COMMENTARY: In April 2024, the UK banned default guessable usernames and passwords for some IoT devices, becoming the first country to implement such stringent regulations.
The move raises many questions: Should such legislation extend beyond IoT devices? Should we include personal as well as business passwords? Should we consider such bans in the U.S. and elsewhere? The U.S. has set regulations to improve security for IoT devices owned or controlled by the federal government, but in terms of usernames and passwords, it hasn’t gone beyond what’s mandated in broad regulations like the Federal Trade Commission Act, the Children’s Online Privacy Protection Act (COPPA), and the California Consumer Privacy Act (CCPA).
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Password-based security has been limited because shared secrets are inherently vulnerable. In the UK legislation’s case, there’s nothing preventing a user from changing a strong default password to a weak password. The UK’s legislation is better than nothing, but we should strive to improve security beyond just banning weak default IoT passwords.
The scope and limitations of password bans
How will the UK enforce its legislation? It’s impractical to enforce any sort of mandate across millions, if not billions, of users across an entire global ecosystem. It’s also unlikely that overseas manufacturers will suddenly stop shipping weak password-protected IoT devices to the UK.
Even if that was the case, the passwords on IoT devices are just a small portion of all the passwords most people have. According to a survey NordPass conducted in March 2024, the company’s users have an average of 168 passwords. While users without a password manager may have fewer passwords, 77% of basic web application hacks start with using stolen credentials, according to Verizon’s 2024 Data Breach Investigations Report. Clearly, focusing solely on IoT devices does not solve the problem.
Shareable credentials like passwords are inherently weak, so the idea of strengthening them is also flawed. Even the strongest passwords are weaker than two-factor authentication or passwordless alternatives.
Instead of banning weak default passwords on IoT devices, we should strive for better authentication solutions for all personal and business accounts, and look beyond the username and password combination.
Innovative authentication methods
Even if we effectively apply a weak password ban to every single account, such a mandate will not spur innovation. Instead, a ban will frustrate users over login friction and cause new security obstacles. Countries pursuing innovation in the security industry should focus on replacing passwords with other authentication methods, rather than passing new types of bans.
Imagine a future in which passwords are extinct, or at least outnumbered by more secure and user-friendly methods. Strengthening passwords represents a band-aid solution. We can and should take passwords out of the equation completely.
There are already many innovations beyond passwords, from time-based passcodes, to passkeys, to trusted end-to-end encrypted channels. Other secure authentication methods that eschew passwords include FIDO2/U2F, PKI-based authentication, and on-device biometrics. These affirm user presence, which completely outclasses all types of passwords in every way.
Alternatives to passwords show that it’s possible to balance security and user experience without sacrificing either. If it’s not possible to replace passwords in a specific situation, legislation can play a role, but incentivizing 2FA offers even better route. Getting another factor involved makes sense and a good idea, and it’s certainly better than just trying to ban weak default passwords.
Raising the floor on default security
The UK ban doesn’t go far enough, but it also begs the question: should governments even enforce a password ban or should service providers take the initiative? As governments struggle to keep pace with tech, companies should consider taking the lead on user security.
Not only does this fulfill the obligation and responsibility that service providers have to their users, but improving default security posture can help safeguard users who may not have the time, expertise, or resources to manage their own security. Improving default security posture can be more effective than legislative bans.
To reduce the reliance on passwords and single factor shared secrets, tech companies, regulators, and users must work together. Moving users to having fewer passwords will raise the floor on default security, and that’s what everyone (except cybercriminals) ultimately wants.
The less that we depend on weak passwords, the better. The less that we depend on passwords, the better. Outright password bans are a blanket solution to a nuanced security problem.
If the entire ecosystem moves towards more secure defaults, meaning doing away with passwords whenever and wherever possible -- we will not need to regulate our way out of this mess. Legislation will always play a role in the security industry, but we can solve more long-term problems by leveraging innovative authentication methods and raising the floor on default security.
Legislation and bans are not a permanent solution. We should instead work toward not giving users the opportunity for bad behaviors, like adopting default passwords or reusing existing passwords. Improving authentication beyond password bans requires tech companies and service providers to take the initiative to reduce password use. It’s time to start working toward a future where security and seamless user experience live hand-in-hand.
Rishi Bhargava, co-founder, Descope
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
