As reported by the China Money Network, an English-language financial news site, the new legislation regulating cryptography in China came fully into force yesterday; the law was approved on 26 October by the Standing Committee of the 13th National People's Congress and, from now on, regulates in particular the management of passwords.
The new regulation is considered crucial for the issue of the new Chinese CBDC, whose launch, according to long-standing rumours, should take place this year. After all, blockchain technology is closely linked to cryptography as a discipline, so the new regulation shows the foresight of the Chinese who, pending the launch of the digital yuan, have taken the precaution of introducing a first regulation specific to cryptography and to the way in which passwords are managed.
We can make a series of reflections based on what we know.
Every January, as usual, IT security companies publish reports on the most commonly used passwords and, inevitably, it turns out that one of the passwords most used by users is still "123456", together with all its variants (for example 1q2w3e4r5t6y); the inability to create secure passwords is a trait shared by many people, both in private life and at work and, unfortunately, inevitably also in the institutional sphere.
Now, I doubt that the new Chinese law also includes a model for generating secure passwords; more likely it simply defines how passwords are to be kept by the various companies and the type of encryption to be used in storing them. However, this type of regulation, however fundamental, is then undermined by the fact that users are unable to generate secure passwords.
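As an added illustration (not part of the original article, nor of any Chinese regulation), the following Python check flags the "123456" family described above, including keyboard-walk variants such as 1q2w3e4r5t6y, and shows the storage side as a salted, memory-hard hash rather than a reversible encryption. The blocklist and the QWERTY layout are constructed here; a real deployment would use a full breached-password list.

```python
import hashlib
import os

# Constructed sample blocklist; a real deployment would load a full breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "abc123"}

# Physical rows of a US QWERTY keyboard, used to detect "walks" across neighbouring keys.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}

def keyboard_walk_ratio(password):
    """Fraction of consecutive character pairs that are neighbouring keys.
    "123456" and "1q2w3e4r5t6y" score 1.0; random passwords score near 0."""
    pw = password.lower()
    if len(pw) < 2:
        return 0.0
    adjacent = 0
    for a, b in zip(pw, pw[1:]):
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                adjacent += 1
    return adjacent / (len(pw) - 1)

def check_password(password, min_length=12, walk_threshold=0.8):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password blocklist")
    if keyboard_walk_ratio(password) >= walk_threshold:
        problems.append("keyboard-walk pattern")
    return problems

def hash_for_storage(password, salt=None):
    """Store only a salted scrypt hash, never the password or a reversible encryption of it."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt + digest

def verify_stored(password, stored):
    """Recompute the hash with the stored salt and compare it to the stored digest."""
    salt, digest = stored[:16], stored[16:]
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1) == digest

if __name__ == "__main__":
    for pw in ["123456", "1q2w3e4r5t6y", "1qaz2wsx", "xK9#mQ2vLp!z"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```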
In other words, regardless of how carefully user passwords are protected, if you choose "123456" as your password you are inevitably at risk. While it would be foolish to pretend that a law could impose obligations on ordinary people about how to generate their passwords (it is clearly a cultural and educational issue), such a provision could make good sense in the institutional context: if an official, a minister, or anyone in a top position chose passwords that were too trivial and therefore insecure to protect the accounts they work with, this would inevitably end up jeopardizing the institutions themselves. This is behaviour we could regard as a failure to observe minimum security conduct, and in that case we could imagine punishing it by instituting an ad hoc offence.
Imagine, trivially, a defence minister who chooses something like "123456" as the password for his email accounts: he would clearly expose his country to incalculable risks, so if his accounts were breached it would be reasonable to hypothesize an ad hoc charge to punish conduct that effectively jeopardizes the country's security.
Obviously, such proposals are not even remotely under discussion; moreover, the ruling class, always unyielding when it comes to regulating the daily life of ordinary citizens, is careful not to take even the slightest responsibility for its own work.