As of today, a new law has come into effect requiring smart device manufacturers to make it more difficult for hackers and cyber attackers to compromise devices in the UK.
The update in law is due to an increased risk of attack globally, with several huge breaches shutting down systems in the UK, USA and other countries in the last few years. A notable example is the 2017 attack on the NHS, thought to be connected to North Korea, which resulted in the sudden shutdown of some A&E departments.
The law covers three key points:
- Common, easily guessed passwords are now banned
- Manufacturers must publish their contact details so consumers can alert them to bugs or issues with their devices
- Manufacturers and retailers must be transparent about the minimum time for which consumers can expect to receive important security updates
How is the new password law different to previous guidance?
While many manufacturers already require device users to set complex passwords, until now it was only a recommendation from the UK government to do so, leaving it up to companies to decide what their restrictions should be. From today, easily cracked passwords such as ‘12345’ or ‘password’ will be banned, and manufacturers must ensure they cannot be used. For consumers, this will likely be a relatively easy transition, as password restrictions are thankfully prevalent already.
What are examples of safe and unsafe passwords?
A very safe password is something like SwKeFegfEbln15!4£; it is a sequence that has:
- Capital and lowercase letters
- Numbers
- Symbols
- More than 12 characters
Many people find remembering a sequence like the above difficult, and so advice generally is to try and create a safe password that:
- Has two or three random words together
- Has numbers, letters and symbols in it
- Has more than 10 characters
For example, News!eTTerMarKer5 would be considered a good password. It has two random words, some capital letters, a number and a symbol. To help you find a good password, you could think about:
- Your favourite lunch item + a place
- Your coffee order + an item on your desk
- A landmark + road name + age of your car
As long as you can remember it (and won’t need to write it down), this formula works very well for creating safe, memorable and hard to guess passwords.
What to avoid when creating passwords
An unsafe password is one that is easily guessable (by a person or by specialist software that exists to break into devices), such as a common admin password, your birthday, or your dog’s name, e.g. 12345.
Examples of things to avoid with passwords:
- Short passwords (fewer than 8 characters)
- Places of birth
- Birthdays
- Children’s or pets’ names
- Common words such as ‘password’
- Common number sequences such as ‘12345’ or ‘09876’
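One way a device's set-password screen could enforce the list above, as an added example that is not taken from the article or from the PSTI regulations. The function names, the small deny-list and the sample personal details are constructed for illustration; a real product would ship a far larger list.

```python
import re

# Constructed sample deny-list (assumption): stands in for a real common-password list.
COMMON_PASSWORDS = {"password", "admin", "12345", "123456", "qwerty", "letmein"}
MIN_LENGTH = 8  # the article's threshold for a "short" password
# Undo common look-alike swaps so 'P@ssw0rd' is compared as 'password'.
LOOKALIKES = str.maketrans("@0$31!", "aoseii")

def is_digit_run(pw: str) -> bool:
    """True for all-digit strings that count up or down by one,
    wrapping between 9 and 0 (so '12345', '09876' and '7890' match)."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {9})

def weak_reasons(password: str, personal: tuple = ()) -> list:
    """Return why a candidate password should be refused (empty list = accept).
    `personal` holds details the owner has given the device, such as a pet's
    name, place of birth or date of birth."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if is_digit_run(password):
        reasons.append("number sequence")
    # Drop trailing digits/symbols, then undo look-alikes: 'P@ssw0rd1!' -> 'password'.
    base = re.sub(r"[^a-z]+$", "", lowered).translate(LOOKALIKES)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("common password")
    # Compare with punctuation removed so '14/02/1990' matches '14021990'.
    squashed = re.sub(r"[^a-z0-9]", "", lowered)
    for item in personal:
        needle = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(needle) >= 3 and needle in squashed:
            reasons.append("personal detail")
            break
    return reasons

if __name__ == "__main__":
    owner = ("Rex", "14/02/1990")  # constructed sample: pet name and birthday
    for candidate in ("12345", "09876", "P@ssw0rd1!", "Rex14021990!", "News!eTTerMarKer5"):
        print(f"{candidate!r}: {weak_reasons(candidate, owner) or 'accepted'}")
```

An empty list only means that none of these particular checks fired, not that the password is strong.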
Why are they changing the law on passwords?
With cyber attacks becoming more common, and our increasing reliance on connected devices, the UK government has found it imperative to protect UK infrastructure by protecting our devices from criminals and would-be attackers. With pressure building in relations with other countries such as Russia or China, it is important that we are proactive in ensuring our safety and security. This isn’t to say we’re going to be under attack; only that we should avoid any vulnerabilities to ensure an attack can’t happen.
Since the last change in cyber security guidance in 2016, a 2017 attack on the NHS left our A&E departments unable to open. The Mirai attack of 2016 compromised up to 300,000 devices and left much of the US East Coast without internet. Thousands of private companies have faced cyber attacks in the last 8 years; most recently there was a breach in popular business software MOVEit, which resulted in the copying of employee data from several large companies such as the BBC, BA and Boots.
We also have more digital devices than ever before, with the average household owning 9 connected devices. Over 99% of UK adults own at least one digital device and many have several. This includes doorbells, smart TVs, fridges, mobile phones and more.
NCSC Deputy Director for Economy and Society, Sarah Lyons said:
“With 57% of households owning a smart TV, 53% owning a voice assistant and 49% owning a smart watch or fitness wristband, this new regime reinforces the government’s commitments to addressing these threats to society and the economy head on.
The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.”
How does the new password law affect businesses?
Unless you manufacture digital devices, this law does not affect your business. There is currently no law requiring that companies who buy the devices should ensure strong passwords, only that the device manufacturers themselves should ensure a weak password would not be accepted by the device.
This doesn’t mean that you are off the hook completely; it is still very important to ensure your employees use a strong password and practise safe password habits, such as not writing them down and not using them on multiple devices / accounts.
Do remember the data breaches we’ve seen in recent years and the public fallouts from them; avoiding weak security is the responsibility of each business and each employee.
You can read the full Gov.uk press release here
What is a ‘cyber attack’?
A cyber attack is any attempt to compromise (break into) a computer system, network, infrastructure or device in order to cause harm. Harm could be caused by way of stealing data (such as names, addresses, bank details), disrupting major services (such as locking NHS computer systems), or simply collecting information that should be kept private (such as a company calendar). This could be small scale, for example someone hacking into your social media account, or country-wide scale such as the Mirai attack. The cyber attacks that the UK government is concerned about avoiding are generally large scale attacks, though consumers should be aware of vulnerabilities in all areas in order to keep themselves safe.
Cyber attacks happen for a number of reasons, from political gain to stealing money. To avoid becoming a victim of attackers, it is important to keep passwords safe and security software up-to-date.
If you would like to discuss your cyber security, or have any questions about the article and your business, please get in touch with us and we can support you to strengthen your systems. We are Cyber Essentials certified and have experts on hand to assess and improve your cyber security so that you can be confident you and your business are safe.
About Viewdata
Viewdata is a specialist IT support provider with over 30 years’ experience. We're based in Reading and offer flexible IT solutions to local and national businesses of all sizes.