The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.
It demands that each gadget be given a unique password when it is made.
Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.
This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.
The bill also allows customers who suffer harm when a company ignores the law to sue for damages.
Writing on tech news site the Register Kieren McCarthy said the law was “a step forward” but also a “massive missed opportunity”.
California should have added clauses that required manufacturers to take a more rounded approach, he said, to limit how much access malicious hackers can get to all kinds of devices.
Many recent cyber-attacks have taken advantage of the default and easy-to-guess passwords on the devices found in millions of homes and offices.
In late 2016, Twitter, Spotify, and Reddit were among sites taken offline by an attack that took advantage of poor passwords on lots of net-connected gadgets including webcams and other so-called smart home hardware.