Get rid of “Admin”! The UK is cracking down on IoT devices that use weak default passwords.

For years, security experts have told us to change the default passwords on smart home devices that are linked to the internet. Now, the UK is going even further and making it illegal to use weak passwords on IoT devices.

This week, the Product Security and Telecommunications Act (PSTIA) went into force. It says that companies can’t sell goods with simple passwords. A lot of devices can be hacked because the account and password for most routers are “admin” and “password,” respectively.

Because of this law, companies that make devices must either get rid of basic passwords that are easy to guess or make the user create a password when the device is first set up. In theory, those well-known default passwords would no longer let you into a gadget.

According to the UK consumer group Which?, the problem is that the law doesn’t require people who set up IoT devices to use a strong password.

“In our view, such an approach enables a manufacturer to delegate responsibility for good security onto the user,” says a spokesperson for Which? who said that “the act goes one step ahead addressing the issue of usual passwords, and that should be applauded.”

Someone from the UK’s Department for Science, Innovation, and Technology also said, “We are not forcing users to use passwords or do anything else.”

The PSTIA also says that companies must put out information on how people can report security threats, along with proof that the report was received and dealt with. Companies also need to make the information about how long a product will get security fixes “accessible and transparent.” Device makers can be fined or have their products recalled if they don’t follow the rules.

In the end, the law wants to stop things like the Mirai botnet DDoS attack in 2016. That attack used a short list of 62 popular default usernames and passwords to look for weak devices and infect nearly 300,000 of them.