I wonder why anyone installs this stuff. I would have had an LTS tech on the phone in moments on TeamViewer and even a password reset list that is sent to me every Monday morning with all the reset codes for the next 7 days. Am I just missing the number for the Marty hotline?
As I Sit Waiting For An Hour For A Hikvision Reset Code
And many with you...
even a password reset list that is sent to me every Monday morning with all the reset codes for the next 7 days.
Wait, is that a good thing or a bad thing? I am asking seriously.
It depends on what angle you are viewing from. I would agree that a dealer support site with a secure login would be better than spamming the info. Can a manufacturer give a dealer or integrator too many tools or too much information? In my opinion dealer and end user customer support is the only differentiator. You have to admit the equipment you test is all pretty good and it will continue to get better.
P.S. It's a good thing I installed TeamViewer. 3 emails later, I finally received the correct reset codes at 7pm. That would have been one expensive service call or another truck roll.
What were the events that led to the issue? I am not sure, but I don't remember needing to do a password reset on Hikvision devices before. I rarely take over sites and find Hik products there. I'm generally the one installing and I make sure to document passwords well.
Old DVR takeover with new NVR and integration to a new iVMS-4200 installation. At least they changed the password from default.
Good news, they changed default creds...
Bad news, they didn't document them...
Our clients never document anything.
Common call:
"Hey this is Bob from Bob's plumbing, I got the new spiffy iPhone and I need to get the cameras on my phone"
"No problem Bob, just download the app and I will walk you through setting it up. Do you happen to know your user name and password?"
Pause
Pause
"Umm no"
"Don't worry Bob, we will get it taken care of"
Jay, thanks. Related, I've added survey questions on end user password practices to the queue.
Jay, if I may be so blunt, it's OUR job to document the installs, not the end user.
We have the customer set up their own passwords and we never see them or document them. If they lose them, then we can reset the password, but we never see them; all we have access to is the user names. Everything else gets documented and we also have started to roll out a customer portal where the customer can log in and see all of their system documentation along with all the quotes, invoices and support tickets.
Yes, but passwords are a separate kind of documentation; they should not be stored in any kind of system where the user's plaintext password can be retrieved or known.
Typically, if you are providing ongoing support in the sense of user/password management, you would change the admin password to something complex/unrememberable/as strong as you can make it (max length, lots of mixed characters, etc), and it gets used only in case of an emergency.
Next, you create an account for yourself/each tech that has admin-level access and a strong password, but realistically manageable. This password should be unique for each customer.
For users, you create user-level passwords, with "good" passwords, not simple, but in all reality, probably not as strong as an ideal password, unless your users really get the cyber security risks.
Ideally, the user types in their own password, and you never know it. Also ideally, as an admin, the system gives you the ability to initiate a password reset for the user, or a 1-time password so they can login and change it, though many surveillance software platforms are not there yet.
This 3-tier scheme (admin account essentially locked, techs having admin access, users having user-level access) gives an audit log (depending on capabilities of the device), so that no admin-level actions can be performed anonymously, they are all done through specific accounts. The password for the actual admin account is available in case of "emergency", as an over-ride to any account, but for all practical purposes the admin account is never used and has a password that is not practical to guess in any way (brute-force attack, database leak, etc.).
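The practice described in the comments above (no retrievable plaintext, and a reset started from a named tech account so the user sets their own password), as an added example that is not part of the original discussion or any vendor's code. The class, account names and 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, secrets, time

def _kdf(secret, salt):
    # Salted, memory-hard hash: the stored value cannot be turned back into the password.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

class CredentialStore:  # hypothetical name, for illustration only
    def __init__(self):
        self.users = {}    # username -> (salt, scrypt hash); no plaintext kept
        self.resets = {}   # username -> (sha256 of token, expiry time)
        self.audit = []    # (actor, action, target) so resets are never anonymous

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _kdf(password, salt))

    def verify(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _kdf(password, salt))

    def issue_reset(self, tech, username, ttl=900, now=None):
        # A named tech account starts the reset; only the token's hash is stored.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self.resets[username] = (hashlib.sha256(token.encode()).digest(), now + ttl)
        self.audit.append((tech, "issue_reset", username))
        return token  # handed to the user once, out of band

    def redeem_reset(self, username, token, new_password, now=None):
        now = time.time() if now is None else now
        rec = self.resets.pop(username, None)  # single use: gone after any attempt
        if rec is None:
            return False
        digest, expiry = rec
        given = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, given):
            return False
        self.set_password(username, new_password)  # typed by the user, not the tech
        self.audit.append((username, "password_changed", username))
        return True

if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("bob", "constructed-old-password")  # constructed sample values
    code = store.issue_reset("tech1", "bob")
    print(store.redeem_reset("bob", code, "constructed-new-password"))
```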
We document our installs with items, IP addresses, locations, date installed, etc. Needs some fine tuning but we get it most of the time.
We specifically do NOT keep passwords. I think in general most web sites, credit card companies, etc. cannot retrieve passwords, or at least they are not visible to a human.
I figured it was taboo to store passwords....
Is everyone else storing passwords? I assume this will be added to the future poll.
Btw John how do polls work? Do you send the email to the whole list? Is there a certain time frame to respond?
Btw John how do polls work? Do you send the email to the whole list? Is there a certain time frame to respond?
We have polls and surveys.
Polls are included in posts and discussions, e.g., the most recent poll on the Avigilon CEO post "Avigilon CEO Criticizing Asian Company Cyber Security" - Agree? Disagree? Polls run for 3 months on the site and are simple multiple choice questions with no input for comments.
Surveys are open-ended questionnaires that allow respondents to explain in detail. They are typically emailed to a list of ~2,000 integrators and we get 100+ responses in a few hours. The most recent published example is Cat 5e vs Cat 6 vs Cat 6a Network Cable Usage Statistics.
We have found polls useful for getting a feel for big, high-level issues but surveys are much better for understanding reasons and more technical issues, like password practices.
We store creds in a password-protected Excel spreadsheet that is stored on a 2FA-protected drive. We also stress that they don't use their "normal" password.
Hikvision and Northern and the HV knockoffs are the easiest to take over of them all...between the HV SADP tool and a few algorithms I found on websites like this one:
https://ipvm.com/reports/hikvision-code
I can usually take over a HV, Northern, or any other HV "knock off" NVR/Camera with the default/reset code at the login screen using the secret link in the corner of the login box that lets you put in the admin PW reset code...NVR or camera default login in under 10 minutes...without defaulting the whole unit.