IP Camera Passwords - Axis, Dahua, Samsung

By Ethan Ace, Published Oct 15, 2014, 12:00am EDT

IP cameras are famous / infamous for weak default passwords that can lead to major problems. See our IP Cameras Default Passwords Directory for examples.

However, in the last few years that has started to change.

In this note, we look at password procedures for Axis, Dahua and Samsung, explaining which are strong, moderate or weak, and why.

Strong: Samsung

In their most recent firmware updates, Samsung has done two things to improve password strength:

  • First, users must create a password when the camera is first booted or whenever it is factory defaulted. There is no default password.
  • Second, the admin password must be at least 8 characters and follow two complex rules, as seen in the image below. These rules do not allow Samsung's earlier default password ("4321") to be used.

Certainly, many users may find that these rules are complex and make the admin password difficult to remember, but this is far more secure than simply defaulting to "4321."

Moderate: Axis

Axis cameras now force the user to create a password upon first login. However, "pass" is still accepted, and still functions as a default password, with VMSes able to connect to the camera before the password creation stage is complete. This makes it very likely that many users simply enter "pass" without thought, and do not change it later.

Moderate: Bosch

Starting in 6.20 firmware, Bosch prompts users to set a password, with this popup appearing when connecting to the camera's web interface. Note that no password is set by default and none is required, unlike Samsung or Hikvision, which force users to set one.

Clicking OK takes users to the password setup page, with a meter showing password "strength." Note that the password in this example was 9 characters long and included uppercase and lowercase letters, numbers, and a special character, but was still only regarded as "medium." Strong passwords require 10 characters and a mix of these types.

Weak: Dahua (But Improving)

Dahua cameras default to admin/admin, which is poor security in itself but unfortunately not at all uncommon among IP cameras. In previous releases, Dahua cameras (and DVRs) included two accounts which could not be deleted, named 888888 (with admin rights) and 666666 (view only). However, in newer firmware (Q2/Q3 2015), these accounts no longer exist, with admin the only account by default.

Dahua also now asks users to change the password during the first login, and provides password strength recommendations, seen below. However, passwords may only contain letters and numerals, no special characters, forcing users to increase length to create a strong password.

Additionally, Dahua cameras have an option to notify users if repeated failed logon attempts are made, seen below. This is uncommon in IP cameras, with very few notifying on repeated attempts. This at least provides some security against unwanted access, assuming intruders do not have the correct passwords.
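How much longer a letters-and-numerals-only password must be to match one drawn from the full character set, shown as an added Python example (not code from this article or from any manufacturer). It assumes randomly generated passwords, takes the 10-character "strong" threshold described for Bosch above as its baseline, and rejects the default values named in this article; the function names and sample passwords are constructed for illustration.

```python
import math
import string

# Default passwords and fixed account names mentioned in the article.
KNOWN_DEFAULTS = {"4321", "pass", "admin", "888888", "666666"}

ALNUM = string.ascii_letters + string.digits   # 62 symbols: letters and numerals only
FULL = ALNUM + string.punctuation              # 94 symbols: adds special characters


def equivalent_length(length, from_alphabet=FULL, to_alphabet=ALNUM):
    """Length needed in to_alphabet to match the search space of a random
    password of `length` characters drawn from from_alphabet."""
    bits = length * math.log2(len(from_alphabet))
    return math.ceil(bits / math.log2(len(to_alphabet)))


def check_password(candidate, alnum_only=False, baseline_len=10):
    """Return a list of policy violations; an empty list means accepted.
    baseline_len=10 is an assumption taken from the 'strong' threshold above."""
    problems = []
    if candidate.lower() in KNOWN_DEFAULTS:
        problems.append("known default")
    if alnum_only:
        if any(c not in ALNUM for c in candidate):
            problems.append("character not accepted by camera")
        # Compensate for the smaller alphabet with extra length.
        required = equivalent_length(baseline_len)
    else:
        required = baseline_len
    if len(candidate) < required:
        problems.append(f"shorter than {required} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if not alnum_only:
        classes.append(string.punctuation)
    if not all(any(c in cls for c in candidate) for cls in classes):
        problems.append("missing a character class")
    return problems


if __name__ == "__main__":
    print("alphanumeric length matching 10 full-set characters:", equivalent_length(10))
    # Constructed sample passwords, checked against the alphanumeric-only rule.
    for pw in ("admin", "Tr4il-Cam-N7", "Tr4ilCamNorth7x"):
        print(repr(pw), check_password(pw, alnum_only=True) or "accepted")
```
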


Others

The vast majority of manufacturers still use default passwords without forcing users to change them on login, and none that we have seen require complex rules as Samsung does. The most common combination remains admin/admin.

These are only a few examples of improvements and differences in password security we've seen in our recent tests. Readers, feel free to note others in the comments below.

Poll

When we first released our IP Cameras Default Passwords Directory, nearly 50% of users said they at least sometimes use default passwords in a production deployment:

With that in mind, what do you think manufacturers should do (if anything) to keep IP camera passwords more secure?
