UK PSTI default password requirements

For relevant connectable products, the UK PSTI security requirements include a password rule: passwords must be unique per product or capable of being defined by the user of the product. The rule is part of Schedule 1 to the 2023 Security Requirements Regulations, which the UK government guidance describes as applying to manufacturers of relevant connectable products.

The practical design question is therefore narrow: does any shipped, reset, recovery, local-interface, remote-interface, app, cloud, service, or machine-to-machine path rely on a password that is not unique per product and is not forced through a user-defined setup flow before use? If yes, that path needs remediation or a documented, source-linked reason why it is outside the password requirement.

The UK government guidance gives extra constraints for passwords that are unique per product. They must not be based on incremental counters, publicly available information, or unique product identifiers such as serial numbers unless the identifier-derived approach uses accepted encryption or keyed hashing, and they must not otherwise be easily guessable.

A product can still fail this requirement even when every unit has a different label on the box. The evidence has to show that the generation method does not create obvious patterns, common strings, public-information relationships, or low-complexity values that make automated attacks practical across a product class.

Useful PSTI password evidence is product-specific. A generic secure-development policy does not show whether the product that will be supplied in the UK avoids universal default passwords. Keep the interface inventory, setup behavior, password-generation design, test results, and release approval together so reviewers can trace each credential path to the PSTI rule.

For pre-installed unique passwords, the evidence should explain the generation mechanism at a level that lets a reviewer see why it avoids automated attacks across a class of products. For user-defined passwords, the evidence should show that the user is required to define the password before the relevant authentication mechanism is used.

Default-password work should feed the product's statement-of-compliance pack because the PSTI regime requires the statement of compliance to accompany the product, and importers and distributors have duties not to make a product available unless it is accompanied by that statement. The password evidence is not the whole statement, but it supports the manufacturer's position that the product meets the relevant security requirements.

The statement-of-compliance record should point to the exact product version, the password-control evidence, the defined support period, the responsible manufacturer, and any importer review. The 2023 Regulations also require manufacturer and importer retention of the statement for the longer of 10 years from issue or the defined support period set out in the statement.

OPSS is identified in the UK government guidance as the enforcement authority for the PSTI product-security regime. A default-password issue can therefore become more than a design defect: it can create statement-of-compliance, importer, distributor, recall, stop-notice, or monetary-penalty exposure depending on the facts and the enforcement response.

Do not wait for an enforcement notice to assemble the password evidence. The practical response file should show the affected products, shipped versions, credential paths, customer impact, remediation plan, communications, and whether the statement of compliance or supply-chain checks need correction.