UK Cracks Down On Bad Default Passwords For IoT Devices

Written by Matt Milano
    The United Kingdom is cracking down on manufacturers’ habit of including weak, easy-to-guess default passwords on IoT devices.

    Many device manufacturers ship their devices with laughably bad default passwords—think “admin” or “password” or “12345”—expecting the user to change them. Unfortunately, many users never do, leaving the devices vulnerable to attack.

    The UK government outlined its requirements in a press release:

    Manufacturers will be legally required to protect consumers from hackers and cyber criminals from accessing devices with internet or network connectivity – from smartphones to games consoles and connected fridges – as the UK becomes the first country in the world to introduce these laws.

    Under the new regime, manufacturers will be banned from having weak, easily guessable default passwords like ‘admin’ or ‘12345’ and if there is a common password the user will be prompted to change it on start-up. This will help prevent threats like the damaging Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS leading to disruption to customers.

    Companies that fail to comply with the new rules could have their offending products recalled and be subject to a fine of up to £10 million or 4% of their worldwide revenue, whichever is greater.

    “As every-day life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater,” said Viscount Camrose, Minister for Cyber.

    “From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe.

    “We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”

    Although the US has yet to implement such a law, the UK’s enforcement may help boost IoT device security globally.
