The Hikvision discussion claims that you need to know the device's serial number, which vastly limits the ability to hack into remote systems. This is much different than what you are claiming for Dahua (not serial number dependent).
I have forwarded this to Dahua and Hikvision for comment.
Two weeks and no comments yet from the manufacturers. Maybe some remarks from the community?
Dahua provided the following:
"We are using our 3rd generation password and will strictly manage, not offering its rule to any customers." and that "NVR6000 series and other based on X86 structure are using third generation password."
I followed up with them asking for more details on which are X86 or not. However, it appears that many existing recorders can be accessed. I just sent them one more email to try to get any more information.
I think that having an easy-to-figure-out master password that can be easily calculated is a big problem. I believe that you should need 1) physical access, such as a reset button, and 2) that it should wipe all settings. This way, first, a casual person scanning the network can't get in, and second, the person using the device will hopefully notice that all settings have been wiped.
Having a back door is just as bad as having a vulnerability...
'Baby Monitor Hack' Could Happen To 40,000 Other Foscam Users
If the password generator uses the time and date and the clock is off, then you are out of luck. I have seen cameras that are off by a day or weeks or years... If the generator uses the serial number, then usually you again need physical access to the device.
Once a password formula is known and out in the wild, you are at risk. A generator, on the other hand, that is controlled by the manufacturer and uses the time/date so that the code "expires", with the request logged along with who requested it, etc., is better, but not great...
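The recovery design sketched in the two comments above (vendor-controlled, serial-bound, expiring, logged, and ending in a settings wipe as the earlier comment asks), written out as an added illustration rather than anything from Dahua, Hikvision or this thread. The per-device keys, serials, lifetime and in-memory audit log are all constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed example data: one random key per unit, provisioned at manufacture.
# The vendor keeps a copy; a leak from one device's flash exposes only that unit,
# unlike a single formula that is valid for every recorder ever shipped.
DEVICE_KEYS = {
    "HCVR-SN-000123": secrets.token_bytes(32),
    "HCVR-SN-000456": secrets.token_bytes(32),
}
CODE_LIFETIME_SEC = 24 * 3600
AUDIT_LOG = []  # stand-in for the vendor's request log (who asked, for which unit, when)


def _code_for(device_key: bytes, serial: str, expires: int) -> str:
    # The code commits to both the serial and the expiry, so it cannot be replayed
    # on another unit or after the window closes.
    msg = f"{serial}|{expires}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]


def issue_recovery_code(serial: str, requester: str, now: int) -> tuple[str, int]:
    """Vendor side: look up the unit's key, derive a time-limited code, log the request."""
    expires = now + CODE_LIFETIME_SEC
    code = _code_for(DEVICE_KEYS[serial], serial, expires)
    AUDIT_LOG.append({"serial": serial, "requester": requester,
                      "issued": now, "expires": expires})
    return code, expires


class Recorder:
    """Device side: holds only its own key, and wipes configuration on a successful recovery."""

    def __init__(self, serial: str, settings: dict):
        self.serial = serial
        self.key = DEVICE_KEYS[serial]
        self.settings = dict(settings)

    def recover(self, code: str, expires: int, now: int) -> bool:
        # Expiry is judged by the device clock; a recorder whose clock is far off
        # will refuse a valid code, which is the failure mode the thread points out.
        if now > expires:
            return False
        expected = _code_for(self.key, self.serial, expires)
        if not hmac.compare_digest(expected, code):
            return False
        self.settings.clear()  # recovery is a reset, so the owner notices it happened
        return True
```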
I tried this on two Dahua DVRs (an older generation HCVR7208 and a new tribrid HCVR7816S).
Local login (using a mouse and monitor connected directly to the DVR) worked on the HCVR7208, but not the HCVR7816S, using 888888 as the user and 425024 (password generated from today's date).
Remote login, via the web interface or PSS software, did not work for either.
So is this a security risk? Yes. Anyone with a calculator and local access to a DVR may use it.
However, considering you need to be physically at the DVR, with a mouse and monitor attached, it is much less of a security risk than it could be if it were enabled remotely. Many DVRs do not have mouse or keyboard attached, with users accessing them only via the web interface or remote software.