The Information Privacy: Connected Devices bill (SB-327) will make it illegal for companies who manufacture an internet-connected device, such as a router or webcam, to set a weak default password on the device. Right now many routers came with the administrative password “admin” or “password,” which users are then expected to change to something more complex after they set it up in their home.
Of course, most users rarely do this, meaning hackers have a very easy time accessing their networked devices. From 2020, it will be illegal for manufacturers of internet connected devices to set such simple default passwords on those devices. The bill will require manufacturers to set complex, unique admin passwords on their devices or have a start-up procedure that requires the user to create a strong password when setting up the device for the first time.
As the BBC points out, simple admin passwords for internet connected devices led to hackers being able to take major sites like Twitter, Spotify, and Reddit offline. The new law goes into effect in California on January 1, 2020.