Infosec people, you have all seen issues with default passwords. Device ships with something like admin/admin per default, vendor says everything is fine, because the docs say users should change password. That's obviously bad practice. But: Do you think it's obvious to non-infosec folks? Any good explanation for non-techies? Do you know of "official" recommendations from gov bodies saying anything about this? Also there's SB-327 in california. Anyone knows how that went? Any precedent?