Forgotten Password Problem Importance

Author: Brian Karas, Published on Sep 15, 2017

Forgotten passwords have become a major industry topic.

For example, Hikvision had been emailing admin passwords in plain text until IPVM's reporting prompted them to stop.

And XiongMai, famous for its role in 2016's massive Mirai botnet attacks, allows mass emailing of master password lists.

Dahua and Hikvision still send out passwords, even after Hikvision's previous tool was cracked.

How Big A Problem Is This?

The great lengths these companies go to clearly imply that some people are having significant problems with forgotten passwords.

But how big of a problem is it overall?

150 integrators responded to IPVM's survey question:

How significant of a problem is your customers forgetting their recorder's password? What do you typically do when it happens?

In this report we examine the problem of lost admin passwords, how integrators manage this problem, and why manufacturer support for recoverable admin passwords is poor design.


