IPVMU Certified | 03/18/16 10:20pm
I think 'strong passwords' are a prudent step that mitigates most risk, except in the case of backdoors *cough*.
However, setting up an IP whitelist is a fairly easy and absolute way of controlling access. I'm not sure why it isn't a more common step to take.
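One way to set up the IP whitelist this post mentions, as an added example rather than the poster's own configuration: an nftables ruleset on a Linux recorder or gateway that admits the web and RTSP ports only from assumed management addresses (192.0.2.10 and 198.51.100.0/24 are documentation placeholders, as are the port numbers) and logs every other attempt it drops.

```nft
#!/usr/sbin/nft -f
# Added example: whitelist inbound access to a recorder's web (80/443)
# and RTSP (554) ports. Addresses and ports are assumed placeholders.
flush ruleset

table inet recorder_acl {
    set mgmt_whitelist {
        type ipv4_addr
        flags interval
        # assumed admin workstation plus the office LAN
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # keep loopback and already-established sessions working
        iifname "lo" accept
        ct state established,related accept

        # whitelisted sources may reach the management and video ports
        ip saddr @mgmt_whitelist tcp dport { 80, 443, 554 } accept

        # anything else aimed at those ports is logged (rate-limited so a
        # scan cannot flood the log) and then falls through to the drop policy
        tcp dport { 80, 443, 554 } limit rate 10/minute log prefix "recorder-acl drop: "
    }
}
```

Because the chain policy is drop, add accept rules for any other service the box relies on (SSH, NTP, the NVR's own outbound replies are covered by the conntrack rule) before loading this with `nft -f`.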
IPVMU Certified | 03/22/16 12:41am
I'm wondering how effective using obscure ports would be in addition to a strong password.
It seems that someone trying to gain access to the system would have to go through a lot more effort if you set up non-standard ports.
Wouldn't listing the things you do be a vulnerability in itself?
*puts on tin foil hat* If you were trying to get into someone's system, a thread like this would be my first step to look for ideas :)
Keep in mind I'm only half serious when I post this.
IPVMU Certified | 03/22/16 04:44pm
We have a few different methods we use depending on the system and the customer's budget.
1.) The system is 100% offline, with strong passwords.
2.) Strong passwords and obscure ports (I understand this doesn't do much, but for a budget system it's better than using factory defaults). We also retain the password for the administrator and limit their login to only a few essential capabilities.
3.) More recently, customers who subscribe to our remote services use 2048-bit RSA to log in, and the video stream is encrypted using 256-bit AES.
10-character app and browser passwords, with complex combination of non-alpha characters
Three invalid codes entered will log users out
Video stream IDs frequently change, with URLs randomly generated at time of viewing
All video streams go over a closed and encrypted VPN and require authentication at the camera
Panel user-code, email address and password authentication required for login
Touch ID supported as an option to launch the app
Account enumeration prohibited
2048-bit RSA and 256-bit AES used for encryption
No user feedback provided to users regarding email address validity
I'm a little surprised that "obscure ports" hasn't gotten more votes, but I think people are doing strong password + obscure ports in many cases and voting for "Strong Password" because it's the more effective of the two options.