PasswordChangeRequired and the California Law SB-327

AMI_alvin
Minnow

Posts: 20

PasswordChangeRequired and the California Law SB-327 Apr 30, 2020 8:50:43 GMT

Quote

Post by AMI_alvin on Apr 30, 2020 8:50:43 GMT

Hi all,

California Law SB-327 defines :

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

For my understanding, this law forces all users need to change password at first login. I think "PasswordChangeRequired" property might be designed for this law. Here is the defination about "PasswordChangeRequired" in ManagerAccount.v1.5.0.json Schema :

A manager account created with an initial PasswordChangeRequired value of `true` may force a password change before first access of the account.

However, I found one scenario may violate the California Law:

1. Create a new account(TestAccount), "PasswordChangeRequired" value is set as "true" by default.
2. Before TestAccount first time login, Administrator PATCH TestAccount "PasswordChangeRequired" value as "false"
3. TestAccount would not need to change password at first login.

So here are my questions :

1. Is "PasswordChangeRequired" designed for this California Law?
2. If the anwser is yes, should the manager accounts are allowd to PATCH "PasswordChangeRequired" as "false"?

Thanks,
Alvin

jautor
Administrator

Posts: 504

PasswordChangeRequired and the California Law SB-327 May 3, 2020 1:29:07 GMT

Quote

Post by jautor on May 3, 2020 1:29:07 GMT

Apr 30, 2020 8:50:43 GMT AMI_alvin said:

So here are my questions :

1. Is "PasswordChangeRequired" designed for this California Law?
2. If the anwser is yes, should the manager accounts are allowd to PATCH "PasswordChangeRequired" as "false"?

Thanks,
Alvin

These statements are not legal advice, and any compliance or legal questions should be addressed by your own legal counsel.

The "PasswordChangedRequired" was created to address these types of requirements. It also provides administrators with a mechanism to provide provisioned accounts to others, but ensuring that any default passwords they provide are changed.

In my opinion, the law in question was intended to address "preprogrammed" authentication credentials provided by the "manufacturer". In the case you suggest, this would not appear to apply as the account credentials were provided by the Administrator (not the "manufacturer").

Regardless, your implementation could certainly reject a PATCH of "false" to "PasswordChangeRequired" if you are concerned about that case. The requirement on the service is to set that value to "false" when the password is changed, so rejecting a PATCH to "false" would not cause any interoperability issues that I can see...

Jeff

josephreynolds1 Guppy Posts: 61	PasswordChangeRequired and the California Law SB-327 May 4, 2020 15:09:29 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by josephreynolds1 on May 4, 2020 15:09:29 GMT I am also not an attorney, and this is not legal advice. I underdstand CA law SB-327 apples to the manufacturer and not to any actions the admin may take.

PasswordChangeRequired and the California Law SB-327

Post by AMI_alvin on Apr 30, 2020 8:50:43 GMT

Post by jautor on May 3, 2020 1:29:07 GMT

Post by josephreynolds1 on May 4, 2020 15:09:29 GMT