---
title: "UK PSTI Default Password Requirements"
canonical_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/default-password-requirements"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/default-password-requirements"
author: "Sorena AI"
description: "A source-linked guide to the UK PSTI default password rule for consumer connectable products: unique passwords, user-defined setup, prohibited patterns, and evidence to keep."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK PSTI default passwords"
  - "PSTI password requirements"
  - "consumer connectable product passwords"
  - "unique per product passwords"
  - "UK PSTI"
  - "Default passwords"
  - "Consumer connectable products"
  - "Product security"
---

# UK PSTI Default Password Requirements

A source-linked guide to the UK PSTI default password rule for consumer connectable products: unique passwords, user-defined setup, prohibited patterns, and evidence to keep.

## UK PSTI default password requirements

UK PSTI requires relevant consumer connectable products to avoid universal default passwords by using passwords that are unique per product or defined by the user.

This page converts password requirements into implementation checks with owner assignment, evidence artifacts, and release verification gates. It is guidance for building controls and supporting implementation planning, and it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This guide explains the UK Product Security and Telecommunications Infrastructure default-password requirement for relevant connectable products. It focuses on what the password rule requires, what patterns create risk, what product evidence is useful, and how the answer should connect to the statement of compliance that accompanies products made available in the UK.

## What the PSTI default-password rule requires

For relevant connectable products, the UK PSTI security requirements include a password rule: passwords must be unique per product or capable of being defined by the user of the product. The rule is part of Schedule 1 to the 2023 Security Requirements Regulations, which the UK government guidance describes as applying to manufacturers of relevant connectable products.

The practical design question is therefore narrow: does any shipped, reset, recovery, local-interface, remote-interface, app, cloud, service, or machine-to-machine path rely on a password that is not unique per product and is not forced through a user-defined setup flow before use? If yes, that path needs remediation or a documented, source-linked reason why it is outside the password requirement.

- Inventory every password-based authentication path that can be used against the product or an associated product service.
- Classify each password as user-defined, unique per product, not a password, or out of scope for a documented reason.
- Confirm that any non-user-defined password used after factory default is unique to the individual product.
- Keep the password-control evidence with the product's UK scope decision and statement-of-compliance records.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This GOV.UK policy paper states the PSTI password requirement and explains that Schedule 1 to the 2023 Regulations sets out security requirements for relevant connectable products.
- [The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents/made?ref=sorena.io) - The 2023 Regulations are the legal instrument that specifies the security requirements and statement-of-compliance information for relevant connectable products.

## Password designs that need special scrutiny

The UK government guidance gives extra constraints for passwords that are unique per product. They must not be based on incremental counters, publicly available information, or unique product identifiers such as serial numbers unless the identifier-derived approach uses accepted encryption or keyed hashing, and they must not otherwise be easily guessable.

A product can still fail this requirement even when every unit has a different label on the box. The evidence has to show that the generation method does not create obvious patterns, common strings, public-information relationships, or low-complexity values that make automated attacks practical across a product class.

- Reject shared factory credentials such as the same administrator password across a model, production batch, or SKU.
- Reject serial-number, MAC-address, SSID, model-name, date-code, or counter-derived passwords unless the supported keyed/encrypted derivation is documented.
- Treat factory reset and refurbishing flows as separate checks because they can reintroduce a predictable default credential.
- For setup flows, prove that the user must define the password before the password-protected function can be used.
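
One way to test a factory provisioning manifest against the patterns listed above, as an added example that is not taken from the guidance or from Sorena: it flags shared, identifier-embedded, unkeyed-hash and counter-style passwords, and shows two generation methods that pass. The manifest layout, alphabet, function names and the choice of HMAC-SHA256 as the keyed hash are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

# Assumed alphabet: lowercase letters and digits without look-alikes (0/o, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def random_password(length=16):
    """Unique per product: drawn from the OS CSPRNG, unrelated to any identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyed_password(factory_key, serial, length=16):
    """Identifier-derived, but only through a keyed hash (HMAC-SHA256, an assumption)."""
    mac = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def _norm(value):
    return re.sub(r"[^0-9a-z]", "", value.lower())


def audit_manifest(units, min_overlap=6):
    """Return {serial: set of findings} for a list of {serial, mac, password} dicts."""
    findings = {u["serial"]: set() for u in units}
    reuse = Counter(u["password"] for u in units)
    templates = {}
    for u in units:
        hits, pw = findings[u["serial"]], _norm(u["password"])
        if reuse[u["password"]] > 1:
            hits.add("shared")
        for ident in (u["serial"], u["mac"]):
            # Tail of a serial number or MAC address embedded in the password.
            if _norm(ident)[-min_overlap:] in pw:
                hits.add("identifier-derived")
            # Password is a slice of an unkeyed hash of the identifier.
            for form in {ident, ident.lower(), _norm(ident)}:
                for algo in ("md5", "sha1", "sha256"):
                    digest = hashlib.new(algo, form.encode()).hexdigest()
                    if len(pw) >= min_overlap and pw in digest:
                        hits.add("unkeyed-hash")
        # Group passwords by the text around their last run of digits.
        m = re.fullmatch(r"(.*?)(\d+)(\D*)", u["password"])
        if m:
            key = (m.group(1), m.group(3))
            templates.setdefault(key, []).append((int(m.group(2)), u["serial"]))
    for members in templates.values():
        nums = sorted(n for n, _ in members)
        steps = {b - a for a, b in zip(nums, nums[1:])}
        # Same template with a number that moves by one fixed step: a counter.
        if len(members) >= 3 and len(steps) == 1 and 0 not in steps:
            for _, serial in members:
                findings[serial].add("counter")
    return findings


def sample_manifest():
    """Constructed provisioning rows; serials, MACs, key and passwords are made up."""
    demo_key = b"constructed-demo-key-not-for-use"
    rows = [
        ("SN000101", "02:00:00:AA:BB:01", "admin"),
        ("SN000102", "02:00:00:AA:BB:02", "admin"),
        ("SN000103", "02:00:00:AA:BB:03", "Home-AABB03"),
        ("SN000104", "02:00:00:AA:BB:04", "Setup-0041"),
        ("SN000105", "02:00:00:AA:BB:05", "Setup-0042"),
        ("SN000106", "02:00:00:AA:BB:06", "Setup-0043"),
        ("SN000107", "02:00:00:AA:BB:07", hashlib.sha1(b"SN000107").hexdigest()[:10]),
        ("SN000108", "02:00:00:AA:BB:08", keyed_password(demo_key, "SN000108")),
        ("SN000109", "02:00:00:AA:BB:09", random_password()),
    ]
    return [{"serial": s, "mac": m, "password": p} for s, m, p in rows]


if __name__ == "__main__":
    for serial, hits in audit_manifest(sample_manifest()).items():
        print(serial, sorted(hits) or "ok")
```

A keyed derivation is only as strong as the protection of its key: anyone who holds the key can recompute every unit's password, so the generation-mechanism evidence should also record where the key is held and who can use it.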

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - GOV.UK explains the prohibited bases for unique-per-product passwords, including counters, public information, and product identifiers without accepted cryptographic treatment.
- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - The UK regime guidance links the PSTI security requirements to ETSI EN 303 645, whose no-universal-default-password provisions describe unique-per-device or user-defined passwords.
- [ETSI TS 103 701 V1.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf?ref=sorena.io) - The ETSI assessment specification provides concrete assessment checks for pre-installed password generation mechanisms, including obvious regularities and public-information relationships.

## Evidence to keep for product release and review

Useful PSTI password evidence is product-specific. A generic secure-development policy does not show whether the product that will be supplied in the UK avoids universal default passwords. Keep the interface inventory, setup behavior, password-generation design, test results, and release approval together so reviewers can trace each credential path to the PSTI rule.

For pre-installed unique passwords, the evidence should explain the generation mechanism at a level that lets a reviewer see why it avoids automated attacks across a class of products. For user-defined passwords, the evidence should show that the user is required to define the password before the relevant authentication mechanism is used.

- Authentication inventory covering local UI, app, web, API, cloud, service, maintenance, recovery, and machine-to-machine paths.
- Password classification for each path: user-defined, unique per product, non-password authentication, or documented out-of-scope path.
- Generation-mechanism description for pre-installed passwords, including how uniqueness, randomness or keyed derivation is achieved.
- Test evidence showing no undocumented password-based network interface and no mismatch between the implemented password behavior and the documented generation mechanism.
- Release gate showing the password evidence was reviewed before the product or product variant was made available in the UK.

Sources for this answer:

- [ETSI TS 103 701 V1.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf?ref=sorena.io) - The conformance assessment specification identifies the IXIT authentication-mechanism evidence used to assess password-based authentication and password-generation mechanisms.
- [ETSI TS 103 701 V1.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf?ref=sorena.io) - The same ETSI assessment text supports keeping functional evidence that implemented pre-installed passwords match the documented generation mechanism.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK guidance confirms that manufacturers, importers, and distributors have duties under the PSTI Act and 2023 Regulations, including statement-of-compliance duties.

## How the password rule links to the statement of compliance

Default-password work should feed the product's statement-of-compliance pack because the PSTI regime requires the statement of compliance to accompany the product, and importers and distributors have duties not to make a product available unless it is accompanied by that statement. The password evidence is not the whole statement, but it supports the manufacturer's position that the product meets the relevant security requirements.

The statement-of-compliance record should point to the exact product version, the password-control evidence, the defined support period, the responsible manufacturer, and any importer review. The 2023 Regulations also require manufacturer and importer retention of the statement for the longer of 10 years from issue or the defined support period set out in the statement.

- Link each statement-of-compliance approval to the product model, firmware or software version, and market configuration reviewed.
- Attach the default-password evidence rather than relying on a high-level assertion that the product follows ETSI EN 303 645.
- Make importer and distributor checks practical: they should be able to verify that the statement accompanies the product and that the password evidence exists.
- Re-review the password evidence after credential-flow changes, factory-reset changes, onboarding redesigns, refurbishing changes, or supplier changes.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - The regime guidance explains that Regulation 7 requires Schedule 4 information in the statement of compliance and that importers and distributors must not make products available unless it accompanies the product.
- [The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents/made?ref=sorena.io) - Regulations 8 and 9 support the retention guidance for manufacturer and importer copies of the statement of compliance.
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - The GOV.UK guidance explains that the Statement of Compliance may be physical or digital, but must accompany the product and meet PSTI legal requirements.

## OPSS-facing risk signals for default passwords

OPSS is identified in the UK government guidance as the enforcement authority for the PSTI product-security regime. A default-password issue can therefore become more than a design defect: it can create statement-of-compliance, importer, distributor, recall, stop-notice, or monetary-penalty exposure depending on the facts and the enforcement response.

Do not wait for an enforcement notice to assemble the password evidence. The practical response file should show the affected products, shipped versions, credential paths, customer impact, remediation plan, communications, and whether the statement of compliance or supply-chain checks need correction.

- Escalate if any product has a universal admin password, predictable factory-reset credential, or undocumented password-protected network interface.
- Preserve evidence of when the issue was found, which products were affected, and what customer or supply-chain action was taken.
- Check whether the statement of compliance, importer records, distributor records, user documentation, or product packaging needs to be updated.
- Keep OPSS response ownership clear because enforcement guidance describes compliance notices, stop notices, recall notices, monetary penalties, forfeiture, and information notices.

Sources for this answer:

- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - GOV.UK identifies OPSS as the enforcement authority for PSTI compliance on behalf of the Department for Science, Innovation and Technology.
- [Consumer connectable product security regulations: enforcement actions](https://www.gov.uk/government/publications/opss-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - The OPSS enforcement-actions guidance describes notices and monetary penalties available in response to PSTI compliance failures.

## Primary sources

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Used for the default-password rule, Schedule 1 context, relevant-person duties, statement-of-compliance linkage, and OPSS role summary.
  - Quote: "Passwords must be unique per product; or capable of being defined by the user of the product."
- [The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents/made?ref=sorena.io) - Used as the primary regulations source for manufacturer security requirements and statement-of-compliance retention duties.
  - Quote: "Schedule 1 specifies security requirements that apply to manufacturers of relevant connectable products"
- [Regulations: consumer connectable product security](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Used for the GOV.UK compliance overview, duty-holder framing, OPSS enforcement role, and statement-of-compliance guidance.
  - Quote: "OPSS is the enforcement authority"
- [ETSI EN 303 645 V2.1.1](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Used for the underlying consumer-IoT no-universal-default-password provisions referenced by the UK regime guidance.
  - Quote: "all consumer IoT device passwords shall be unique per device or defined by the user"
- [ETSI TS 103 701 V1.1.1](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/01.01.01_60/ts_103701v010101p.pdf?ref=sorena.io) - Used for concrete assessment evidence: authentication inventory, user-defined password checks, and pre-installed password generation checks.
  - Quote: "every discovered password-based authentication mechanism is documented in the IXIT"
- [Consumer connectable product security regulations: enforcement actions](https://www.gov.uk/government/publications/opss-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Used for enforcement-response context, including notices and monetary penalties for PSTI compliance failures.
  - Quote: "OPSS may serve a Monetary Penalty Notice"



