The first two paragraphs of Senators Want A Hack-Proof Internet Of Government Things are sufficient to establish the authors of the Internet of Things Cybersecurity Improvements Act as deeply uninformed:
Internet-connected smart devices purchased by the federal government would have to meet strict security standards under bipartisan legislation introduced Tuesday.
Those devices would have to accept software patches to remove vulnerabilities and allow users to change default passwords, according to the Internet of Things Cybersecurity Improvements Act.
…
Sigh, “…allow users to change default passwords….”
That’s section 3, (a)(1)(A)(i)(IV):
…does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.
Yeah! Getting users to change default passwords is a step towards …. 91% insecurity.
If you have the top 1,000 passwords by popularity, you are close to 91% of the “changed” passwords you will encounter. (That link leads to the top 10,000 passwords if you are looking for completeness.)
You could argue that improving the security of the Internet of Things by 9 percentage points (maybe) isn’t nothing.
True but it is so nearly nothing as to not be worth the effort.
PS: There are solutions to the IoT password issue but someone needs to pay money to spark that discussion.