
Gadget-makers face ban on easy-to-guess passwords

Published on: 16 Jul 2020

Manufacturers could be forced to recall non-compliant products and may also be fined.

The UK government is now seeking feedback from consumer groups and industry experts to shape its final legislation.

Digital infrastructure minister Matt Warman said that until the law was passed, households should ensure they had changed all internet-linked devices' default passwords to "protect themselves from cyber-criminals".

Millions of so-called "internet-of-things" (IoT) devices are already in use in the UK, ranging from smart speakers and thermostats to security cameras and televisions.

But the government is concerned that the brands behind these products sometimes pre-load them with one of a few dozen common passwords, which are not subsequently reset by the owners.

As a consequence, cyber-attackers can easily break in and steal personal data, spy on users and even remotely take control of the products.

In some cases, this involves hijacking the devices to stage follow-up attacks, as part of what is known as a "botnet".

In 2016, the Mirai botnet, made up of hundreds of thousands of hacked internet-of-things products, flooded targets with data, causing Reddit, Spotify and Twitter among other services to go offline.

The proposals include financial penalties for businesses that fail to abide by the new rules. Courts would also be able to order that their products be confiscated or destroyed.