Should Devices Be Required to Only Allow Complex Passwords?

We all know what a pain it is to come up with new passwords all the time and can understand the allure of not having to create a new password if you don’t have to. So when you get a new device that has an included password, why create a new one? It works the way it is.

But the state of California doesn’t believe that is keeping you well protected. They passed a law banning devices from shipping with default passwords, such as “123456” and “password123.” Should this law be stretched further? Should devices be required to only allow complex passwords?

Our Opinion

Miguel says it depends on how complex the passwords need to be and took the thought wider than just devices. “Services that don’t contain any crucial personal data (like gaming forums) shouldn’t encourage such things” because if you aren’t using the same password for other more sensitive services, such as email or Paypal, there really isn’t any real danger.

He doesn’t believe this new law will have any real effect because people sill still use simple passwords on devices. Hackers will still be able to scan ports for common passwords that will still be used by lazier people. “The true remedy against hackers is educating people on the dangers of default passwords in the first place.” It’s a person’s own responsibility to maintain security.


Alex believes “it’s far better that folks use password managers rather than intentionally setting poor passwords, even for unimportant accounts.” He also feels “social engineering attacks often start by collecting apparently benign personal information that, when compiled, becomes enough to reset a crucial password.”

He’s not usually a fan of legislation with these things, but this is a “no-brainer” to him. He finds it stupid to ship devices with default passwords. He thinks they should ship with long passwords and force a user to choose new ones immediately. He just had a new Internet set up in his apartment, and while the model had a unique SSID and network password, the router configuration webpage had admin and a blank password. Someone who wasn’t as tech savvy wouldn’t even know that page existed or how and why it should be changed. He’s hoping the world, and not just California, will benefit from this.

Simon thinks devices should definitely force the use of complicated passwords. “While having a secure password for everything you use is ideal, I think it goes double for devices.” Many problems and a lot of stress could be negated by simply securing technology with a proper password. It saves resources for the company producing the devices as well, as they’ll have less customer support calls because of hacked devices.

Damien believes that while it’s a good idea for a device to use complicated passwords by default, “the manufacturer should also include additional instruction on how to handle it.” He also thinks they should come with a mechanism for the user to change the default password when necessary. He hates it when “devices come with a default password and force you to use it for its lifetime.”

Andrew also isn’t a big fan of tech legislation, “but establishing basic cybersecurity expectations for devices is a little bit like having minimum food and drug safety standards.” He thinks it’s good to know that even if something isn’t the best quality, that it’s still not something that will kill him or compromise his security. He’d prefer if people could have this cybersecurity knowledge on their own but knows it won’t happen.


He’d also like to see these rules be “fuzzy and loosely-enforced” as manufacturers should be liable for poor security practices, but overzealous enforcement might end up badly. Using the South Korean banking system with technical security legislation from the early 2000s is now a nightmare to use on a PC, yet the same legislation was never applied to mobile banking, so it made it simpler and more secure.

Phil doesn’t think it could be explained any better than it has been so far in the other comments, but he thinks there is a lot more at work here, with government legislation, companies who make devices, and the public just wanting things to work with the most minimum effort and technical knowledge. He recognizes our niche is explaining these things but feels the public wants “pushbutton ease-of-use, but they also want ultimate waterproof security,” and he doesn’t think the two things are compatible. There’s work that goes into making things secure, so a middle ground is needed where it’s relatively easy to implement good security.

Like Phil, I can’t add much to what has already been said. I don’t like a lot of government regulation, but I don’t see why manufacturers would ship a device that is easily hacked. Why would they do that to their customer base? That just seems reckless on their part to me, and if they’re not going to take care to not do that, then the law makes sense.

Your Opinion

What are your thoughts on government intervention in technology? Should they step in and make laws in this case to keep everyone safe? Or should they just stay out of it? Should devices be required to only allow complex passwords?
Join our conversation by adding your thoughts into the comments below.

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.


  1. Complex password requirements only encourage shortcuts.
    Such as the same password on each and every device.
    I think we need robust systems that do away with the need for so many passwords.

  2. Forcing complex passwords only encourages people from writing them down. I think everything should be shipped with an open (published) password, but the user should be forced to change this before the device works. Also, it should be possible to erase all data and get back to the default password, but it should also be possible to lock the device so that if it is stolen nobody can profit from it or the data held on it

    Password managers do not help much, especially in this cloud enabled world where ‘data is the device’ and you can access it from almost any device you own. Two factor authentication, for example using a ‘trusted’ mobile phone might help, but if you are travelling and someone steals your laptop and phone they are close to stealing your identity and everything you thought you owned.

    Biometrics are a way forward, but in many applications – such as home automation, access control and vehicle security this needs to be enabled simply and transparently fur multi-user groups, thin includes solutions that enable and recognize juniors/minors and give the appropriate level of access.

  3. I have to say that I don’t think there’s any easy answer to this one. There are bound to be people who think bad things will never happen to their own little cyber-world and will (despite all the dire warnings) persist in using the same simple or easy-to-crack passwords on different accounts. Maybe bio-metrics is the way but just how can that be implemented, apart from a compulsory implant at birth! Not even a serious suggestion! Too Orwellian for my liking. Shipping without a default is certainly a start but it needs a radical sea-change somewhere.

  4. There is a reason California is known as “La-La Land”.

    How long before someone develops a hack to make the devices allow simple Passwords?

    My company has a policy of forcing everyone to change their password every 30 days for sake of maintaining security. BIG, FAT, HAIRY DEAL! All that policy has accomplished is to make the vast majority of users write down their password on a sticky note which would be stuck somewhere in the cubicle. So much for security!

    What is needed is not legislation but EDUCATION. The users need to be taught the dire necessity of security. However, teaching 99% of non-IT users the necessity of security is like teaching teenagers about the necessity for abstinence.

    1. Dragonmouth is 100% correct. Even publicly shaming them for keeping passwords in/on/around their desk doesn’t work with many. Trying to teach someone who isn’t very computer literate to use a password keeper tends to be a huge issue. Especially after they forget their master password then ask us to “hack” it for them…you know, because it’s so easy to hack password keeper programs. We just have to continue the education of our users and threaten to change their passwords to stuff like SheepPorn3! if they continue to forget it (which has actually worked to curb the dumb…at least here).

Comments are closed.