Should IP Cameras Force Passwords To Be Changed On First Login?

Most IP cameras allow users to leave the default password forever. This increases the risk that someone else can easily access the camera (e.g., 3000 public surveillance cameras on 1 site). On the other hand, many feel this is a nuisance and can cause issues later accessing the camera (forget what password they changed it to).

Ok, vote on the poll:

And share your comments below.


From the previous discussion, here is a con:

CON - "For professional brands, forcing you to change/set passwords on first logins would not be the right thing to do, IMO. It should be safe to assume the installer handles that task as part of a professional install.

As an example, the customer might want to set passwords and not give knowledge to the installer, or the installer might be checking some units beforehand (maybe they are installing 20 cameras, 15 they are familiar with and 5 are new models, so they bench test those to get familiar with them). Forcing password changes arbitrarily shouldn't be necessary when dealing with a "professional". So, I would not blame Exacq or others for now following that process, I would blame the installer OR the customer, that is THEIR job, not the manufacturers."

The system owner (not the integrator) should have the passwords; the passwords need to be rotated periodically to meet norms of enterprise network behavior; in reality this stuff should be hanging off RADIUS or some other centralized authentication mechanism. Using the out-of-the-box password to pass video at all is a security issue. If your VMS implementation is so cool, it should facilitate dealing with this in a reasonable manner that doesn't burden the integrator/installer or the end user.

If your Axis cameras are still on root/pass then shame on you when you fail your next network audit.

Of course, the key question is can the cameras be viewed by outside entities. In a closed system, who cares?

It's just such a royal pain for manufacturers to stock shelves with both an 'inside and outside entity' and a 'inside only entity' version. :)

Very much do care "in a closed system". The "hard shell, soft center" cyber defense logic might have worked last century but definitely not today, with advanced persistent threats, expert virus writers, and overly casual integrators lugging around infected usb fobs. If your integrator has an inside-only a/k/a sloppy deployment style, find another integrator.

Rodney, I fail to see your point. Please explain how changing the password of IP cameras would protect a Surveillance system from a cyber attack or unauthorized access any more than having the system totally disconnected from the outside world in the first place and whose network infrastructure is separate from the corporate network with physical access tightly controlled in the second place?

Please explain how changing the password of IP cameras would protect a Surveillance system from a cyber attack or unauthorized access any more than having the system totally disconnected

Carl, it wouldn't of course. But we are talking about what state a camera should be in before it knows to where it is destined. So the topic is really just: should it leave the factory with a default password or not. So how do you feel about default passwords in networks that are NOT totally isolated?

And then the question becomes: is the greater possible security offered by eliminating defaults in the open networks worth the inconvience of having to change them unecessarily in the closed ones?

Rukmini, I assume the cameras have to come with something. Or are you saying they could come from the manufacturer with no usrename/password?

Basically yes, they have a root account but don't have a password yet. The first time you bring up the web interface it makes you choose one. This is how Axis cameras work now.

Has that changed recently? The last time I tested an Axis camera, the login was "root" "admin", as I recall. I also don't remember being asked to change the password. That was only a couple of months ago.

2 years or more. Here's an excerpt from the Axis user manual:

Odd, I didn't see that page on any of the 4 Axis cameras we evaluated.

R.e current (5.4x) Axis cameras, no. you do not have to touch the web ui to capture video. IF you go to the web UI THEN you get asked about passwords. If you just hang the camera on the wall and hook it up to a VMS and never interact with the camera directoly, you can still do video. Yes I think that's a security issue, yes, Axis knows I think that, yes, I"ve heard all the "dog died" stories about how the poor little VMS vendors would have to change their code to stop using that kinda scandalously insecure feature.

Basically, not changing the password is a bad habit to get into, even if it isn't strictly necessary in a given instance.

Do you stop at stop signs on deserted roads? Do you signal lane changes when you know there aren't any other cars areound? I do, and not because I'm worried about getting a ticket either.

I do not signal lane changes if there is nobody there to receive the signal of my intentions to begin doing so. I find it silly. :)

Also, once actually within a turn-only lane, I will disengage my turn signal as this is now redundant information no longer required by my fellow travelers.

Virus writers can see http://ipvm.com/report/ip_cameras_default_passwords_directory. Threats within the computers and other network devices in your (i don't care how closed) network can compromise devices. If I can get to the camera i can cause loss of video, etc. Also, it's current practice. Your network attached security devices need to follow the rules like everyone else. having a system totally disconnected from the outside world does not prevent a cyber attack - it prevents a random drive-by attack by some bored high school kid in Rumania. Physical access being tightly controlled does't do it. People carry computers in and out of these areas all the time.

LOL. You're grasping at straws.

Our IDF closets are access controlled and have cameras. Our edge switches are in lock boxes inside the locked and camera'd IDF closets. Being a 7/24/365 operation, we know who goes into our closets via alarms and the alarms pull up the cameras automatically. Outside cameras are, and will remain analog so no access there. Indoor cameras are also mostly analog and the ones that are IP are not located where anyone can access them without raising huge red flags.

We follow good IT practices for the rest of our domain. I don't believe that changing camera passwords would substantially improve security. If you think otherwise, you are more than welcome to attempt to access any one of our systems. I'll visit you in jail...

If you think otherwise, you are more than welcome to attempt to access any one of our systems.

Watch out Rodney, its a trap!

In my opinion, Donald Rumsfeld's 'unknown unknowns' quote apolitically applies to password discipline here. It's not that you think you're vulnerable that inspires you change the password. It's because you don't know what abuse could potentially be stopped because you did.

Hah! You are all welcome to change the passwords on approximately 1,100 devices for us. All reasonable (read free) offers considered.

Camera manufactuers often have tools to let you change passwords of a batch of cameras at once. For example, Axis Camera Management.

If you have sane login management attached to the devices you can change 1100 devices' passwords. That's what RADIUS is for, as an example. No, that's not common. That'd be part of why us IT folks (and the hackers) laugh at your primitive light sensors hanging off our network...

It only takes one compromised camera to make a network vulnerable.