Forgotten Password Problem Importance (Statistics)

By Michael Budalich, Published on Sep 15, 2017

Forgotten passwords has become a major industry topic.

For example, Hikvision has been emailing admin passwords in plain text until IPVM's reporting prompted them to stop it.

And XiongMai, famous for its role in 2016's massive Mirai botnet attacks, allows mass emailing master password lists, like so:

Dahua and Hikvision still send out passwords, even after Hikvision's previous tool was cracked.

How Big A Problem Is This?

The great lengths that these companies go clearly implies that some people are having significant problems with forgotten passwords.

But how big of a problem is it overall?

150 integrators responded to IPVM's survey question:

How significant of a problem is your customers forgetting their recorder's password? What do you typically do when it happens?

In this report we examine the problem of lost admin passwords, how integrators manage this problem, and why manufacturer support for recoverable admin passwords is poor design.

Lost ********* ****** ****** ***********

*********** ******* ***** ********* passwords ** ** *************:

**** **** **** **** not **** **** ********* never forget *********, *** **** integrators ********** ****, *** manage *** ******* ** advance, ** ********* ***** show. *** *** **** common ********** **** ***** backup ********, ** *********** user ***********.

Solved **** ****** *******

*** **** ****** ******** (~66% ** *********** ****** problem **** ***********) ** managing **** ********* *** to ******** * ****** account, ** ******** *** of *** ***** *******. Instead ** ****** ***** admin ******, **** ******* users **** ***** *** accounts. **** ******* *** integrators ** ***** **** these ******** *** ***** the ********** ***** ********.

  • "*** * **** ******* as ** ******* **** out ************* ******** ***** so ** *** ****** the **** *** ***** their ********. ** ****** happens, *** **** ** does ** ** *** same ********* **** *** over."
  • "** ** *** * significant ******* *** ** tend ** ** ****** systems ******* * ***** see ** ****** **** in ******* ******* (** residential ** ***** ** do **** ******). **** a *** ********** *** large ********** ******* ***** managed **********, ** ******* have *** *** ***** account."
  • "**** **** *** ****** very *****, *** **** it **** ** ** for *** ******* *************. I ***** ** ** because **** ***'* *** it ***** **** **** it. ***** *** *** many ***** ** ***'* have ****** ****** **, so ** **** ****** in *** ***** *** password. **** ****** *** find **** ** **** remote ****** ***** **** our *** ******** *** password **** ***** ******."
  • "****** ********. ** ******** set ********* ** **** an ******* ** ** will ****** ***-** *** create/change ***** ******** ** work **** *** ************ tech ******* ** ***** the **** ** * worst **** ********."
  • "** ****** ****** ** extra **** **** ***** rights *** ******* ***** forgeten ******** *****."
  • "** ** *** **** out ***** ******** ****. If ****** ******** ****** mgr ******** ** ******."
  • "** ****** **** * series ** ************** ******** including ******** ******** ** all ******* ** ******. We ******** * ****** internal ******** ****** ** retain *** ******* ** a ******* ****** ********* client *********, ********** ********* and ************** *********."
  • "** ****** **** * separate ***** ******** ** we *** ****** ****** if ******. **** ** the ******** ** ** Admin ** **** **** separate."
  • "*** *****, *** **'* a *** ******* **** it ****. ** ********* have *** *** ***** password, ********* ************ ****** or **** **** (** Hik :*)"
  • "** ********* ***'* **** this ***** ** ** create * ***** *** them *** *** *** us **** *** ** can ****** *** **** the ******. ********* ****** sure ** **** *** config **** ** ** have ** ******* *** system."
  • "** **** * ****** of *** ********* ** admin ***** ******** ** customer ****** ************ *********. We **** ******** ** admin ***** ***** ******* by *** *****. ** remotely ******* **** ***** and ** **** **** both **** *** ****** it ******* * *********** cost ** **** *** attendance *** ********."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "********* ***** ** ********** specific ***** ***** *** password ** *** ********. This ****** ** ** resent ***** ********."
  • "*** ******* ** ***** when ** ** ********* that ** ******* ******* we *** ** * standard ***** ******* *** our *******"

Solved **** *************

*** ***** ****** ********, ~33% ** ***** *** felt **** ********* **** not * *********** *****, was ** **** ************* of *********, ** **** customers ***** ** ******** what ***** ******** ***.

  • "** **** *** *** recorder ** *** ** and *** ******** ******* can ****** ******."
  • "******* ** **** ** our *******. **** **** the ******** ** ******** on *** **** ** digitally."
  • "*********... ** **** ** you **** **** ******* of *** ************* ** a ******* ******** **** as **** ***...*** **** can **** **** ********"
  • "**** ************ ****** *** call **. ** *** to **** * ******** record ** *** *****."
  • "*** * ****** *******. We ** ******* **** a ****** ** ******* password ** **** ** they ** ****** **** they ****."
  • "** **** * ****** of *** *********, ** doesn't ****** ***** ******."
  • "* ***'* ******** * single ********. ** ****** document *** ***********"
  • "*** *******. * ****** the ************, **** **** how ********** ***** *** print *** * ***** with *** *** ******* of *** ******. * tell **** **** **** information *** ***** *********** are ********* *** ** keep ** * **** place. ****** * **** nearly ******** ******* ***** login *********** *** ***** the ***** **** *** the **** ** *** system. ***********, * ******** everything *** *** **** them **** **** *******."

Rarely *******

*** **** ***********, ********* passwords *** * **** occurrence. **** *** ** due ** ******* **** use ****** *********, ** other ************** ******* **** Active ********* ************, ***** forgotten ********* ***** ****** be ******* ** *** customers ** **********, ******* of *** **********.

  • "*** ***** ** ***. But **** **** **, it's * ******* ****. We *** *** ******** to ******* ********** *********** subscriptions ***** *** ******* us ****** **** **** management ** *** ***** system."
  • "*% ****, ** **** use *** ****** ******** except *** **** ******* premise ***** **** ** not ***** ****."
  • "*** *********** ** *** clients ****** **** *** client **** ** ***** devices. ***** ******* *** usually ******** *********, ** we ******* *** ****** to ** **** ** auto *** **."
  • "** *** *** **** a *********** *****."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "*** ***********; ** *** a ********* ******** ** each *******, *** **** customers ** *** ****** it."
  • "*************. ****** *** ************* are ********** **** ******* Active *********."
  • "*** ***** *** **** it **** ** ****** in ********* ** *** them."

Significant ******* *********

*********** *** **** **** passwords ** * *********** problem ***** ****** ** manufacturer ******* ** ***** to ***** **** ******** problems:

  • "**** ******. ** **** on ************* ** **** some **** ** ******** program. * **** ***** initiating * ******* ********** where ** *** ********** hold *** *** ***** password ** ** *** always ****** *** *********, but **** ********* ** not **** **** ****."
  • "*****. ** **** ***** I *** ** ****** them ** ***** ****** which **** ******** ************* and ****** ** *** be ******** **** **** to ****."
  • "*** *** ************ *******"
  • "**** ***********, ** **** application ** **** *** up ** ************* ****** and ******** *** ***** the **** **** *** password."
  • "***********, ** **** ****** for *** *****. *** user ***** *** ********* for ******** ** **** of ************. ******* ******** with ************* *** **** on ****. ** *** provide ** ******** *****, typically **** ** *** cellphone. ****** ****** ****** typically ******* **** *********."
  • "**** **** ****** ** check *** ******* **** where ** ******** *** password. **** ** ***** unless *** ******** *** decided ** ****** ** on ***** ***. ** that **** ** ******* the *** ************ *** assistance ** * ******** reset."
  • "****** ******** **.* ** had **** ******* *** day ***** ***. ** was * **** *********. Now **** ******** ** just **** **** ** hit ****** ******** *** they *** ***** * new ******** *** ***** cloud *******. "

Backup ***** ******* **** ****** ********

*********** ******** *****/*****-***** ******** for ******** ******** ** a ********* ******** ****-********. Storing **** *********** (** other ********* ****) ** backup ************* ***** *** lead ** ********** ********** of **** ***********, *** ** generally *** * *********** approach. ** * *******, information ****** **** *** should ** ********* **** a ****** ***, *** not **** ** ********-********** systems.

Manufacturer ******** ******** ******* *********** 

******** ******** '********', **** as ***********'* ****-**** ******** ********, ******** ******** *****, ****** ***** ** needless **** ** ******. A ***** ********** ** integrators ********** ****-********* ** creating ********* ***** ******** to ****** **** **** user *********, *** ********** manufacturer ********* ** **** would **** ****** *** message *******. ************* **** provide *****/******** ** ******* lost ***** ********* ** so ** *** ******* of *** ******* ******** of ***** *******, *** by *********, ***** *****. Integrators, ** *****, **** are ********* ***** *** cyber ******** ** ***** systems ****** ******** ************* on *** ********* ** password ******** *********/*******, *** give ******* ************* ** those ******** **** ***** this.

Comments (10)

Right now we use Microsoft Excel to document admins, passwords, and MAC addresses but we are discussing new software options that have the ability to have all of our clients in one place. Does anyone have any suggestions they have implemented with success? 

I'm a big fan of LastPass for personal use, and I could easily see using it for keeping documentation of customer equipment passwords as an integrator. It's cloud based and supports 2 factor authentication, and you can share passwords between accounts as needed.

Keepass is a great offline alternative too, just make sure to keep a backup!

I started using Lastpass since it's inception but moved to KeePass since the first hack and have been happy ever since.

Lastpass has been hacked multiple times or suffered multiple attempts already =(

Hi

also we are looking for a software for keep client database with IP, ports and password from devices...but somethink that we can acces remote, from smartphone, etc and with different security acces levels for security 

I use a strongly encrypted "Keepass" databases,  stored in Dropbox.

For Android there's are nice apps which can access the database directly from cloud sevices, check e.g.  "Keepass2Android". I guess there are apps for iOS too. All desktop OS are supported also. 

It works for me ☺️

 

Latest Hikvision products are using a different method, its using forget password option SADP tool /iVMS 4200 software,export a file (example: DS-760XNI-EX_8P0X2014112AAARR491942694WCVU-20170XXX1554.xml ) and send same to local Hikvision support team, they will revert you with reset file (example:Encryptkey.xml). Import this and reset you devices. NO Question asked.

I would recommend you to check for more commercial/enterprise Password Management solutions, that you can also use to secure servers, etc...

 

Examples:

  • Zoho
  • OnionID
  • Thycotic
  • Keeper

 

The issue is not unique to our industry, right?

Example1. You can restore linux root access if you have physical access to the machine.

Example2. You can restore software password if you have "administrator" type access to the OS. Example: http://smallbusiness.chron.com/reset-mailbox-password-exchange-server-57287.html 

So, why in the industry integrators create "backup accounts" ( I assume using the same password for every customer) or save passwords in shared text files?

Are you sure, your software does not allow to restore admin password having OS admin password? 

I'm one of VMS manufactures:-) We allow to restore admin password if(and only if) you have admin access to the machine OS. Btw, if you have it, you practically can do anything anyway... Are we doing it wrong?

I agree with you. If you have root access to the machine, you can do everything.

But in many cases (e.g. Embedded Linux based NVR/DVR), you have no access to the system shell (given that the manufacturer thought about IT-Security), in this case you need backup accounts or a good password storage to support your customers on the phone.

I would understand if those answers are mostly for NRV/DVR. 

Read this IPVM report for free.

This article is part of IPVM's 6,592 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...
2020 Mid Year Video Surveillance Industry Guide on Jul 27, 2020
The first half of 2020 has been shocking, for the world generally, and for...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Integrator Acquisitions 'A Good Market' During COVID-19, Says Greybeards on Jul 28, 2020
Industry broker Ron Davis of the "Greybeards" says that the integrator and...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Worst Over But Integrators Still Dealing With Coronavirus Problems (June Statistics) on Jun 30, 2020
While numbers of integrators very impacted by Coronavirus continue to drop,...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
False: Verkada: "If You Want To Remote View Your Cameras You Need To Punch Holes In Your Firewall" on Jul 31, 2020
Verkada falsely declared to “3,000+ customers”, “300 school districts”, and...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Anyvision Raises $43 Million, Focusing on Access Control And Remote Authentication on Sep 04, 2020
While Anyvision has had a tumultuous 2020 with significant layoffs, the...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Thermology Expert: "95-99%" Doing Fever Screening Wrong, Unjustified Compensating Algorithms "Insane" on Aug 27, 2020
A thermology expert tells IPVM "95 to 99% of people" are doing fever...

Recent Reports

ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...