Subscriber Discussion

Integrators, How Do You Manage Device Passwords Across Hundreds Of Different Clients/Networks?

Undisclosed Integrator #1
Jul 30, 2016

Reading the Axis exploit prompted me to admit that I am guilty of leaving defaults for many of my smaller customers, particularly when they are on a closed LAN. I'm sure you, like I, have had customers come in and change the admin password, then forget it, or that key employee left and no one knows what it is. I'm very open to a system that would be more secure passwords yet not cumbersome to implement nor vulnerable to forgetting what I changed it to.

Now that HIK is mandating longer, more complex passwords, it's easy to do just that. Just the other day I tried to log into a small 4-channel IP NVR for which I created some unique 8-character password when I installed it, and for the life of me I can't remember it. Going to have to go through the reset process to access it.

I wish the manufacturer could set up a secure web site where the device could resend its password via a secure connection and the integrator could retrieve it.

Michael Miller
Jul 30, 2016

I think you will find most people use spreadsheets for system documentation. This works well for smaller companies with smaller systems but IMO doesn't scale very well once you have customers with thousands of devices. We now use a solution that lets us track every device we install as an asset which allows us to document each device and track the service history once the product is installed.

Undisclosed Integrator #1
Jul 30, 2016

May I ask what software you are using for this? Thanks

Marty Major
Jul 30, 2016
Teledyne FLIR

I frequently ask this question to the integrators in my classes.... and I think Michael is right on the money about the size of their operations and scaling.

Breaking it down into 4 anecdotal levels - from practices used by the smallest to the largest:

1 - Leave device defaults in place (boo. hiss.)

2 - Set the same company-wide default for all devices (somewhat better. not the safest method)

3 - Spreadsheets (better. safer.)

4 - Asset Management Systems (each device can have a unique pw. safest.)

Marty Major
Jul 30, 2016
Teledyne FLIR

...of course 3 can do 4 - it just doesn't scale as well. :)

Undisclosed #3
Jul 30, 2016
IPVMU Certified

2 - Set the same company-wide default for all devices...

Of course within just this technique, there is a range of protection:

R5#i9Ezxw^ is better than FranksSlammers is better than hoochiemama

Marty Major
Jul 30, 2016
Teledyne FLIR

I would maintain that hoochiemama (or maybe H00chiemama to satisfy conventions) is as safe as R5#i9Ezxw - at least excepting for admins who are Seinfeld fans or who have an IPVM membership.

Undisclosed #3
Jul 30, 2016
IPVMU Certified

Though Jerry himself prefers Jor-el.

Michael Miller
Jul 30, 2016

Undisclosed Integrator #1, we are using ConnectWise.

Marty Calhoun
Jul 30, 2016
IPVMU Certified

We do quarterly (some), semi-annual (most) maintenance visits to all customers with scaled VMS Systems. We change passwords during those maintenance visits. We cannot ensure that someone, anyone, no matter the reason, has their password exposed where it should not be.

At first customers thought we were overreacting, then we had (2) incidents that were "inside" jobs where the customers faced significant losses. They now REQUIRE that the passwords are changed.

(1)
Undisclosed #2
Jul 30, 2016

Michael Miller
Jul 30, 2016

@marty so you change the passwords on all devices for your customers minimum twice a year?

Marty Calhoun
Jul 31, 2016
IPVMU Certified

We change passwords on all customers that have Service/Maintenance contracts at scheduled intervals. We update firmware (if needed) and change passwords if we are at a site for a service related issue and the customer agrees to the change. We explain why it is a good idea to change passwords regularly. And no, we do not change ALL of the passwords. 98% of customers never know the password to directly get into a camera; they don't need it. I would venture to guess another 75% never access an NVR appliance directly either.

It's just good business to support customers. I can only say the word of mouth has been our absolute best advertisement.

Hope this answers your question, thank you

(1)
Michael Miller
Jul 30, 2016

2 - Set the same company-wide default for all devices...

Of course within just this technique, there is a range of protection:

R5#i9Ezxw^ is better than FranksSlammers is better than hoochiemama

So anytime an employee leaves do you change all of your customers' passwords?

Marty Calhoun
Jul 31, 2016
IPVMU Certified

We set administrative passwords when we accept inventory into our facility. We have established codes for our technical staff members, technical training staff and Sales. The customer receives special codes as well. As long as we warrant or maintain a system we (Admin staff) have the top shelf code ONLY. No staff members have the ability to see or change the administrative codes, therefore when or if a technician leaves our company we are not left with a problem of sorts.

Again, all systems are built for differing customer tastes so there are exceptions to rules but 99.9% of customers never see the admin level code structure.

Michael I hope this helps answer your question, thanks

Marty

(1)
Undisclosed Integrator #4
Jul 30, 2016

An option that I think could be explored more is the use of Yubi Neo keys (with Google Authenticator) in close partnership with your VMS and camera manufacturers to manage two-factor authentication to IP devices. We are exploring this angle but are in the early stages. The use of keys or dongles to access and program alarm panels is not too uncommon.

Marty Calhoun
Jul 31, 2016
IPVMU Certified

Are you using Version 3.0.0.2 SADP?

Gert Molkens
Jul 31, 2016
IPVMU Certified

I use Lastpass with two factor authentication (Yubikey) to store my and customers' passwords. Seems better than plain text in a spreadsheet.

(2)
John Honovich
Jul 31, 2016
IPVM

Gert, does Lastpass work with VMSes? In other words, how do you manage that when the VMS needs to have passwords manually entered for each camera?

Gert Molkens
Aug 01, 2016
IPVMU Certified

John,

No, unfortunately it doesn't. It's just a password manager to keep your passwords in one place and safe. What I do is generate a password for all cameras of the same customer and then different passwords for admin access of the VMS and Windows on the VMS server (if that doesn't have to be synced with the customer).

Initially, in the beginning, I used to document everything in Excel, also the passwords, but I felt that was not the way to go for passwords and hence looked for a more convenient and safe way to store them. Since there's an iPhone app for Lastpass, I have all necessary passwords at hand all the time. If needed, I can share those with others on an as-needed basis.

There are several other solutions like Lastpass such as 1Password, KeePass, SplashID etc etc.

Gert Molkens
Aug 01, 2016
IPVMU Certified

John,

What it can do is fill in login information into web sites automatically (now I think about it, this was probably your question anyway :-) ) if you have the plugin on your browser. I have this on my commissioning laptop and that sure helps to get logged in smoother.

However, there's one thing to keep in mind: if you have your cameras on different customers' sites in the same IP range it can become less intuitive. It will look into its database for the login info for e.g. 192.168.0.1 but might find several matches. It's up to you to pick the right suggestion, so you'll need to keep this in mind when you add them to the database and name them accordingly so you can distinguish them from one another in the dropdown. But, as I mentioned, I keep it to 1 camera password per client and not a separate password for every camera.
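
The address collision described in the post above, shown as an added example that is not part of the original thread or any poster's tooling: a small inventory that gives every device its own random password and keys each record by customer plus IP, so an IP-only match returns several candidates while the full key returns one. The class, method and customer names are hypothetical, and the in-memory dictionary stands in for whatever password manager or asset system actually holds the records.

```python
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "!#$%^&*-_"

def generate_password(length=16):
    """Random password containing lower, upper, digit and symbol characters."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw

class DeviceInventory:
    """Hypothetical credential inventory keyed by (customer, ip), not ip alone."""
    def __init__(self):
        self._records = {}                # (customer, ip) -> record
        self._by_ip = defaultdict(list)   # ip -> customers using that address

    def enroll(self, customer, ip, model):
        key = (customer, ip)
        if key in self._records:
            raise ValueError(f"{customer} already has a device at {ip}")
        self._records[key] = {"model": model, "password": generate_password()}
        self._by_ip[ip].append(customer)
        return self._records[key]["password"]

    def candidates(self, ip):
        """What an IP-only match sees: every customer with a device at ip."""
        return sorted(self._by_ip.get(ip, []))

    def lookup(self, customer, ip):
        return self._records[(customer, ip)]["password"]

    def reused_passwords(self):
        """Passwords shared by more than one device; empty when all are unique."""
        seen = defaultdict(list)
        for key, rec in self._records.items():
            seen[rec["password"]].append(key)
        return {pw: keys for pw, keys in seen.items() if len(keys) > 1}

def build_sample():
    # Constructed sample: two customers whose sites both use 192.168.0.1.
    inv = DeviceInventory()
    inv.enroll("Acme Dental", "192.168.0.1", "4-channel NVR")
    inv.enroll("Bayside Deli", "192.168.0.1", "dome camera")
    inv.enroll("Bayside Deli", "192.168.0.64", "dome camera")
    return inv
```
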

John Honovich
Aug 01, 2016
IPVM

What it can do is fill in login information into web sites automatically

That was what I was wondering, i.e., if any VMSes integrated with Lastpass or other password management systems that queried / pulled the passwords from Lastpass. That might be interesting.

Gert Molkens
Aug 01, 2016
IPVMU Certified

In Milestone terminology, that would work for the web client but not for the management client (until they release it as a cloud service anyway :-), kind of like Aerohive, Meraki and Mojo Networks are doing for WiFi)

Jon Dillabaugh
Aug 01, 2016
Pro Focus LLC

Spreadsheets don't have to be clear text. They can be locked using the built in Microsoft security. They can also be stored on an encrypted drive. There are many ways to keep even a .txt file safe.

Gert Molkens
Aug 01, 2016
IPVMU Certified

Jon, I know, but they still will be less user-friendly than a password manager, but that's just my experience and opinion of course.

Jim Elder
Sep 10, 2016
IPVMU Certified

I personally use a password manager called Dashlane. It was recommended by a very reputable source on "CSO After Dark" (cannot recall who). I pay $3 a month and it works across multiple devices pretty well. It will also generate complex passwords automatically and is well encrypted. No need to write it down, or you can simply print it out if you are insecure about it. Enter your master password and it autocompletes any login site you go to, taking you directly to the application. There are other apps that come with it such as contact sharing, payments, secure notes which I may use.

I think they have something that may work or may be able to build something that will work. Certainly you are not the only one with this problem. I am not big on universal passwords. Everyone should have their own so when they leave, the account is deleted or better yet, inactivated (so you can tell if the terminated employee tries to use it). Try it for free.
