California, however, is looking to change this and has passed a law that would require all internet-connected device sold in the state to have a unique "strong" password. This unique password would be obtained in one of two ways as outlined by the "Information Privacy: Connected Devices" bill.
Manufacturers can choose to give each individual device a unique password that is assigned at the time of production. The user would then use that password to login to the device, and then could change it (if they so choose) after the initial setup. The second method would be to require the user to create a password when they perform the initial, mandatory setup of the internet-connected device.
Given that most users don't both to change their password after setting up their devices (which is why botnets are able to spread with reckless abandon), it seems as though the first option with a unique OEM-provided password would be the most secure. If the end-user is forced to create his or her own password (and if a hard-to-guess strong password isn't required), chances are that users could still input an air-password like "password" or "12345", much to President Skroob's displeasure.
According to the law, "'Connected device' means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
As the law outlines, it will be illegal for manufacturers to ship devices with default passwords like "admin" or "password" starting on January 1st, 2020.