How Will no-password affect Pure O/S and L-Products?

Caught the news today:

Gadget-makers face ban on easy-to-guess passwords

" Internet-connected gadgets will have to come pre-set with a unique password, or require the owner to set one before use, as part of plans for a UK cyber-security law.

Manufacturers could face being forced to recall non-compliant products and could also be fined."

and to add more clout for Microsoft, they took away passwords!

Microsoft’s passwordless plans lets users switch to app-based login.

Microsoft has announced users can now delete all passwords from their accounts and instead login using an authenticator app or other solution.

The technology giant made passwordless accounts available for business users of its products in March.

And that system is now being made available to all Microsoft or Windows users."

:warning: WOW :warning:

Which “Windows”, isn’t clear. With Windows 11 invading more devices makes me wonder, as it did with Win10, why is it free? Is it free as well because there is no price on privacy? Has anyone seen the lack-of-privacy specs for Win11?

~s~

3 Likes

Overall these seem like good ideas (no default password, must specify security update supported timeframe) although the use of “cyber security” and “law” in the same sentence should always be treated with suspicion.

Mandating a recall doesn’t make a lot of sense to me i.e. this should not be retrospective. However maybe the intention is not to apply it retrospectively and the wording is just poor i.e. would only apply to goods sold after some future date (the commencement date). The problem with that is that in reality the supply chain will want to dump a whole lot of non-compliant goods before the commencement date because it is too expensive and difficult to upgrade “in transit” - so that means that things might get worse before they get better.

I would also like to see: no backdoor password but, oops, government wouldn’t want that now. :wink:

I would go further than only requiring the manufacturer to specify the security update timeframe - and instead actually legislate a minimum timeframe. As described, a manufacturer could say “yeah, we support our crap for three months” and that would be compliant.

From what I’ve seen of a limited sample of routers, some manufacturers are already doing the right thing in respect of “no default password” (mostly opting for “unique password” rather than “default password that must be changed before use”).

It is fair to point out also that this is not “law”. It is “proposed”. So there is still time for feedback, either urging a scaling back or urging going further.

To answer the original question … in respect of the Librem 5, I think it might be non-compliant regarding a default password, but it is too long ago that I set mine up, so I don’t remember. Likewise the OpenPGP smartcard that I ordered with it - but maybe that does not count as “internet-connected”.

2 Likes

In the near future, we’ll start seeing reports of the theft of fingerprint and eye scan images…or perhaps of the actual body parts.

4 Likes

Do you remember whether the Librem 5 (purism user) comes with a default password and if so whether you are forced to set a new password on first use?

It was “123456” and no, not forced to reset, unless it has since changed.

1 Like

While I support in principle what the UK government is trying to do … I can see support costs for companies going up - as they get lots of calls along the lines of: it forced me to change the password on first use but I didn’t really know what I was doing at that stage and now I have locked myself out.

I would suggest that the “unique code” approach is better. Routers that I have seen just slap a sticker on the bottom of the unit. That isn’t very secure from an anti-interdiction point of view though. Perhaps if the customer pays for anti-interdiction then Purism should remove the sticker and provide the information that was on the sticker via a secure channel.

I do worry though that companies using the “unique code” approach may be deriving the “unique code” in an insecure manner. There is of course no transparency as to how the code is being derived.

Crypto-strong random number generator? Good.

Deterministic, crypto-strong or weak, derivation from other available information (e.g. serial number, model number, MAC address)? Not so good.

If and when this becomes UK law, hopefully Purism will have thoughts to share.

1 Like
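The contrast drawn in the post above, between a per-unit password drawn from a cryptographically strong random number generator and one derived deterministically from identifiers printed on the label, as an added Python example. This is not code from the forum or from any manufacturer; the derivation scheme (SHA-256 over a serial number and MAC address) is a hypothetical stand-in for the kind of opaque derivation the post worries about, and the sample identifiers are constructed.

```python
import hashlib
import math
import secrets
import string

# Alphabet for generated passwords: letters and digits with the easily
# confused characters 0/O and 1/l/I removed, so a sticker can be read reliably.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def generate_unique_password(length: int = 16) -> str:
    """Per-unit initial password drawn from the OS CSPRNG via the secrets module.

    No device attribute (serial, MAC, model) feeds into it, so knowing those
    values tells an outsider nothing about the password. Each call is fresh.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def derive_from_identifiers(serial: str, mac: str, length: int = 16) -> str:
    """Hypothetical deterministic scheme of the kind the post warns about.

    The 'unique' password is a pure function of identifiers that sit on the
    label or are broadcast on the network. Whoever can read those identifiers
    and knows the scheme can recompute the password for every unit, and the
    vendor has no randomness to point to when asked how the code was made.
    (The modulo mapping below is slightly biased; that is beside the point
    here, since the scheme is only shown to illustrate reproducibility.)
    """
    digest = hashlib.sha256(f"{serial}:{mac}".encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def is_reproducible(fn, *args, trials: int = 3) -> bool:
    """True if repeated calls with the same inputs always give the same result,
    i.e. the output carries no secret randomness of its own."""
    outputs = {fn(*args) for _ in range(trials)}
    return len(outputs) == 1


if __name__ == "__main__":
    # Constructed sample identifiers, not real hardware values.
    serial, mac = "SN-0001", "00:11:22:33:44:55"
    print("CSPRNG password:", generate_unique_password(), "reproducible:",
          is_reproducible(generate_unique_password, 16))
    print("derived password:", derive_from_identifiers(serial, mac), "reproducible:",
          is_reproducible(derive_from_identifiers, serial, mac))
    print("entropy of a 16-char CSPRNG password: %.1f bits" % password_entropy_bits(16))
```

The `is_reproducible` check is the practical tell: a sticker password that can be regenerated from the serial number and MAC is effectively a default password with extra steps, whereas the CSPRNG version has to be recorded at manufacture time because nobody, the vendor included, can recompute it later.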

I think that how the password is used should be a function of the device and how it is used. To connect my employer’s laptop to the company network via VPN requires a Duo Mobile authentication using both my personal smart phone and a password. That in the given situation is appropriate. To login to my account with my electric utility provider to see how much electricity I am using requires only a simple name and a weak password. There is nothing there to steal and the privacy needs there are low. To let any government regulate these issues would be overkill.

One thing I hate are strong password requirements. I hate having to reset my password every time I login somewhere because I can’t remember my complex password. I also don’t like using the same password with more than one account. I really don’t like password manager apps because I don’t trust them. So with fifteen or twenty unique complex passwords in my life, how can I possibly remember more than a few of them? My bank actually recognizes my home wifi network and other properties of my phone or PC. The password can be simple and I am still quite protected. These types of security need to become more common. Longer and more complex passwords just translate to more forgotten passwords. That doesn’t help anyone.

1 Like

You may be overthinking this.

  • It applies to passwords used to access devices that are connected to the internet.

It isn’t clear that it applies to abstract things like “the company VPN” - but it would apply to the VPN appliance itself if “the company VPN” is implemented by such an appliance. (You, as a user, would not normally be logging in to the VPN appliance itself.)

It isn’t clear that it necessarily applies to business-grade products or only to consumer-grade products. It may be being assumed that if you are using a business-grade product then you are sophisticated enough to know that you should never stick with the out-of-the-box password default (which anyone can search for on the internet).

  • Nothing in the article says that the password has to be strong.

(The poorly worded headline could be read as implying that but I don’t think that is what is meant.)

If there is an initial password then it must not be a constant, same password for all devices of that make and model. Instead it has to be a unique password for the specific unit - and you are free to change the password to 1234 as soon as you get into it. (Having said that, it is likely that the initial unique password would be strong.)

Alternatively, there can be no initial password but in that case the device must force you to set a password the first time you use the device and, again, the password chosen by you can be 1234.

In other words, it is trying to stop manufacturer lameness, not user lameness.

The no initial password option therefore wouldn’t exclude the possibility of alternatives to password authentication (like biometrics or hardware tokens or software authenticators - however the latter two are usually used in conjunction with a password i.e. second factor - and in my opinion biometrics suck).

If you happen to be in the UK, you should perhaps be providing feedback on the proposed legislation.

I suppose you might reasonably extrapolate, on the theory of slippery-slopes, that if the UK government is legislating the above this year then next year the UK government will be legislating against weak passwords (like 1234).

@irvinewade @amarok @StevenR
I would be more interested in the views of the gurus here regarding the second Headline, than the first - I noticed in forums that people rarely read to the end. :slight_smile:
I guess I should have made the two different ‘password’ items into separate OP posts.

1 is about the forced unique password, the other (2) bolded second headline is about Microsoft’s Password-less accounts.

Ta
~s~
this is the end

I think all three authentication factors (“something you know” like passwords, “something you have” like a USB security dongle, and “something you are” or biometrics) all have their place. Each has advantages and disadvantages which I won’t go into here just so this reply doesn’t get too long.

Personally I still think the strongest of the three in most cases is “something you know” provided you have good password policies in place, especially when combined with “something you have” as a second factor. In general that’s the approach I intend to continue with authentication on Purism products. Biometrics, if we ever use them, would likely only serve as a 3rd factor, or possibly as a 2nd factor along with something else for something with lower security requirements.

Biometrics have become pretty popular lately, not because they are more secure (they aren’t secret!) but because they are more convenient. In my limited understanding of Microsoft’s “passwordless” approach, it’s more of a two-factor authentication. They are relying on a combination of “something you are” and “something you have” (your computer) to then unlock a strong secret linked to that hardware. That link to the hardware and this move to password authentication is an explanation they give for why Windows 11 will require TPM (that this requirement also gives them strong control over what software customers are allowed to use on the hardware is a side benefit they don’t talk about as much).

Once this is rolled out everywhere, it will be interesting to see how many more suspects who use that platform will be compelled to produce biometrics to unlock their computers and cloud accounts. One advantage of passwords is that up to this point (with some exceptions), a majority of judges have ruled that a person can’t be compelled to disclose a password. The same can’t be said for biometrics or “something you have”.

1 Like

I read both, but my response was about the second article.

1 Like

Thanks @Kyle_Rankin. Everyone so far seems to be on the same plan or close to it.

The following is just my take on biometrics based on what slipped through my tinfoil hat.

I feel it should be no one’s business if people use a password, a variety of multi-steps or squeezing a bio-reader just to let one check the weather.

I trust biomet purveyors the least, like Walmart and Amazon testing our health as we shop. It’s a load of bovine plop when Walmart says it’s for a “connected shopping cart handle that can detect heart rate, palm temperature, grip force, and walking speed.” It’s for our safety - of course. They are not doctors, and should not be dabbling with our privacy, especially our health. Same applies to biometrics on a ‘device’. It costs more, it’s invasive, and easily shared.

Amazon’s bio-reader helps the “Alexa feature that would allow the device to passively detect signs of illness and recommend remedies.” Pardon - “recommend remedies”???
I thought Bezos was an astro-nut, not a doctor too.

Can you imagine 5 years from now - you arrive home, speak to your door with “Open my door Alexa” but the door says, “Sorry Sharon, I can’t do that - you need to take a stress pill before entering”. Or I grab the steering wheel and “I won’t start the car Sharon. You’ve had too much to drink. I have ordered you a cab.” (I never have too much to drink… no matter how hard I try).

To me, Purism and L-products are about our rights to privacy, which is why I asked how M$ and others’ invasion of our privacy will affect Purism and L-products.

SIDEBAR: I had to call my bank. After finally reaching a human, the human informed me that [“voice recognition” was active](https://www.investmentexecutive.com/news/industry-news/voice-recognition-technology/). I told them to disable it, and the Human said it disabled it. That “disabled” sounded just as good as Google and Facebook saying they respect our privacy.

I guess we’ll see where it all goes. They no doubt want to target those born with an IP address first - they’ll not care what happens, and the rest, we will just have to go without or give up more rights in order to access the leash.

I am concerned that the industry will work to mandate biometrics on all devices. Those who live on Big Macs and pop may be told what and when they can eat. A slight fever may have the COVID-Cops knocking down our door with yet another booster for the boosted booster. An employer can check to see if you really do have a fever or have hang-over symptoms, or in bed with a mad clown (spell checkers - right!).

When the gods of the Internet took over, our rights went out the Windows. I hope Purism and L-5 products will save us.

~s~
p.s. I really like the replies so far - informative, thought-provoking, and much less paranoid than me.

1 Like

IMO - If that fingerprint scan can recognize the user once it is first entered, then it must be stored somewhere, and there ain’t anywhere that can be truly secure.

1 Like

I realize in my case that taking full responsibility for your own security can be scary. I once read about one guy who had millions of dollars in bitcoin and then forgot his password that is needed to access your bitcoin account. No one could help him. He lost his money. I am somewhat afraid to buy a fully secured Purism laptop because it is more likely that I will forget my password than it is likely that my laptop will get lost or stolen. At least I can go in to my bank to get my money if I get locked out of my account online. If necessary, I can physically crack my own unencrypted hard drive if I have physical possession of it. What happens if I buy Purism’s most secure encrypted laptop that requires a dongle to get in and then I get locked out (lose the dongle or forget the password) with valuable data locked inside? What happens if I write my passwords down and then someone robs my house and finds them? When you’re forced to change passwords often and use only complex passwords, sooner or later a fully secured laptop will lock you out for good.

Speaking only for myself … if you want to discuss two topics, create two topics. :wink: So:

Yes.

… in the US. There are proto-police-states (coughAustraliacough) where passwords already have no such protection and hence don’t have that advantage.

We give this sort of thing a lot of thought and design things to allow people to recover from something like a lost dongle, which is pretty common. If you unlocked your disk with a Librem Key, you can always fall back to “recovery boot” which lets you type in your regular password instead. The idea here is that you can pick a very strong password to fall back on, and back it up somewhere safe in case you forget it (since you won’t be recalling it very often). We don’t want people to be locked out of their machines.

If your passwords get compromised in some way, you can change them. I’ve written and spoken a lot about password policy over the years. In summary: use long memorable passphrases for passwords you have to remember (unlocking laptop, unlocking password manager), use long complex passwords for everything else, stored in a password manager. Between that, and backing up your passwords somewhere safe, most people should be relatively safe from being locked out of their computer.
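The policy summarised in the reply above (a long memorable passphrase for the few secrets you must recall, a long random password kept in a manager for everything else) as an added Python example. This is not Purism’s code and not part of the original thread; the 32-word list is constructed for the demo and far too small for real use (diceware-style lists have 7776 words, and the entropy figures below are computed for whichever list size is actually passed in), and the 94-character alphabet is simply the printable ASCII set.

```python
import math
import secrets
import string

# Constructed demo wordlist (32 entries). A real diceware-style list has 7776
# words; the functions below take the list size into account, so the demo
# passphrases are honestly reported as weak.
DEMO_WORDLIST = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nectar", "orchard", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "copper", "desert", "engine", "forest", "glacier", "helmet",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a secret made of `positions` independent uniform picks."""
    return positions * math.log2(choices_per_position)


def positions_needed(target_bits: float, choices_per_position: int) -> int:
    """Smallest number of words (or characters) that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices_per_position))


def passphrase(n_words: int, wordlist=DEMO_WORDLIST, sep: str = "-") -> str:
    """Memorable passphrase: n independent CSPRNG picks from the wordlist."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Manager-stored password: nobody has to remember it, so use the full
    printable alphabet and as many characters as the site allows."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def recommend(must_memorise: bool, target_bits: float = 80.0,
              wordlist=DEMO_WORDLIST) -> dict:
    """Apply the policy: memorised secrets get a passphrase sized to the target,
    everything else gets a random password sized to the same target."""
    if must_memorise:
        n = positions_needed(target_bits, len(wordlist))
        return {"kind": "passphrase", "secret": passphrase(n, wordlist),
                "entropy_bits": entropy_bits(len(wordlist), n)}
    n = positions_needed(target_bits, len(PRINTABLE))
    return {"kind": "random", "secret": random_password(n),
            "entropy_bits": entropy_bits(len(PRINTABLE), n)}


if __name__ == "__main__":
    for memorised in (True, False):
        r = recommend(memorised)
        print(f"{r['kind']:10} {r['entropy_bits']:.1f} bits  {r['secret']}")
    print("words for 80 bits with a 7776-word list:",
          positions_needed(80, DICEWARE_LIST_SIZE))
    print("chars for 80 bits with 94 printable symbols:",
          positions_needed(80, len(PRINTABLE)))
```

Sizing by the list actually used is the point of `positions_needed`: with the 32-word demo list it takes 16 words to reach 80 bits, with a 7776-word list 7 words, and with the 94-symbol alphabet 13 characters. The passphrase is not stronger per symbol, it is simply easier to carry in your head, which is why it is reserved for the secrets (disk unlock, password manager) that cannot be stored anywhere else.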

@irvinewade. But replying to two people over two topics in one post is the better way?

I take it back…

I’m not apologizing for what some might construe as being two topics in one. Both quoted headlines are dealing with device security and access with/without passwords.

As was pointed out, it’s U.K.'s problem and has nothing to do with the U.S. which kind of threw me. I thought Purism was part of the World-Wide web. Microsoft is global so passwordless affects the U.K. and its silly approach to hard passwords.

I and one other read the Microsoft “passwordless” article. The two articles do belong together. The have, and have-not passwords.

If anyone, I included, doesn’t want to read anyone’s whole OP, that is fine too. It’s our choice… our loss.

I’ll mute-out of this topic and will just have to wait and see what L-Products plans, if anything, to do about passwordless L-Products.

Thanks for the lesson,
~s~