Forgotten Password Problem Importance (Statistics)

By: Michael Budalich, Published on Sep 15, 2017

Forgotten passwords has become a major industry topic.

For example, Hikvision has been emailing admin passwords in plain text until IPVM's reporting prompted them to stop it.

And XiongMai, famous for its role in 2016's massive Mirai botnet attacks, allows mass emailing master password lists, like so:

Dahua and Hikvision still send out passwords, even after Hikvision's previous tool was cracked.

How Big A Problem Is This?

The great lengths that these companies go clearly implies that some people are having significant problems with forgotten passwords.

But how big of a problem is it overall?

150 integrators responded to IPVM's survey question:

How significant of a problem is your customers forgetting their recorder's password? What do you typically do when it happens?

In this report we examine the problem of lost admin passwords, how integrators manage this problem, and why manufacturer support for recoverable admin passwords is poor design.

********* ********* *** ****** a ***** ******** *****.

*** *******,********* *** **** ******** admin ********* ** ***** text***** ****'* ********* ******** them ** **** **.

***********, ****** *** *** role ** ****'* ******* Mirai ****** *******, ****** **** ******** ****** ******** lists, **** **:

***** *** ********* ***** send *** *********, **** after*********'* ******** **** *** cracked.

How *** * ******* ** ****?

*** ***** ******* **** these ********* ** ******* implies **** **** ****** are ****** *********** ******** with ********* *********.

*** *** *** ** a ******* ** ** overall?

*** *********** ********* ** IPVM's ****** ********:

*** *********** ** * problem ** **** ********* forgetting ***** ********'* ********? What ** *** ********* do **** ** *******?

** **** ****** ** examine *** ******* ** lost ***** *********, *** integrators ****** **** *******, and *** ************ ******* for *********** ***** ********* is **** ******.

[***************]

Lost ********* ****** ****** ***********

*********** ******* ***** ********* passwords ** ** *************:

**** **** **** **** not **** **** ********* never forget *********, *** **** integrators ********** ****, *** manage *** ******* ** advance, ** ********* ***** show. *** *** **** common ********** **** ***** backup ********, ** *********** user ***********.

Solved **** ****** *******

*** **** ****** ******** (~66% ** *********** ****** problem **** ***********) ** managing **** ********* *** to ******** * ****** account, ** ******** *** of *** ***** *******. Instead ** ****** ***** admin ******, **** ******* users **** ***** *** accounts. **** ******* *** integrators ** ***** **** these ******** *** ***** the ********** ***** ********.

  • "*** * **** ******* as ** ******* **** out ************* ******** ***** so ** *** ****** the **** *** ***** their ********. ** ****** happens, *** **** ** does ** ** *** same ********* **** *** over."
  • "** ** *** * significant ******* *** ** tend ** ** ****** systems ******* * ***** see ** ****** **** in ******* ******* (** residential ** ***** ** do **** ******). **** a *** ********** *** large ********** ******* ***** managed **********, ** ******* have *** *** ***** account."
  • "**** **** *** ****** very *****, *** **** it **** ** ** for *** ******* *************. I ***** ** ** because **** ***'* *** it ***** **** **** it. ***** *** *** many ***** ** ***'* have ****** ****** **, so ** **** ****** in *** ***** *** password. **** ****** *** find **** ** **** remote ****** ***** **** our *** ******** *** password **** ***** ******."
  • "****** ********. ** ******** set ********* ** **** an ******* ** ** will ****** ***-** *** create/change ***** ******** ** work **** *** ************ tech ******* ** ***** the **** ** * worst **** ********."
  • "** ****** ****** ** extra **** **** ***** rights *** ******* ***** forgeten ******** *****."
  • "** ** *** **** out ***** ******** ****. If ****** ******** ****** mgr ******** ** ******."
  • "** ****** **** * series ** ************** ******** including ******** ******** ** all ******* ** ******. We ******** * ****** internal ******** ****** ** retain *** ******* ** a ******* ****** ********* client *********, ********** ********* and ************** *********."
  • "** ****** **** * separate ***** ******** ** we *** ****** ****** if ******. **** ** the ******** ** ** Admin ** **** **** separate."
  • "*** *****, *** **'* a *** ******* **** it ****. ** ********* have *** *** ***** password, ********* ************ ****** or **** **** (** Hik :*)"
  • "** ********* ***'* **** this ***** ** ** create * ***** *** them *** *** *** us **** *** ** can ****** *** **** the ******. ********* ****** sure ** **** *** config **** ** ** have ** ******* *** system."
  • "** **** * ****** of *** ********* ** admin ***** ******** ** customer ****** ************ *********. We **** ******** ** admin ***** ***** ******* by *** *****. ** remotely ******* **** ***** and ** **** **** both **** *** ****** it ******* * *********** cost ** **** *** attendance *** ********."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "********* ***** ** ********** specific ***** ***** *** password ** *** ********. This ****** ** ** resent ***** ********."
  • "*** ******* ** ***** when ** ** ********* that ** ******* ******* we *** ** * standard ***** ******* *** our *******"

Solved **** *************

*** ***** ****** ********, ~33% ** ***** *** felt **** ********* **** not * *********** *****, was ** **** ************* of *********, ** **** customers ***** ** ******** what ***** ******** ***.

  • "** **** *** *** recorder ** *** ** and *** ******** ******* can ****** ******."
  • "******* ** **** ** our *******. **** **** the ******** ** ******** on *** **** ** digitally."
  • "*********... ** **** ** you **** **** ******* of *** ************* ** a ******* ******** **** as **** ***...*** **** can **** **** ********"
  • "**** ************ ****** *** call **. ** *** to **** * ******** record ** *** *****."
  • "*** * ****** *******. We ** ******* **** a ****** ** ******* password ** **** ** they ** ****** **** they ****."
  • "** **** * ****** of *** *********, ** doesn't ****** ***** ******."
  • "* ***'* ******** * single ********. ** ****** document *** ***********"
  • "*** *******. * ****** the ************, **** **** how ********** ***** *** print *** * ***** with *** *** ******* of *** ******. * tell **** **** **** information *** ***** *********** are ********* *** ** keep ** * **** place. ****** * **** nearly ******** ******* ***** login *********** *** ***** the ***** **** *** the **** ** *** system. ***********, * ******** everything *** *** **** them **** **** *******."

Rarely *******

*** **** ***********, ********* passwords *** * **** occurrence. **** *** ** due ** ******* **** use ****** *********, ** other ************** ******* **** Active ********* ************, ***** forgotten ********* ***** ****** be ******* ** *** customers ** **********, ******* of *** **********.

  • "*** ***** ** ***. But **** **** **, it's * ******* ****. We *** *** ******** to ******* ********** *********** subscriptions ***** *** ******* us ****** **** **** management ** *** ***** system."
  • "*% ****, ** **** use *** ****** ******** except *** **** ******* premise ***** **** ** not ***** ****."
  • "*** *********** ** *** clients ****** **** *** client **** ** ***** devices. ***** ******* *** usually ******** *********, ** we ******* *** ****** to ** **** ** auto *** **."
  • "** *** *** **** a *********** *****."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "*** ***********; ** *** a ********* ******** ** each *******, *** **** customers ** *** ****** it."
  • "*************. ****** *** ************* are ********** **** ******* Active *********."
  • "*** ***** *** **** it **** ** ****** in ********* ** *** them."

Significant ******* *********

*********** *** **** **** passwords ** * *********** problem ***** ****** ** manufacturer ******* ** ***** to ***** **** ******** problems:

  • "**** ******. ** **** on ************* ** **** some **** ** ******** program. * **** ***** initiating * ******* ********** where ** *** ********** hold *** *** ***** password ** ** *** always ****** *** *********, but **** ********* ** not **** **** ****."
  • "*****. ** **** ***** I *** ** ****** them ** ***** ****** which **** ******** ************* and ****** ** *** be ******** **** **** to ****."
  • "*** *** ************ *******"
  • "**** ***********, ** **** application ** **** *** up ** ************* ****** and ******** *** ***** the **** **** *** password."
  • "***********, ** **** ****** for *** *****. *** user ***** *** ********* for ******** ** **** of ************. ******* ******** with ************* *** **** on ****. ** *** provide ** ******** *****, typically **** ** *** cellphone. ****** ****** ****** typically ******* **** *********."
  • "**** **** ****** ** check *** ******* **** where ** ******** *** password. **** ** ***** unless *** ******** *** decided ** ****** ** on ***** ***. ** that **** ** ******* the *** ************ *** assistance ** * ******** reset."
  • "****** ******** **.* ** had **** ******* *** day ***** ***. ** was * **** *********. Now **** ******** ** just **** **** ** hit ****** ******** *** they *** ***** * new ******** *** ***** cloud *******. "

Backup ***** ******* **** ****** ********

*********** ******** *****/*****-***** ******** for ******** ******** ** a ********* ******** ****-********. Storing **** *********** (** other ********* ****) ** backup ************* ***** *** lead ** ********** ********** of **** ***********, *** ** generally *** * *********** approach. ** * *******, information ****** **** *** should ** ********* **** a ****** ***, *** not **** ** ********-********** systems.

Manufacturer ******** ******** ******* *********** 

******** ******** '********', **** as ***********'* ****-**** ******** ********, ******** ******** *****, ****** ***** ** needless **** ** ******. A ***** ********** ** integrators ********** ****-********* ** creating ********* ***** ******** to ****** **** **** user *********, *** ********** manufacturer ********* ** **** would **** ****** *** message *******. ************* **** provide *****/******** ** ******* lost ***** ********* ** so ** *** ******* of *** ******* ******** of ***** *******, *** by *********, ***** *****. Integrators, ** *****, **** are ********* ***** *** cyber ******** ** ***** systems ****** ******** ************* on *** ********* ** password ******** *********/*******, *** give ******* ************* ** those ******** **** ***** this.

Comments (10)

Right now we use Microsoft Excel to document admins, passwords, and MAC addresses but we are discussing new software options that have the ability to have all of our clients in one place. Does anyone have any suggestions they have implemented with success? 

I'm a big fan of LastPass for personal use, and I could easily see using it for keeping documentation of customer equipment passwords as an integrator. It's cloud based and supports 2 factor authentication, and you can share passwords between accounts as needed.

Keepass is a great offline alternative too, just make sure to keep a backup!

I started using Lastpass since it's inception but moved to KeePass since the first hack and have been happy ever since.

Lastpass has been hacked multiple times or suffered multiple attempts already =(

Hi

also we are looking for a software for keep client database with IP, ports and password from devices...but somethink that we can acces remote, from smartphone, etc and with different security acces levels for security 

I use a strongly encrypted "Keepass" databases,  stored in Dropbox.

For Android there's are nice apps which can access the database directly from cloud sevices, check e.g.  "Keepass2Android". I guess there are apps for iOS too. All desktop OS are supported also. 

It works for me ☺️

 

Latest Hikvision products are using a different method, its using forget password option SADP tool /iVMS 4200 software,export a file (example: DS-760XNI-EX_8P0X2014112AAARR491942694WCVU-20170XXX1554.xml ) and send same to local Hikvision support team, they will revert you with reset file (example:Encryptkey.xml). Import this and reset you devices. NO Question asked.

I would recommend you to check for more commercial/enterprise Password Management solutions, that you can also use to secure servers, etc...

 

Examples:

  • Zoho
  • OnionID
  • Thycotic
  • Keeper

 

The issue is not unique to our industry, right?

Example1. You can restore linux root access if you have physical access to the machine.

Example2. You can restore software password if you have "administrator" type access to the OS. Example: http://smallbusiness.chron.com/reset-mailbox-password-exchange-server-57287.html 

So, why in the industry integrators create "backup accounts" ( I assume using the same password for every customer) or save passwords in shared text files?

Are you sure, your software does not allow to restore admin password having OS admin password? 

I'm one of VMS manufactures:-) We allow to restore admin password if(and only if) you have admin access to the machine OS. Btw, if you have it, you practically can do anything anyway... Are we doing it wrong?

I agree with you. If you have root access to the machine, you can do everything.

But in many cases (e.g. Embedded Linux based NVR/DVR), you have no access to the system shell (given that the manufacturer thought about IT-Security), in this case you need backup accounts or a good password storage to support your customers on the phone.

I would understand if those answers are mostly for NRV/DVR. 

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed access to the recorders. While it was first attributed to Huawei...
Remote Access (DDNS vs P2P vs VPN) Usage Statistics 2019 on Oct 25, 2019
Remote access can make systems more usable but also more vulnerable. How are integrators delivring remote access in 2019? How many are using...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Subnetting for Video Surveillance on Apr 30, 2019
This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range,...
HTTPS / SSL Video Surveillance Usage Statistics on Apr 01, 2019
HTTPS / SSL / TLS usage has become commonplace for websites to improve security and, in particular, to help mitigate attackers reading or modifying...

Most Recent Industry Reports

"Fever Camera" Show Starts Tuesday on May 31, 2020
IPVM is excited for the world's first "Fever Camera" show, to be held this Tuesday, June 2nd and Wednesday the 3rd from 11am to 3pm EDT, giving you...
Proxy Presents Mobile Credentials For BLE Devices and Access on May 29, 2020
Proxy presented Mobile Credentials For BLE Devices and Access at the May 2020 IPVM Startups show. Inside this report: A 30-minute video...
ISC West 2020 Moves To The Basement on May 29, 2020
The twice cancelled/postponed show will now not only be held in a different month (October) but on a different floor, moving down to the...
Integrators Avoiding Coronavirus Air Travel on May 29, 2020
IPVM asked integrators if air travel is part of their 2020 plans to see how significantly Coronavirus will impact future...
Viakoo Presents Cyber Hygiene for Cameras on May 28, 2020
Viakoo presented its 'Cyber Hygiene' and 'Service Assurance' products at the April 2020 IPVM New Products show. Inside this report: A...
Seek Scan Thermal Temperature Screening System ReTested on May 28, 2020
Now that IPVM has tested Dahua, Hikvision, and Sunell, we are returning to Seek, the first blackbody system we tested and retested it with our...
Directory of 110 "Fever" Camera Suppliers on May 28, 2020
This directory provides a list of "Fever" scanning thermal camera providers to help you see and research what options are available. There are...
Fever Cameras Are Medical Devices, Per The FDA, Dahua, Feevr, Hikvision, InVid Contrary Claims Are False on May 28, 2020
Fever cameras are medical devices, despite what euphemisms various sellers use. The US FDA clearly categorizes them as medical devices and...
Wyze Raises $10 Million And Seeks Services Expansion on May 27, 2020
Wyze has raised $10 million, the company's first disclosed raise since the $20 million announced at the beginning of 2019. Inside this note,...
Startup Videoloft Presents Cloud Storage on May 27, 2020
Videoloft presented offsite cloud storage at the May 2020 IPVM Startups show. A 30-minute video from Videoloft including IPVM...