Yesterday (29 April 2024), new United Kingdom consumer product security rules came into force that, among other things, prohibit manufacturers from shipping internet-connected devices with universal default or easily guessable passwords.
Basic passwords such as "123456" have long been recognized as a serious security weakness and are routinely exploited by attackers. Despite growing awareness, they remain surprisingly common, and on consumer devices they are often the factory default, shared across an entire product line.
The danger with such passwords is that they are guessed quickly, by hand or by automated tools working through lists of common values, giving unauthorized access to the device and the data behind it. For the device owner this puts both financial assets and personal identity at risk.
To combat weak passwords, the UK government has brought into force regulations under its Product Security and Telecommunications Infrastructure (PSTI) Act 2022 that set security requirements for "relevant connectable products". These requirements aim to make citizens more resilient to cyber attacks and to shield the economy from the financial disruption such attacks cause.
With the regulations now in force, manufacturers, importers, and distributors of consumer internet-connected devices, from smartphones to smart fridges, must publish the minimum period during which a product will receive security updates. The framework also requires companies to provide a point of contact through which security researchers can report vulnerabilities in device software.
Furthermore, the PSTI regime mandates stronger password practices, prohibiting universal default passwords and easily guessable ones. Each product must instead ship with a password that is unique to that unit (or be set by the user), which closes off the mass-exploitation route in which one leaked default unlocks every device of a given model. Importantly, a device must not be resettable to a universal factory default password.
Internet-connected devices placed on the UK market must also be accompanied by a statement of compliance with the security requirements set out under the PSTI Act.
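One way a manufacturer can meet the per-unit password requirement in practice, shown here as an added illustration that is not from the article and is not a scheme the Act or any regulator prescribes: derive each unit's factory password from a secret held only in the factory and the unit's serial number using HMAC-SHA256, then reject any candidate that is common, short, low-entropy, or contains the serial, and confirm that no two units in a batch share a password. The secret value, the serial-number format, the common-password list and the length thresholds are all constructed assumptions for the example.

```python
import hashlib
import hmac
import string

# Constructed deny-list of the kind of common passwords the article names;
# a real deployment would load a large breach-derived list instead.
COMMON_PASSWORDS = {"123456", "111111", "password", "12345678", "qwerty", "admin"}

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def derive_device_password(factory_secret: bytes, serial: str, length: int = 12) -> str:
    """Derive a password unique to one unit from a factory-held secret and the
    unit's serial number (illustrative HMAC-SHA256 scheme, not a mandated one).

    The serial may be printed on the label, but without factory_secret an
    attacker cannot recompute the password, and no two serials map to one."""
    digest = hmac.new(factory_secret, serial.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))  # base-62 digits of the 256-bit MAC
        chars.append(ALPHABET[idx])
    return "".join(chars)


def _is_sequential_digits(password: str) -> bool:
    """True for all-digit runs such as 123456 or 987654."""
    if not password.isdigit() or len(password) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def password_problems(password: str, serial: str = "", common=COMMON_PASSWORDS) -> list:
    """Return the reasons a factory-set password is unacceptable; an empty
    list means it passed every check (thresholds are assumptions)."""
    problems = []
    if password.lower() in common:
        problems.append("appears in the common-password list")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(set(password)) < 4:
        problems.append("fewer than 4 distinct characters")
    if _is_sequential_digits(password):
        problems.append("is a sequential digit run")
    if serial and serial.lower() in password.lower():
        problems.append("contains the device serial number")
    return problems


def batch_is_unique(passwords) -> bool:
    """A production batch must not share a password (no universal default)."""
    passwords = list(passwords)
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    secret = b"factory-secret-kept-in-the-hsm"  # constructed placeholder
    serials = [f"SN-{i:06d}" for i in range(1, 6)]  # constructed serial format
    pws = [derive_device_password(secret, s) for s in serials]
    for s, p in zip(serials, pws):
        print(s, p, password_problems(p, s) or "ok")
    print("batch unique:", batch_is_unique(pws))
    print("123456:", password_problems("123456"))
```

The derivation keeps the factory's per-unit logistics simple (nothing per device has to be stored beyond the serial), while the checks catch the failure modes the article describes: a password that is shared, trivially guessable, or recoverable from information printed on the device.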
Science and technology minister Jonathan Berry, quoted by The Guardian, said that thanks to these regulations "consumers will have greater peace of mind that their smart devices are protected from cybercriminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe."
"We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world," Berry adds.
Whether the new regulation succeeds will only become clear with time, but it has the potential to at least partially reduce the harm caused by oversimplified passwords. Unfortunately, although most Internet users know that strong passwords matter, many still choose primitive phrases that are neither unique nor unpredictable, the two properties on which a password's strength rests.
Recent data from several sources, including the B2B review platform GoodFirms and the cybersecurity research outlet Cybernews, sheds light on how widespread easily guessable passwords remain.
Not only ordinary Internet users but also IT professionals suffer data breaches directly linked to weak passwords. Strikingly, the most basic choices such as "123456", "111111", and the word "password" itself continue to rank among the most popular passwords used to protect confidential information.
A 2023 Cybernews study that examined 15,212,645,925 passwords, of which only 2,217,015,490 were unique, found a wide range of predictable elements inside them, from the names of favorite sports teams and cities to months, days of the week, and even food-related terms.