IP Camera Passwords - Axis, Dahua, Samsung
By Ethan Ace, Published Oct 15, 2014, 12:00am EDT
IP cameras are famous / infamous for weak default passwords that can lead to major problems. See our IP Cameras Default Passwords Directory for examples.
However, in the last few years that has started to change.
In this note, we look at password procedures for Axis, Dahua and Samsung, explaining why and which are strong, moderate or weak.
In its most recent firmware updates, Samsung has done two things to improve password strength:
- First, users must create a password when the camera is first booted or whenever it is factory defaulted. There is no default password.
- Second, the admin password must be at least 8 characters and follow two complex rules, as seen in the image below. These rules do not allow Samsung's earlier default password ("4321") to be used.
Certainly many users may find these rules complex, and they may make the admin password difficult to remember, but this is far more secure than simply defaulting to "4321."
Axis cameras now force the user to create a password upon first login. However, "pass" is still accepted, and still functions as a default password, with VMSes able to connect to the camera before the password creation stage is complete. This makes it very likely that many users simply enter "pass" without thought, and do not change it later.
Starting in 6.20 firmware, Bosch prompts users to set a password, with this popup appearing when connecting to the camera's web interface. Note that no password is set by default and none is required, unlike Samsung or Hikvision, which force users to set one.
Clicking OK takes users to the password setup page, with a meter showing password "strength." Note that the password in this example was 9 characters long and included uppercase and lowercase letters, numbers, and a special character, but was still only regarded as "medium." Strong passwords require 10 characters and a mix of these types.
Weak: Dahua (But Improving)
Dahua cameras default to admin/admin, poor security in itself, but unfortunately not at all uncommon among IP cameras. In previous releases, Dahua cameras (and DVRs) included two accounts which could not be deleted, named 888888 (with admin rights) and 666666 (view only). However, in newer firmware (Q2/Q3 2015), these accounts no longer exist, with admin the only account by default.
Dahua also now asks users to change the password during the first login, and provides password strength recommendations, seen below. However, passwords may only contain letters and numerals, no special characters, forcing users to increase length to create a strong password.
Additionally, Dahua cameras have an option to notify users if repeated failed logon attempts are made, seen below. This is uncommon in IP cameras, with very few notifying on repeated attempts. This at least provides some security against unwanted access, assuming intruders do not have the correct passwords.
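Where a camera lacks this kind of notification, the same check can be run centrally over collected logon logs. The sketch below is an added example, not Dahua's implementation or code from this report; the log format, the threshold of 5 failures in 60 seconds and all addresses are constructed assumptions, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed "key=value" format; not a real camera log.
SAMPLE_LOG = """\
2015-09-01T10:00:00 cam=192.0.2.10 src=198.51.100.7 user=admin result=FAIL
2015-09-01T10:00:05 cam=192.0.2.10 src=203.0.113.5 user=admin result=FAIL
2015-09-01T10:00:09 cam=192.0.2.10 src=198.51.100.7 user=admin result=FAIL
2015-09-01T10:00:12 cam=192.0.2.10 src=203.0.113.5 user=admin result=OK
2015-09-01T10:00:18 cam=192.0.2.10 src=198.51.100.7 user=root result=FAIL
camera rebooted (line not in the assumed format, ignored)
2015-09-01T10:00:27 cam=192.0.2.10 src=198.51.100.7 user=admin result=FAIL
2015-09-01T10:00:40 cam=192.0.2.10 src=198.51.100.7 user=admin result=FAIL
2015-09-01T10:05:00 cam=192.0.2.11 src=198.51.100.9 user=admin result=FAIL
2015-09-01T10:09:00 cam=192.0.2.11 src=198.51.100.9 user=admin result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) cam=(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def repeated_failures(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (camera, source, first_ts, last_ts) for every burst of
    `threshold` failed logons from one source to one camera within `window`."""
    recent = defaultdict(deque)  # (camera, source) -> failure timestamps in window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(5) != "FAIL":
            continue  # unparseable lines and successful logons are not counted
        ts = datetime.fromisoformat(m.group(1))
        q = recent[(m.group(2), m.group(3))]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m.group(2), m.group(3), q[0], ts))
            q.clear()  # start a fresh count so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for cam, src, first, last in repeated_failures(SAMPLE_LOG):
        print(f"ALERT {cam}: {src} failed {first:%H:%M:%S}-{last:%H:%M:%S}")
```

Failures that are spread out more slowly than the window never reach the threshold, so the window and threshold need to be tuned to the site.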
The vast majority of manufacturers still use default passwords without forcing users to change them on login, and none that we have seen require complex rules as Samsung does. The most common combination remains admin/admin.
These are only a few examples of improvements and differences in password security we've seen in our recent tests. Readers, feel free to note others in the comments below.
When we first released our IP Cameras Default Passwords Directory, nearly 50% of users said they at least sometimes use default passwords in a production deployment:
With that in mind, what do you think manufacturers should do (if anything) to keep IP camera passwords more secure?