The United Kingdom has banned banal passwords on Internet devices, including routers, cable modems, and other devices. This was reported by Ars Technica.

This is provided for by amendments to the Product Security and Telecommunications Infrastructure Act (PTSI). The changes were introduced in 2022 and have now entered into force.

According to them, any Wi-Fi card must have a random password or generate it during initialization through a smartphone app or otherwise.

This password cannot be incremental (“password1”, “password54”). It should also not be obviously related to public information such as a MAC address or Wi-Fi network name.

The changes are aimed at combating malware that can turn routers, cable modems, IP cameras, and DVRs into tools for DDoS attacks.

The device should be sufficiently resistant to brute force attacks, including credential spoofing, and should have a simple mechanism for changing the password.

Software components must be checked for updates and updated either automatically or in a “user-friendly” manner.

Failure to comply with these requirements could result in fines of up to £10 million (approximately $12.5 million) or 4% of global revenue, whichever is greater.