Default passwords such as “admin” and “password” will be illegal for electronics firms to use in California from 2020.
The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.
It demands that each gadget be given a unique password when it is made.
Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.
The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with “reasonable” security features.
This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.
The bill also allows customers who suffer harm when a company ignores the law to sue for damages.
Writing on tech news site the Register Kieren McCarthy said the law was “a step forward” but also a “massive missed opportunity”.
A bigger problem than poor passwords was the creation of devices that could not be updated, he said.
California should have added clauses that required manufacturers to take a more rounded approach, he said, to limit how much access malicious hackers can get to all kinds of devices.
Many recent cyber-attacks have taken advantage of the default and easy-to-guess passwords on the devices found in millions of homes and offices.
In late 2016, Twitter, Spotify, and Reddit were among sites taken offline by an attack that took advantage of poor passwords on lots of net-connected gadgets including webcams and other so-called smart home hardware.
An attack by malware known as VPNFilter is currently targeting home routers and is believed to have infected more than 500,000 devices.