Should Axis Prohibit Using Root/Pass?

JH
John Honovich
Nov 08, 2016
IPVM

For some time now, Axis has prompted users to set the password explicitly, rather than simply defaulting to root/pass as they did for many years prior to that.

However, it is likely that many users continue to use 'pass' as the password or other similarly trivial to guess passwords.

So, vote:

(1)
Undisclosed #1
Nov 08, 2016
IPVMU Certified

There are probably quite a few non-Axis cameras with root:pass as well. If you were an Axis shop 5 years ago slowly drifting to Hik, you might want everything the same, to make it easy.

(1)
Undisclosed
Nov 14, 2016

If you used default passwords five years ago you were doing things insecurely.

Josh Hendricks
Nov 08, 2016
Milestone Systems

It would be smart for all manufacturers and software vendors to have a complex password policy by default (like Microsoft). If you want to disable the complex password policy, then you should ideally be forced to find the setting and disable it (again, like Microsoft).

That being said, as long as it is reasonably unlikely that the device can be compromised through any enabled-by-default interface with or without the web interface's administrative login, it should not matter if the web interface uses default credentials. Hopefully the web-based credentials are not the same as the root user account on the device...

Still, regardless of the likelihood that privilege escalation or remote code execution will be possible by compromising the web interface, the attack surface grows once you have administrative access to the web interface, so having unique and complex passwords would obviously be ideal.

The risk of enforcing complex passwords is that the passwords are lost/forgotten or written down in a public place. These are controllable though, and the benefits outweigh the risk.

(3)
(1)
Undisclosed End User #2
Nov 08, 2016

The problem with complex passwords (like Microsoft) is that you easily find them on some damn post-it note next to the computer...

Defiantly be forced to change password, but to be complex (like Microsoft) will only push the "password problem" in another direction (read: post-it notes).

Personally, I curse all passwords (complex or not); I would prefer to use certificates together with a personal PIN code.

However, never mind my "password policy", it defiantly should be forced password change before moving ahead with any configuration (complex like Microsoft or not); this would more or less eliminate the Mirai worm.

Undisclosed #1
Nov 08, 2016
IPVMU Certified

The problem with complex passwords (like Microsoft) is that you easily find them on some damn post-it note next to the computer...

Actually that's only true for the ones you have no problem remembering :)

(1)
Undisclosed End User #3
Nov 11, 2016

Why are you so defiant about all this? You definitely should relax and not be so stressed out about this password junk. ;-)

(1)
(1)
Undisclosed #1
Nov 11, 2016
IPVMU Certified

Personally, I curse all passwords (complex or not)...

Complex are better suited to this, e.g. $h1the@d or even the common a**h***.

Undisclosed End User #2
Nov 12, 2016

Bad stuff, you're using the same $h1t password as me... dammit

(2)
Undisclosed End User #2
Nov 08, 2016

Why write down something you remember, and not write down what you don't remember? Only to bug helpdesk support, or? ;)

John Bazyk
Nov 08, 2016
Command Corporation • IPVMU Certified

We almost exclusively install Hikvision; now that they've introduced activation and a forced "complex" admin password, there are no default credentials in new cameras.

Does anyone else do this? I think it's a common sense first step to creating more secure devices.

In light of all these recent attacks no one should be shipping cameras with default credentials. I got some Vivotek and Axis cameras in the other day with default credentials.

Alberto Alonso
Nov 14, 2016

Axis cameras shipped with default credentials? Not from Axis for sure. We stopped setting default credentials years ago, while other brands have only stopped doing that recently.

As John points out, Axis cameras prompt users to set a password on start. The only discussion is whether to force a complex password. I see that more as a recommendation rather than a forced type of credential. At the end the user may decide what to do (with the right info, that's true).

Josh Hendricks
Nov 09, 2016
Milestone Systems

Is there more, or is there less risk enforcing non-default passwords? If the password ends up on a postit, I think that's probably safer than if the password was the default. A remote system probing the camera is not going to see the postit.

On the other hand, if the password on the postit is also the Windows admin login, a lot of harm could be done by internal staff, and people rarely use unique passwords...

I think at a minimum, there should be no default password. If the installer uses an easily guessed password, that is their prerogative.

(1)
Ross Vander Klok
Nov 11, 2016
IPVMU Certified

Root/Pass should be OK during setup but you should be forced to change it on the next login.

Undisclosed Manufacturer #4
Nov 14, 2016

I am against prohibiting anything like this. My position is that if you don't change the password, you don't know what you're doing. If you don't know what you're doing, you should not be doing security. It's just that simple...

(2)
Undisclosed
Nov 14, 2016

Unless they changed it recently, you don't need to interact with the camera through the UI before using it. So products (like ONSSI maybe?) used to demand the password be left at root/pass and assumed that. And since there was no requirement for a human to visit the web UI nobody ever saw the "change the password" message.

The IT security (and current world) view is that it should not be possible to deploy into production with default credentials. So set-up would be fine but you should have to change it. In the case of a security camera it should not be possible to have it feed video to a VMS using default credentials.
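The two design points raised in this thread, a complexity policy that is on by default and has to be explicitly switched off (Josh Hendricks' post above), and a VMS that refuses to pull video from a camera still on default credentials (this post), can be expressed as a small onboarding gate. The code below is an added illustration written for this page; it is not IPVM's, Axis's or any VMS vendor's code. The `PasswordPolicy`, `Camera` and `Vms` classes are hypothetical, the root/pass pair comes from the thread, and the other denylisted passwords are constructed for the example.

```python
"""Default-credential gate for camera onboarding (constructed example).

Assumptions (not from the thread): a toy Camera with one admin account,
a PasswordPolicy that is strict unless explicitly relaxed, and a
Vms.enroll step that is the last point at which defaults can be caught.
"""
from dataclasses import dataclass
from typing import List, Tuple
import string

# root/pass is the historical Axis default named in the discussion; the
# remaining entries are constructed additions to the denylist.
FACTORY_DEFAULTS = {("root", "pass")}
TRIVIAL_PASSWORDS = {"pass", "password", "admin", "12345", ""}

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


@dataclass
class PasswordPolicy:
    """Complexity policy that is on by default; an operator has to set
    complexity_enabled=False deliberately to relax it."""
    min_length: int = 12
    require_classes: int = 3          # out of lower/upper/digit/symbol
    complexity_enabled: bool = True

    def violations(self, username: str, password: str) -> List[str]:
        """Return every reason the credential pair is unacceptable."""
        problems = []
        if (username, password) in FACTORY_DEFAULTS:
            problems.append("factory default credentials")
        if password.lower() in TRIVIAL_PASSWORDS:
            problems.append("trivial password")
        if password.lower() == username.lower():
            problems.append("password equals username")
        if not self.complexity_enabled:
            return problems           # defaults are refused even when relaxed
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        classes = sum(any(c in group for c in password)
                      for group in CHARACTER_CLASSES)
        if classes < self.require_classes:
            problems.append(f"fewer than {self.require_classes} character classes")
        return problems


@dataclass
class Camera:
    host: str
    username: str = "root"
    password: str = "pass"
    provisioned: bool = False         # stays False until the default is replaced

    def set_password(self, new_password: str, policy: PasswordPolicy) -> None:
        problems = policy.violations(self.username, new_password)
        if problems:
            raise ValueError("; ".join(problems))
        self.password = new_password
        self.provisioned = True


class Vms:
    """Recorder side: the camera must be provisioned before it can feed video."""

    def __init__(self) -> None:
        self.cameras: List[Camera] = []

    def enroll(self, camera: Camera, policy: PasswordPolicy) -> Tuple[bool, str]:
        problems = policy.violations(camera.username, camera.password)
        if not camera.provisioned or problems:
            return False, "refused: " + "; ".join(problems or ["not provisioned"])
        self.cameras.append(camera)
        return True, "enrolled"


if __name__ == "__main__":
    strict = PasswordPolicy()
    cam = Camera("192.0.2.10")                   # constructed address
    vms = Vms()
    print(vms.enroll(cam, strict))               # refused while on root/pass
    cam.set_password("Tr0ub4dor&3xample", strict)
    print(vms.enroll(cam, strict))               # enrolled
```

The point of separating `provisioned` from the policy check is that the VMS gate still works if the policy is later relaxed: a relaxed policy accepts short passwords, but `violations()` returns early only after the default and trivial checks, so root/pass never passes either check.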

Randall Raszick
Nov 15, 2016

I don't think Axis should change a thing. At most, when the Web interface is invoked Axis could prompt users to change user and pass, but I don't see the need to force users. A good integrator will already do that, right? ;)

A VMS interface with the camera seems to be a better place to change the user name and password: hook up the whole project with defaults, then implement the security scheme you worked out pre-deployment.
