Forgotten Password Problem Importance (Statistics)

By Michael Budalich, Published Sep 15, 2017, 08:03am EDT

Forgotten passwords has become a major industry topic.

For example, Hikvision has been emailing admin passwords in plain text until IPVM's reporting prompted them to stop it.

And XiongMai, famous for its role in 2016's massive Mirai botnet attacks, allows mass emailing master password lists, like so:

Dahua and Hikvision still send out passwords, even after Hikvision's previous tool was cracked.

How Big A Problem Is This?

The great lengths that these companies go clearly implies that some people are having significant problems with forgotten passwords.

But how big of a problem is it overall?

150 integrators responded to IPVM's survey question:

How significant of a problem is your customers forgetting their recorder's password? What do you typically do when it happens?

In this report we examine the problem of lost admin passwords, how integrators manage this problem, and why manufacturer support for recoverable admin passwords is poor design.

Lost ********* ****** ****** ***********

*********** ******* ***** ********* passwords ** ** *************:

**** **** **** **** not **** **** ********* never forget *********, *** **** integrators ********** ****, *** manage *** ******* ** advance, ** ********* ***** show. *** *** **** common ********** **** ***** backup ********, ** *********** user ***********.

Solved **** ****** *******

*** **** ****** ******** (~66% ** *********** ****** problem **** ***********) ** managing **** ********* *** to ******** * ****** account, ** ******** *** of *** ***** *******. Instead ** ****** ***** admin ******, **** ******* users **** ***** *** accounts. **** ******* *** integrators ** ***** **** these ******** *** ***** the ********** ***** ********.

  • "*** * **** ******* as ** ******* **** out ************* ******** ***** so ** *** ****** the **** *** ***** their ********. ** ****** happens, *** **** ** does ** ** *** same ********* **** *** over."
  • "** ** *** * significant ******* *** ** tend ** ** ****** systems ******* * ***** see ** ****** **** in ******* ******* (** residential ** ***** ** do **** ******). **** a *** ********** *** large ********** ******* ***** managed **********, ** ******* have *** *** ***** account."
  • "**** **** *** ****** very *****, *** **** it **** ** ** for *** ******* *************. I ***** ** ** because **** ***'* *** it ***** **** **** it. ***** *** *** many ***** ** ***'* have ****** ****** **, so ** **** ****** in *** ***** *** password. **** ****** *** find **** ** **** remote ****** ***** **** our *** ******** *** password **** ***** ******."
  • "****** ********. ** ******** set ********* ** **** an ******* ** ** will ****** ***-** *** create/change ***** ******** ** work **** *** ************ tech ******* ** ***** the **** ** * worst **** ********."
  • "** ****** ****** ** extra **** **** ***** rights *** ******* ***** forgeten ******** *****."
  • "** ** *** **** out ***** ******** ****. If ****** ******** ****** mgr ******** ** ******."
  • "** ****** **** * series ** ************** ******** including ******** ******** ** all ******* ** ******. We ******** * ****** internal ******** ****** ** retain *** ******* ** a ******* ****** ********* client *********, ********** ********* and ************** *********."
  • "** ****** **** * separate ***** ******** ** we *** ****** ****** if ******. **** ** the ******** ** ** Admin ** **** **** separate."
  • "*** *****, *** **'* a *** ******* **** it ****. ** ********* have *** *** ***** password, ********* ************ ****** or **** **** (** Hik :*)"
  • "** ********* ***'* **** this ***** ** ** create * ***** *** them *** *** *** us **** *** ** can ****** *** **** the ******. ********* ****** sure ** **** *** config **** ** ** have ** ******* *** system."
  • "** **** * ****** of *** ********* ** admin ***** ******** ** customer ****** ************ *********. We **** ******** ** admin ***** ***** ******* by *** *****. ** remotely ******* **** ***** and ** **** **** both **** *** ****** it ******* * *********** cost ** **** *** attendance *** ********."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "********* ***** ** ********** specific ***** ***** *** password ** *** ********. This ****** ** ** resent ***** ********."
  • "*** ******* ** ***** when ** ** ********* that ** ******* ******* we *** ** * standard ***** ******* *** our *******"

Solved **** *************

*** ***** ****** ********, ~33% ** ***** *** felt **** ********* **** not * *********** *****, was ** **** ************* of *********, ** **** customers ***** ** ******** what ***** ******** ***.

  • "** **** *** *** recorder ** *** ** and *** ******** ******* can ****** ******."
  • "******* ** **** ** our *******. **** **** the ******** ** ******** on *** **** ** digitally."
  • "*********... ** **** ** you **** **** ******* of *** ************* ** a ******* ******** **** as **** ***...*** **** can **** **** ********"
  • "**** ************ ****** *** call **. ** *** to **** * ******** record ** *** *****."
  • "*** * ****** *******. We ** ******* **** a ****** ** ******* password ** **** ** they ** ****** **** they ****."
  • "** **** * ****** of *** *********, ** doesn't ****** ***** ******."
  • "* ***'* ******** * single ********. ** ****** document *** ***********"
  • "*** *******. * ****** the ************, **** **** how ********** ***** *** print *** * ***** with *** *** ******* of *** ******. * tell **** **** **** information *** ***** *********** are ********* *** ** keep ** * **** place. ****** * **** nearly ******** ******* ***** login *********** *** ***** the ***** **** *** the **** ** *** system. ***********, * ******** everything *** *** **** them **** **** *******."

Rarely *******

*** **** ***********, ********* passwords *** * **** occurrence. **** *** ** due ** ******* **** use ****** *********, ** other ************** ******* **** Active ********* ************, ***** forgotten ********* ***** ****** be ******* ** *** customers ** **********, ******* of *** **********.

  • "*** ***** ** ***. But **** **** **, it's * ******* ****. We *** *** ******** to ******* ********** *********** subscriptions ***** *** ******* us ****** **** **** management ** *** ***** system."
  • "*% ****, ** **** use *** ****** ******** except *** **** ******* premise ***** **** ** not ***** ****."
  • "*** *********** ** *** clients ****** **** *** client **** ** ***** devices. ***** ******* *** usually ******** *********, ** we ******* *** ****** to ** **** ** auto *** **."
  • "** *** *** **** a *********** *****."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "*** ***********; ** *** a ********* ******** ** each *******, *** **** customers ** *** ****** it."
  • "*************. ****** *** ************* are ********** **** ******* Active *********."
  • "*** ***** *** **** it **** ** ****** in ********* ** *** them."

Significant ******* *********

*********** *** **** **** passwords ** * *********** problem ***** ****** ** manufacturer ******* ** ***** to ***** **** ******** problems:

  • "**** ******. ** **** on ************* ** **** some **** ** ******** program. * **** ***** initiating * ******* ********** where ** *** ********** hold *** *** ***** password ** ** *** always ****** *** *********, but **** ********* ** not **** **** ****."
  • "*****. ** **** ***** I *** ** ****** them ** ***** ****** which **** ******** ************* and ****** ** *** be ******** **** **** to ****."
  • "*** *** ************ *******"
  • "**** ***********, ** **** application ** **** *** up ** ************* ****** and ******** *** ***** the **** **** *** password."
  • "***********, ** **** ****** for *** *****. *** user ***** *** ********* for ******** ** **** of ************. ******* ******** with ************* *** **** on ****. ** *** provide ** ******** *****, typically **** ** *** cellphone. ****** ****** ****** typically ******* **** *********."
  • "**** **** ****** ** check *** ******* **** where ** ******** *** password. **** ** ***** unless *** ******** *** decided ** ****** ** on ***** ***. ** that **** ** ******* the *** ************ *** assistance ** * ******** reset."
  • "****** ******** **.* ** had **** ******* *** day ***** ***. ** was * **** *********. Now **** ******** ** just **** **** ** hit ****** ******** *** they *** ***** * new ******** *** ***** cloud *******. "

Backup ***** ******* **** ****** ********

*********** ******** *****/*****-***** ******** for ******** ******** ** a ********* ******** ****-********. Storing **** *********** (** other ********* ****) ** backup ************* ***** *** lead ** ********** ********** of **** ***********, *** ** generally *** * *********** approach. ** * *******, information ****** **** *** should ** ********* **** a ****** ***, *** not **** ** ********-********** systems.

Manufacturer ******** ******** ******* *********** 

******** ******** '********', **** as ***********'* ****-**** ******** ********, ******** ******** *****, ****** ***** ** needless **** ** ******. A ***** ********** ** integrators ********** ****-********* ** creating ********* ***** ******** to ****** **** **** user *********, *** ********** manufacturer ********* ** **** would **** ****** *** message *******. ************* **** provide *****/******** ** ******* lost ***** ********* ** so ** *** ******* of *** ******* ******** of ***** *******, *** by *********, ***** *****. Integrators, ** *****, **** are ********* ***** *** cyber ******** ** ***** systems ****** ******** ************* on *** ********* ** password ******** *********/*******, *** give ******* ************* ** those ******** **** ***** this.

Comments (10)

Bob McCarvill

09/15/17 01:34pm

Right now we use Microsoft Excel to document admins, passwords, and MAC addresses but we are discussing new software options that have the ability to have all of our clients in one place. Does anyone have any suggestions they have implemented with success? 

Avatar

Joshua Hendricks

Milestone Systems
In reply to Bob McCarvill | 09/17/17 09:14pm

I'm a big fan of LastPass for personal use, and I could easily see using it for keeping documentation of customer equipment passwords as an integrator. It's cloud based and supports 2 factor authentication, and you can share passwords between accounts as needed.

Keepass is a great offline alternative too, just make sure to keep a backup!

Avatar

Ricardo Souza

IndigoVision Ltd
IPVMU Certified | In reply to Joshua Hendricks | 09/18/17 01:38pm

I started using Lastpass since it's inception but moved to KeePass since the first hack and have been happy ever since.

Lastpass has been hacked multiple times or suffered multiple attempts already =(

Undisclosed Integrator #1

09/15/17 07:18pm

Hi

also we are looking for a software for keep client database with IP, ports and password from devices...but somethink that we can acces remote, from smartphone, etc and with different security acces levels for security 

Undisclosed Manufacturer #2

09/16/17 08:10pm

I use a strongly encrypted "Keepass" databases,  stored in Dropbox.

For Android there's are nice apps which can access the database directly from cloud sevices, check e.g.  "Keepass2Android". I guess there are apps for iOS too. All desktop OS are supported also. 

It works for me ☺️

 

Deepak C Shankar

eSecProfession
09/18/17 03:45am

Latest Hikvision products are using a different method, its using forget password option SADP tool /iVMS 4200 software,export a file (example: DS-760XNI-EX_8P0X2014112AAARR491942694WCVU-20170XXX1554.xml ) and send same to local Hikvision support team, they will revert you with reset file (example:Encryptkey.xml). Import this and reset you devices. NO Question asked.

Avatar

Ricardo Souza

IndigoVision Ltd
IPVMU Certified | 09/18/17 01:37pm

I would recommend you to check for more commercial/enterprise Password Management solutions, that you can also use to secure servers, etc...

 

Examples:

  • Zoho
  • OnionID
  • Thycotic
  • Keeper

 

Undisclosed Manufacturer #3

09/18/17 03:36pm

The issue is not unique to our industry, right?

Example1. You can restore linux root access if you have physical access to the machine.

Example2. You can restore software password if you have "administrator" type access to the OS. Example: http://smallbusiness.chron.com/reset-mailbox-password-exchange-server-57287.html 

So, why in the industry integrators create "backup accounts" ( I assume using the same password for every customer) or save passwords in shared text files?

Are you sure, your software does not allow to restore admin password having OS admin password? 

I'm one of VMS manufactures:-) We allow to restore admin password if(and only if) you have admin access to the machine OS. Btw, if you have it, you practically can do anything anyway... Are we doing it wrong?

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #3 | 09/18/17 03:48pm

I agree with you. If you have root access to the machine, you can do everything.

But in many cases (e.g. Embedded Linux based NVR/DVR), you have no access to the system shell (given that the manufacturer thought about IT-Security), in this case you need backup accounts or a good password storage to support your customers on the phone.

Undisclosed Manufacturer #3

In reply to Undisclosed Manufacturer #2 | 09/18/17 03:53pm

I would understand if those answers are mostly for NRV/DVR. 

Read this IPVM report for free.

This article is part of IPVM's 6,819 reports, 914 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports