RIP 'Admin'? UK Cracks Down on Weak, Default Passwords for IoT Devices

The Product Security and Telecommunications Act (PSTIA) requires device makers to either remove simple default passwords or prompt the user to create a password upon setup.

By Joe Hindy, Contributor

(Credit: Joan Cros / NurPhoto via Getty Images)

Security professionals have been telling us for years to change the default passwords on internet-connected smart home devices, but the UK is taking it a step further and mandating a crackdown on the use of weak passwords for IoT devices.

The Product Security and Telecommunications Act (PSTIA) went into effect this week and bans manufacturers from shipping products with simple passwords. On most routers, for example, the username is "admin" and the password is "admin" or "password," which can leave a host of devices vulnerable to hackers.

With this legislation, a device manufacturer must either remove easily guessed, default passwords or require the user to create a password upon setup. In theory, those well-known default passwords would then no longer provide access to a device.

The problem, according to UK consumer nonprofit Which?, is that the legislation doesn't require people setting up their IoT devices to use a strong password.
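The two requirements described above, a device that refuses its factory credentials and forces the owner to set a password at first boot, together with the strength check that Which? notes the Act does not mandate, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from any manufacturer or from the Act's guidance; the blocklist, the 12-character minimum and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed blocklist of well-known default credential pairs. The two the
# article names (admin/admin, admin/password) are included; the others are
# illustrative placeholders, not any real device's factory list.
KNOWN_DEFAULT_PAIRS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
}
# Constructed list of passwords rejected regardless of username.
WEAK_PASSWORDS = {"password", "admin", "12345678", "123456789", "qwerty123"}
MIN_PASSWORD_LENGTH = 12  # assumed policy value; the Act itself sets no minimum


def password_policy_violation(username, password):
    """Return a reason string if the chosen credentials are unacceptable, else None."""
    if (username, password) in KNOWN_DEFAULT_PAIRS:
        return "well-known default credential"
    if password.lower() in WEAK_PASSWORDS:
        return "password is on the weak-password list"
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"password shorter than {MIN_PASSWORD_LENGTH} characters"
    if username.lower() in password.lower():
        return "password contains the username"
    return None


class FirstBootAuth:
    """Credential store for a device that ships with no usable password.

    Every login attempt is refused until complete_setup() has stored an
    owner-chosen password, so a factory credential never grants access.
    """

    def __init__(self):
        self.setup_complete = False
        self.username = None
        self._salt = None
        self._hash = None

    @staticmethod
    def _derive(password, salt):
        # Salted, iterated hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def complete_setup(self, username, password):
        """Run once at first boot; rejects default, weak or username-derived passwords."""
        if self.setup_complete:
            return "already configured"
        reason = password_policy_violation(username, password)
        if reason:
            return f"rejected: {reason}"
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)
        self.username = username
        self.setup_complete = True
        return "ok"

    def login(self, username, password):
        """Return 'setup_required', 'ok' or 'denied'; no default ever succeeds."""
        if not self.setup_complete:
            return "setup_required"
        candidate = self._derive(password, self._salt)
        # Constant-time comparison; the derive step runs even for an unknown
        # username so the response time does not reveal whether it exists.
        if username == self.username and hmac.compare_digest(candidate, self._hash):
            return "ok"
        return "denied"


if __name__ == "__main__":
    dev = FirstBootAuth()
    print(dev.login("admin", "admin"))                      # setup_required
    print(dev.complete_setup("admin", "admin"))             # rejected: well-known default credential
    print(dev.complete_setup("owner", "correct horse battery"))  # ok
    print(dev.login("admin", "admin"))                      # denied
```

What the example deliberately leaves out is a lockout or rate limit on repeated failures; the Act does not require one either, and it is the other control that decides whether a credential-guessing scan of the kind the article attributes to Mirai gets anywhere against a device whose owner has chosen a poor password.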

"In our view, such an approach basically enables a manufacturer to delegate responsibility for good security onto the user," says a Which? spokesperson, who conceded that "the act goes one step towards addressing the issue of default passwords, and that should be applauded."

A spokesperson for the UK's Department for Science, Innovation and Technology also said "we are not mandating passwords or mandating that users need to take any new actions."

The PSTIA also requires manufacturers to publish information on how users can report security threats, along with receipts to show that the report was received and handled. Companies also have to publish information on how long a product will receive security updates in an "accessible and transparent manner." Failure to comply can result in a recall or fines for device makers.

Ultimately, the law is looking to prevent incidents like the Mirai botnet DDoS attack in 2016, which used a short list of 62 common default usernames and passwords to scan for vulnerable devices and ensnared nearly 300,000 devices.

About Our Expert

Joe Hindy

Contributor

Hello, my name is Joe and I am a tech blogger. My first real experience with tech came at the tender age of 6 when I started playing Final Fantasy IV (II on the SNES) on the family's living room console. As a teenager, I cobbled together my first PC build using old parts from several ancient PCs, and really started getting into things in my 20s. I served in the US Army as a broadcast journalist. Afterward, I served as a news writer for XDA-Developers before I spent 11 years as an Editor, and eventually Senior Editor, of Android Authority. I specialize in gaming, mobile tech, and PC hardware, but I enjoy pretty much anything that has electricity running through it.

Read full bio