial today.

OFFER: Get a 14-day free trial of LastPass, one of's top-rated password managers
Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Jack is the Deputy Editor for He has over 15 years experience in publishing, having covered both consumer and business technology extensively, including both in print and online. Jack has also led on investigations on topical tech issues, from privacy to price gouging. He has a strong background in research-based content, working with organisations globally, and has also been a member of government advisory committees on tech matters.
Back to top