https://community.isc2.org/t5/Tech-Talk/California-passes-law-that-bans-default-passwords-in-connected/m-p/15310#M504 <P>The next step should be to ban all most popular passwords a'la 123456, password123 or defining mandatory regex for passwords should be even easier.</P> Sat, 06 Oct 2018 17:51:59 GMT ro83 2018-10-06T17:51:59Z https://community.isc2.org/t5/Tech-Talk/California-passes-law-that-bans-default-passwords-in-connected/m-p/15297#M503 <P>No more "admin/admin" or "password/password". Enforcement and penalties are not mentioned.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/?yptr=yahoo" target="_self">https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/?yptr=yahoo</A></P> Fri, 05 Oct 2018 21:40:54 GMT https://community.isc2.org/t5/Tech-Talk/California-passes-law-that-bans-default-passwords-in-connected/m-p/15297#M503 kpinkham 2018-10-05T21:40:54Z https://community.isc2.org/t5/Tech-Talk/California-passes-law-that-bans-default-passwords-in-connected/m-p/15310#M504 <P>The next step should be to ban all most popular passwords a'la 123456, password123 or defining mandatory regex for passwords should be even easier.</P> Sat, 06 Oct 2018 17:51:59 GMT https://community.isc2.org/t5/Tech-Talk/California-passes-law-that-bans-default-passwords-in-connected/m-p/15310#M504 ro83 2018-10-06T17:51:59Z https://community.isc2.org/t5/Tech-Talk/California-passes-law-that-bans-default-passwords-in-connected/m-p/15311#M505 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/467994801">@kpinkham</a>&nbsp;wrote:<BR /><P>No more "admin/admin" or "password/password". Enforcement and penalties are not mentioned.</P><P>&nbsp;</P><P><A href="https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/?yptr=yahoo" target="_self">https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/?yptr=yahoo</A></P><HR /></BLOCKQUOTE><P>You can read the bill itself here:</P><P><A href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327" target="_blank">https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327</A></P><P>&nbsp;</P><P>From the bill:</P><P><EM>"(d)&nbsp;This title shall not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority."</EM></P><P><SPAN><STRONG>My interpretation:</STRONG> This law does not apply to any government systems or critical infrastructure systems that have legal or regulatory security mandates, such as FISMA or RMF or CSF.&nbsp;</SPAN></P><P>&nbsp;</P><P><EM>"(e)&nbsp;This title shall not be construed to provide a basis for a private right of action. The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title."</EM></P><P><SPAN><STRONG>My interpretation</STRONG>: (a) it is up to state or local prosecutors to enforce the law. It is not clear that they would do so by filing criminal charges or by civil suit, but I suspect the latter.</SPAN></P><P><SPAN>(b) no private or personal civil lawsuits can use this law as the basis for the suit.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Sat, 06 Oct 2018 18:07:29 GMT https://community.isc2.org/t5/Tech-Talk/California-passes-law-that-bans-default-passwords-in-connected/m-p/15311#M505 CraginS 2018-10-06T18:07:29Z