Forgotten Password Problem Importance (Statistics)

By: Michael Budalich, Published on Sep 15, 2017

Forgotten passwords have become a major industry topic.

For example, Hikvision had been emailing admin passwords in plain text until IPVM's reporting prompted it to stop.

And XiongMai, famous for its role in 2016's massive Mirai botnet attacks, allows mass emailing of master password lists.

Dahua and Hikvision still send out passwords, even after Hikvision's previous tool was cracked.

How Big A Problem Is This?

The great lengths to which these companies go clearly imply that some people are having significant problems with forgotten passwords.

But how big of a problem is it overall?

150 integrators responded to IPVM's survey question:

How significant of a problem is your customers forgetting their recorder's password? What do you typically do when it happens?

In this report we examine the problem of lost admin passwords, how integrators manage this problem, and why manufacturer support for recoverable admin passwords is poor design.

[***************]

Lost ********* ****** ****** ***********

*********** ******* ***** ********* passwords ** ** *************:

**** **** **** **** not **** **** ********* never ****** *********, *** that *********** ********** ****, and ****** *** ******* in *******, ** ********* below ****. *** *** most ****** ********** **** using ****** ********, ** documenting **** ***********.

Solved **** ****** *******

*** **** ****** ******** (~66% ** *********** ****** problem **** ***********) ** managing **** ********* *** to ******** * ****** account, ** ******** *** of *** ***** *******. Instead ** ****** ***** admin ******, **** ******* users **** ***** *** accounts. **** ******* *** integrators ** ***** **** these ******** *** ***** the ********** ***** ********.

  • "*** * **** ******* as ** ******* **** out ************* ******** ***** so ** *** ****** the **** *** ***** their ********. ** ****** happens, *** **** ** does ** ** *** same ********* **** *** over."
  • "** ** *** * significant ******* *** ** tend ** ** ****** systems ******* * ***** see ** ****** **** in ******* ******* (** residential ** ***** ** do **** ******). **** a *** ********** *** large ********** ******* ***** managed **********, ** ******* have *** *** ***** account."
  • "**** **** *** ****** very *****, *** **** it **** ** ** for *** ******* *************. I ***** ** ** because **** ***'* *** it ***** **** **** it. ***** *** *** many ***** ** ***'* have ****** ****** **, so ** **** ****** in *** ***** *** password. **** ****** *** find **** ** **** remote ****** ***** **** our *** ******** *** password **** ***** ******."
  • "****** ********. ** ******** set ********* ** **** an ******* ** ** will ****** ***-** *** create/change ***** ******** ** work **** *** ************ tech ******* ** ***** the **** ** * worst **** ********."
  • "** ****** ****** ** extra **** **** ***** rights *** ******* ***** forgeten ******** *****."
  • "** ** *** **** out ***** ******** ****. If ****** ******** ****** mgr ******** ** ******."
  • "** ****** **** * series ** ************** ******** including ******** ******** ** all ******* ** ******. We ******** * ****** internal ******** ****** ** retain *** ******* ** a ******* ****** ********* client *********, ********** ********* and ************** *********."
  • "** ****** **** * separate ***** ******** ** we *** ****** ****** if ******. **** ** the ******** ** ** Admin ** **** **** separate."
  • "*** *****, *** **'* a *** ******* **** it ****. ** ********* have *** *** ***** password, ********* ************ ****** or **** **** (** Hik :*)"
  • "** ********* ***'* **** this ***** ** ** create * ***** *** them *** *** *** us **** *** ** can ****** *** **** the ******. ********* ****** sure ** **** *** config **** ** ** have ** ******* *** system."
  • "** **** * ****** of *** ********* ** admin ***** ******** ** customer ****** ************ *********. We **** ******** ** admin ***** ***** ******* by *** *****. ** remotely ******* **** ***** and ** **** **** both **** *** ****** it ******* * *********** cost ** **** *** attendance *** ********."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "********* ***** ** ********** specific ***** ***** *** password ** *** ********. This ****** ** ** resent ***** ********."
  • "*** ******* ** ***** when ** ** ********* that ** ******* ******* we *** ** * standard ***** ******* *** our *******"

Solved **** *************

*** ***** ****** ********, ~33% ** ***** *** felt **** ********* **** not * *********** *****, was ** **** ************* of *********, ** **** customers ***** ** ******** what ***** ******** ***.

  • "** **** *** *** recorder ** *** ** and *** ******** ******* can ****** ******."
  • "******* ** **** ** our *******. **** **** the ******** ** ******** on *** **** ** digitally."
  • "*********... ** **** ** you **** **** ******* of *** ************* ** a ******* ******** **** as **** ***...*** **** can **** **** ********"
  • "**** ************ ****** *** call **. ** *** to **** * ******** record ** *** *****."
  • "*** * ****** *******. We ** ******* **** a ****** ** ******* password ** **** ** they ** ****** **** they ****."
  • "** **** * ****** of *** *********, ** doesn't ****** ***** ******."
  • "* ***'* ******** * single ********. ** ****** document *** ***********"
  • "*** *******. * ****** the ************, **** **** how ********** ***** *** print *** * ***** with *** *** ******* of *** ******. * tell **** **** **** information *** ***** *********** are ********* *** ** keep ** * **** place. ****** * **** nearly ******** ******* ***** login *********** *** ***** the ***** **** *** the **** ** *** system. ***********, * ******** everything *** *** **** them **** **** *******."

Rarely *******

*** **** ***********, ********* passwords *** * **** occurrence. **** *** ** due ** ******* **** use ****** *********, ** other ************** ******* **** Active ********* ************, ***** forgotten ********* ***** ****** be ******* ** *** customers ** **********, ******* of *** **********.

  • "*** ***** ** ***. But **** **** **, it's * ******* ****. We *** *** ******** to ******* ********** *********** subscriptions ***** *** ******* us ****** **** **** management ** *** ***** system."
  • "*% ****, ** **** use *** ****** ******** except *** **** ******* premise ***** **** ** not ***** ****."
  • "*** *********** ** *** clients ****** **** *** client **** ** ***** devices. ***** ******* *** usually ******** *********, ** we ******* *** ****** to ** **** ** auto *** **."
  • "** *** *** **** a *********** *****."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "*** ***********; ** *** a ********* ******** ** each *******, *** **** customers ** *** ****** it."
  • "*************. ****** *** ************* are ********** **** ******* Active *********."
  • "*** ***** *** **** it **** ** ****** in ********* ** *** them."

Significant ******* *********

*********** *** **** **** passwords ** * *********** problem ***** ****** ** manufacturer ******* ** ***** to ***** **** ******** problems:

  • "**** ******. ** **** on ************* ** **** some **** ** ******** program. * **** ***** initiating * ******* ********** where ** *** ********** hold *** *** ***** password ** ** *** always ****** *** *********, but **** ********* ** not **** **** ****."
  • "*****. ** **** ***** I *** ** ****** them ** ***** ****** which **** ******** ************* and ****** ** *** be ******** **** **** to ****."
  • "*** *** ************ *******"
  • "**** ***********, ** **** application ** **** *** up ** ************* ****** and ******** *** ***** the **** **** *** password."
  • "***********, ** **** ****** for *** *****. *** user ***** *** ********* for ******** ** **** of ************. ******* ******** with ************* *** **** on ****. ** *** provide ** ******** *****, typically **** ** *** cellphone. ****** ****** ****** typically ******* **** *********."
  • "**** **** ****** ** check *** ******* **** where ** ******** *** password. **** ** ***** unless *** ******** *** decided ** ****** ** on ***** ***. ** that **** ** ******* the *** ************ *** assistance ** * ******** reset."
  • "****** ******** **.* ** had **** ******* *** day ***** ***. ** was * **** *********. Now **** ******** ** just **** **** ** hit ****** ******** *** they *** ***** * new ******** *** ***** cloud *******. "

Backup ***** ******* **** ****** ********

*********** ******** *****/*****-***** ******** for ******** ******** ** a ********* ******** ****-********. Storing **** *********** (** other ********* ****) ** backup ************* ***** *** lead ** ********** ********** of **** ***********, *** is ********* *** * recommended ********. ** * minimum, *********** ****** **** way ****** ** ********* with * ****** ***, and *** **** ** publicly-accessible *******.

Manufacturer ******** ******** ******* ***********

******** ******** '********', **** as ***********'* ****-**** ******** ********, ******** ******** *****, ****** ***** ** needless **** ** ******. A ***** ********** ** integrators ********** ****-********* ** creating ********* ***** ******** to ****** **** **** user *********, *** ********** manufacturer ********* ** **** would **** ****** *** message *******. ************* **** provide *****/******** ** ******* lost ***** ********* ** so ** *** ******* of *** ******* ******** of ***** *******, *** by *********, ***** *****. Integrators, ** *****, **** are ********* ***** *** cyber ******** ** ***** systems ****** ******** ************* on *** ********* ** password ******** *********/*******, *** give ******* ************* ** those ******** **** ***** this.

Comments (10)

***** *** ** *** Microsoft ***** ** ******** admins, *********, *** *** addresses *** ** *** discussing *** ******** ******* that **** *** ******* to **** *** ** our ******* ** *** place. **** ****** **** any *********** **** **** implemented **** *******?

*'* * *** *** of ******** *** ******** use, *** * ***** easily *** ***** ** for ******* ************* ** customer ********* ********* ** an **********. **'* ***** based *** ******** * factor **************, *** *** can ***** ********* ******* accounts ** ******.

******* ** * ***** offline *********** ***, **** make **** ** **** a ******!

* ******* ***** ******** since **'* ********* *** moved ** ******* ***** the ***** **** *** have **** ***** **** since.

******** *** **** ****** multiple ***** ** ******** multiple ******** ******* =(

**

**** ** *** ******* *** * ******** *** **** ****** database **** **, ***** *** ******** **** *******...*** ********* **** we *** ***** ******, **** **********, *** *** **** ********* security ***** ****** *** ********

* *** * ******** encrypted "*******" *********, ****** in *******.

*** ******* *****'* *** nice **** ***** *** access *** ******** ******** from ***** *******, ***** e.g. "***************". * ***** there *** **** *** iOS ***. *** ******* OS *** ********* ****.

** ***** *** ** ☺️

****** ********* ******** *** using * ********* ******, its ***** ****** ******** option **** **** /**** 4200 ********,****** * **** (example: **-******-********************************-************.*** ) *** send **** ** ***** Hikvision ******* ****, **** will ****** *** **** reset **** (*******:**********.***). ****** this *** ***** *** devices. ** ******** *****.

* ***** ********* *** to ***** *** **** commercial/enterprise ******** ********** *********, that *** *** **** use ** ****** *******, etc...

********:

  • ****
  • *******
  • ********
  • ******

*** ***** ** *** unique ** *** ********, right?

********. *** *** ******* linux **** ****** ** you **** ******** ****** to *** *******.

********. *** *** ******* software ******** ** *** have "*************" **** ****** to *** **. *******: http://smallbusiness.chron.com/reset-mailbox-password-exchange-server-57287.html

**, *** ** *** industry *********** ****** "****** accounts" ( * ****** using *** **** ******** for ***** ********) ** save ********* ** ****** text *****?

*** *** ****, **** software **** *** ***** to ******* ***** ******** having ** ***** ********?

*'* *** ** *** manufactures:-) ** ***** ** restore ***** ******** **(*** only **) *** **** admin ****** ** *** machine **. ***, ** you **** **, *** practically *** ** ******** anyway... *** ** ***** it *****?

* ***** **** ***. If *** **** **** access ** *** *******, you *** ** **********.

*** ** **** ***** (e.g. ******** ***** ***** NVR/DVR), *** **** ** access ** *** ****** shell (***** **** *** manufacturer ******* ***** **-********), in **** **** *** need ****** ******** ** a **** ******** ******* to ******* **** ********* on *** *****.

* ***** ********** ** ***** ******* *** ****** *** ***/***.
