The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

Status:

This is the original version (as it was originally made). This item of legislation is currently only available in its original format.

Passwords

This section has no associated Explanatory Memorandum

1.—(1) The following sub-paragraphs apply to—

(a) hardware of the product when that product is not in the factory default state;

(b) software which is pre-installed on the product at the point at which the product is supplied to a customer when the product is not in the factory default state;

(c) software which is not pre-installed on the product at the point at which the product is supplied to a customer and which must be installed on the product for all manufacturer’s intended purposes of the product that use—

(i) hardware;

(ii) software that is pre-installed at the point at which the product is supplied to a customer; or

(iii) software that is installable.

(2) Passwords must be—

(a) unique per product; or

(b) defined by the user of the product.

(3) Passwords which are unique per product must not be—

(a) based on incremental counters;

(b) based on or derived from publicly available information;

(c) based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

(d) otherwise guessable in a manner unacceptable as part of good industry practice.

(4) In this paragraph, passwords do not include—

(a) cryptographic keys;

(b) personal identification numbers used for pairing in communication protocols which do not form part of the internet protocol suite; or

(c) application programming interface keys.

(5) In this paragraph—

“application programming interface key” means a string of characters used to identify and authenticate a particular user, product, or application so that it can access the application programming interface;

“cryptographic key” means data used to encrypt and decrypt data;

“factory default state” means the state of the product after factory reset or after final production or assembly;

“good industry practice” means the exercise of that degree of skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced cryptographer engaged in the same type of activity;

“incremental counter” means a method of password generation in which multiple passwords are the same save for a small amount of characters which change per password to make them unique (such as ‘password1’ and ‘password2’);

“keyed hashing algorithm” means an algorithm that uses a data input (“D”) and a secret key (“K”) to produce a value which cannot be guessed or reproduced without knowledge of both D and K;

“secret key” means a cryptographic key intended to be known only by the person (“P”) who encrypted or authorised the encrypting of the data, and any person authorised by P;

“unique per product” means unique for each individual product of a given product class or type.
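
An illustration of sub-paragraphs (3)(a) and (3)(c) and the definition of “keyed hashing algorithm”, added here as an example and not part of the Regulations: a per-product password derived from a serial number (D) under a secret key (K), beside a batch check for incremental-counter passwords. The choice of HMAC-SHA256, the function names, the demo key, the serial numbers and the two-character threshold are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
from itertools import combinations

# Constructed demo key (K). A real key is generated randomly and kept secret.
DEMO_KEY = bytes(range(32))


def derive_password(secret_key: bytes, serial: str, length: int = 16) -> str:
    """Keyed hash of the serial number (D) under the secret key (K)."""
    if len(secret_key) < 32:
        raise ValueError("secret key must be at least 32 bytes")
    if not 8 <= length <= 52:
        raise ValueError("length must be between 8 and 52 characters")
    digest = hmac.new(secret_key, serial.encode("utf-8"), hashlib.sha256).digest()
    # Base32 keeps the result printable; 16 characters carry 80 bits.
    return base64.b32encode(digest).decode("ascii")[:length].lower()


def variable_chars(a: str, b: str) -> int:
    """Characters left once the shared prefix and suffix are stripped."""
    shortest = min(len(a), len(b))
    p = 0
    while p < shortest and a[p] == b[p]:
        p += 1
    s = 0
    while s < shortest - p and a[-1 - s] == b[-1 - s]:
        s += 1
    return max(len(a), len(b)) - p - s


def looks_incremental(passwords: list[str], max_variable: int = 2) -> bool:
    """True if any two passwords are the same save for a few characters."""
    return any(variable_chars(a, b) <= max_variable
               for a, b in combinations(passwords, 2))


if __name__ == "__main__":
    serials = ["SN000001", "SN000002", "SN000003"]  # constructed serials
    counter_based = [f"password{i}" for i in (1, 2, 3)]
    keyed = [derive_password(DEMO_KEY, s) for s in serials]
    print("counter-based batch flagged:", looks_incremental(counter_based))
    print("raw serials flagged:", looks_incremental(serials))
    print("keyed batch flagged:", looks_incremental(keyed), keyed)
```
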
