Forgotten Password Problem Importance (Statistics)

By: Michael Budalich, Published on Sep 15, 2017

Forgotten passwords has become a major industry topic.

For example, Hikvision has been emailing admin passwords in plain text until IPVM's reporting prompted them to stop it.

And XiongMai, famous for its role in 2016's massive Mirai botnet attacks, allows mass emailing master password lists, like so:

Dahua and Hikvision still send out passwords, even after Hikvision's previous tool was cracked.

How Big A Problem Is This?

The great lengths that these companies go clearly implies that some people are having significant problems with forgotten passwords.

But how big of a problem is it overall?

150 integrators responded to IPVM's survey question:

How significant of a problem is your customers forgetting their recorder's password? What do you typically do when it happens?

In this report we examine the problem of lost admin passwords, how integrators manage this problem, and why manufacturer support for recoverable admin passwords is poor design.

********* ********* *** ****** a ***** ******** *****.

*** *******,********* *** **** ******** admin ********* ** ***** text***** ****'* ********* ******** them ** **** **.

***********, ****** *** *** role ** ****'* ******* Mirai ****** *******, ****** **** ******** ****** ******** lists, **** **:

***** *** ********* ***** send *** *********, **** after*********'* ******** **** *** cracked.

How *** * ******* ** ****?

*** ***** ******* **** these ********* ** ******* implies **** **** ****** are ****** *********** ******** with ********* *********.

*** *** *** ** a ******* ** ** overall?

*** *********** ********* ** IPVM's ****** ********:

*** *********** ** * problem ** **** ********* forgetting ***** ********'* ********? What ** *** ********* do **** ** *******?

** **** ****** ** examine *** ******* ** lost ***** *********, *** integrators ****** **** *******, and *** ************ ******* for *********** ***** ********* is **** ******.

[***************]

Lost ********* ****** ****** ***********

*********** ******* ***** ********* passwords ** ** *************:

**** **** **** **** not **** **** ********* never forget *********, *** **** integrators ********** ****, *** manage *** ******* ** advance, ** ********* ***** show. *** *** **** common ********** **** ***** backup ********, ** *********** user ***********.

Solved **** ****** *******

*** **** ****** ******** (~66% ** *********** ****** problem **** ***********) ** managing **** ********* *** to ******** * ****** account, ** ******** *** of *** ***** *******. Instead ** ****** ***** admin ******, **** ******* users **** ***** *** accounts. **** ******* *** integrators ** ***** **** these ******** *** ***** the ********** ***** ********.

  • "*** * **** ******* as ** ******* **** out ************* ******** ***** so ** *** ****** the **** *** ***** their ********. ** ****** happens, *** **** ** does ** ** *** same ********* **** *** over."
  • "** ** *** * significant ******* *** ** tend ** ** ****** systems ******* * ***** see ** ****** **** in ******* ******* (** residential ** ***** ** do **** ******). **** a *** ********** *** large ********** ******* ***** managed **********, ** ******* have *** *** ***** account."
  • "**** **** *** ****** very *****, *** **** it **** ** ** for *** ******* *************. I ***** ** ** because **** ***'* *** it ***** **** **** it. ***** *** *** many ***** ** ***'* have ****** ****** **, so ** **** ****** in *** ***** *** password. **** ****** *** find **** ** **** remote ****** ***** **** our *** ******** *** password **** ***** ******."
  • "****** ********. ** ******** set ********* ** **** an ******* ** ** will ****** ***-** *** create/change ***** ******** ** work **** *** ************ tech ******* ** ***** the **** ** * worst **** ********."
  • "** ****** ****** ** extra **** **** ***** rights *** ******* ***** forgeten ******** *****."
  • "** ** *** **** out ***** ******** ****. If ****** ******** ****** mgr ******** ** ******."
  • "** ****** **** * series ** ************** ******** including ******** ******** ** all ******* ** ******. We ******** * ****** internal ******** ****** ** retain *** ******* ** a ******* ****** ********* client *********, ********** ********* and ************** *********."
  • "** ****** **** * separate ***** ******** ** we *** ****** ****** if ******. **** ** the ******** ** ** Admin ** **** **** separate."
  • "*** *****, *** **'* a *** ******* **** it ****. ** ********* have *** *** ***** password, ********* ************ ****** or **** **** (** Hik :*)"
  • "** ********* ***'* **** this ***** ** ** create * ***** *** them *** *** *** us **** *** ** can ****** *** **** the ******. ********* ****** sure ** **** *** config **** ** ** have ** ******* *** system."
  • "** **** * ****** of *** ********* ** admin ***** ******** ** customer ****** ************ *********. We **** ******** ** admin ***** ***** ******* by *** *****. ** remotely ******* **** ***** and ** **** **** both **** *** ****** it ******* * *********** cost ** **** *** attendance *** ********."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "********* ***** ** ********** specific ***** ***** *** password ** *** ********. This ****** ** ** resent ***** ********."
  • "*** ******* ** ***** when ** ** ********* that ** ******* ******* we *** ** * standard ***** ******* *** our *******"

Solved **** *************

*** ***** ****** ********, ~33% ** ***** *** felt **** ********* **** not * *********** *****, was ** **** ************* of *********, ** **** customers ***** ** ******** what ***** ******** ***.

  • "** **** *** *** recorder ** *** ** and *** ******** ******* can ****** ******."
  • "******* ** **** ** our *******. **** **** the ******** ** ******** on *** **** ** digitally."
  • "*********... ** **** ** you **** **** ******* of *** ************* ** a ******* ******** **** as **** ***...*** **** can **** **** ********"
  • "**** ************ ****** *** call **. ** *** to **** * ******** record ** *** *****."
  • "*** * ****** *******. We ** ******* **** a ****** ** ******* password ** **** ** they ** ****** **** they ****."
  • "** **** * ****** of *** *********, ** doesn't ****** ***** ******."
  • "* ***'* ******** * single ********. ** ****** document *** ***********"
  • "*** *******. * ****** the ************, **** **** how ********** ***** *** print *** * ***** with *** *** ******* of *** ******. * tell **** **** **** information *** ***** *********** are ********* *** ** keep ** * **** place. ****** * **** nearly ******** ******* ***** login *********** *** ***** the ***** **** *** the **** ** *** system. ***********, * ******** everything *** *** **** them **** **** *******."

Rarely *******

*** **** ***********, ********* passwords *** * **** occurrence. **** *** ** due ** ******* **** use ****** *********, ** other ************** ******* **** Active ********* ************, ***** forgotten ********* ***** ****** be ******* ** *** customers ** **********, ******* of *** **********.

  • "*** ***** ** ***. But **** **** **, it's * ******* ****. We *** *** ******** to ******* ********** *********** subscriptions ***** *** ******* us ****** **** **** management ** *** ***** system."
  • "*% ****, ** **** use *** ****** ******** except *** **** ******* premise ***** **** ** not ***** ****."
  • "*** *********** ** *** clients ****** **** *** client **** ** ***** devices. ***** ******* *** usually ******** *********, ** we ******* *** ****** to ** **** ** auto *** **."
  • "** *** *** **** a *********** *****."
  • "*** ********* ****** ******. If **** ** ** have * ******** *** can ***** ***** ******** when *********."
  • "*** ***********; ** *** a ********* ******** ** each *******, *** **** customers ** *** ****** it."
  • "*************. ****** *** ************* are ********** **** ******* Active *********."
  • "*** ***** *** **** it **** ** ****** in ********* ** *** them."

Significant ******* *********

*********** *** **** **** passwords ** * *********** problem ***** ****** ** manufacturer ******* ** ***** to ***** **** ******** problems:

  • "**** ******. ** **** on ************* ** **** some **** ** ******** program. * **** ***** initiating * ******* ********** where ** *** ********** hold *** *** ***** password ** ** *** always ****** *** *********, but **** ********* ** not **** **** ****."
  • "*****. ** **** ***** I *** ** ****** them ** ***** ****** which **** ******** ************* and ****** ** *** be ******** **** **** to ****."
  • "*** *** ************ *******"
  • "**** ***********, ** **** application ** **** *** up ** ************* ****** and ******** *** ***** the **** **** *** password."
  • "***********, ** **** ****** for *** *****. *** user ***** *** ********* for ******** ** **** of ************. ******* ******** with ************* *** **** on ****. ** *** provide ** ******** *****, typically **** ** *** cellphone. ****** ****** ****** typically ******* **** *********."
  • "**** **** ****** ** check *** ******* **** where ** ******** *** password. **** ** ***** unless *** ******** *** decided ** ****** ** on ***** ***. ** that **** ** ******* the *** ************ *** assistance ** * ******** reset."
  • "****** ******** **.* ** had **** ******* *** day ***** ***. ** was * **** *********. Now **** ******** ** just **** **** ** hit ****** ******** *** they *** ***** * new ******** *** ***** cloud *******. "

Backup ***** ******* **** ****** ********

*********** ******** *****/*****-***** ******** for ******** ******** ** a ********* ******** ****-********. Storing **** *********** (** other ********* ****) ** backup ************* ***** *** lead ** ********** ********** of **** ***********, *** ** generally *** * *********** approach. ** * *******, information ****** **** *** should ** ********* **** a ****** ***, *** not **** ** ********-********** systems.

Manufacturer ******** ******** ******* *********** 

******** ******** '********', **** as ***********'* ****-**** ******** ********, ******** ******** *****, ****** ***** ** needless **** ** ******. A ***** ********** ** integrators ********** ****-********* ** creating ********* ***** ******** to ****** **** **** user *********, *** ********** manufacturer ********* ** **** would **** ****** *** message *******. ************* **** provide *****/******** ** ******* lost ***** ********* ** so ** *** ******* of *** ******* ******** of ***** *******, *** by *********, ***** *****. Integrators, ** *****, **** are ********* ***** *** cyber ******** ** ***** systems ****** ******** ************* on *** ********* ** password ******** *********/*******, *** give ******* ************* ** those ******** **** ***** this.

Comments (10)

Right now we use Microsoft Excel to document admins, passwords, and MAC addresses but we are discussing new software options that have the ability to have all of our clients in one place. Does anyone have any suggestions they have implemented with success? 

I'm a big fan of LastPass for personal use, and I could easily see using it for keeping documentation of customer equipment passwords as an integrator. It's cloud based and supports 2 factor authentication, and you can share passwords between accounts as needed.

Keepass is a great offline alternative too, just make sure to keep a backup!

I started using Lastpass since it's inception but moved to KeePass since the first hack and have been happy ever since.

Lastpass has been hacked multiple times or suffered multiple attempts already =(

Hi

also we are looking for a software for keep client database with IP, ports and password from devices...but somethink that we can acces remote, from smartphone, etc and with different security acces levels for security 

I use a strongly encrypted "Keepass" databases,  stored in Dropbox.

For Android there's are nice apps which can access the database directly from cloud sevices, check e.g.  "Keepass2Android". I guess there are apps for iOS too. All desktop OS are supported also. 

It works for me ☺️

 

Latest Hikvision products are using a different method, its using forget password option SADP tool /iVMS 4200 software,export a file (example: DS-760XNI-EX_8P0X2014112AAARR491942694WCVU-20170XXX1554.xml ) and send same to local Hikvision support team, they will revert you with reset file (example:Encryptkey.xml). Import this and reset you devices. NO Question asked.

I would recommend you to check for more commercial/enterprise Password Management solutions, that you can also use to secure servers, etc...

 

Examples:

  • Zoho
  • OnionID
  • Thycotic
  • Keeper

 

The issue is not unique to our industry, right?

Example1. You can restore linux root access if you have physical access to the machine.

Example2. You can restore software password if you have "administrator" type access to the OS. Example: http://smallbusiness.chron.com/reset-mailbox-password-exchange-server-57287.html 

So, why in the industry integrators create "backup accounts" ( I assume using the same password for every customer) or save passwords in shared text files?

Are you sure, your software does not allow to restore admin password having OS admin password? 

I'm one of VMS manufactures:-) We allow to restore admin password if(and only if) you have admin access to the machine OS. Btw, if you have it, you practically can do anything anyway... Are we doing it wrong?

I agree with you. If you have root access to the machine, you can do everything.

But in many cases (e.g. Embedded Linux based NVR/DVR), you have no access to the system shell (given that the manufacturer thought about IT-Security), in this case you need backup accounts or a good password storage to support your customers on the phone.

I would understand if those answers are mostly for NRV/DVR. 

Read this IPVM report for free.

This article is part of IPVM's 6,438 reports, 865 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
"He Is An Idiot!" Exclaims SIA Director John Mack on Mar 23, 2020
Here is another inside look into the "leaders" of the security industry. SIA...
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
2020 Mid Year Video Surveillance Industry Guide on Jul 27, 2020
The first half of 2020 has been shocking, for the world generally, and for...
Terrible Convergint Coronavirus Thermal Camera Recommendation on Apr 01, 2020
A week after Convergint disclosed falling revenue, pay and job cuts,...
Hikvision Hides Xinjiang R&D Activities on Apr 22, 2020
Hikvision has systematically deleted evidence showing their R&D base and...
Faked Coronavirus Fever Detection, Athena Used Hikvision; Responds - Selling NDAA Compliant Cameras, Pledging 50% Of Profits to Victims on Mar 24, 2020
US company, Athena Security, faked its coronavirus fever detection marketing,...
Integrators Hard Hit By Coronavirus on Mar 18, 2020
Integrators are already being hard hit by Coronavirus as brand new IPVM...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
Worst Camera Manufacturers 2020 on May 06, 2020
Which camera manufacturer have integrators had the worst experience with in...
Masks Cause Major Facial Recognition Problems on Feb 24, 2020
Coronavirus is spurring an increase in the use of medical masks, which new...
Don't Deceive. Lessons From Scott Schafer on Mar 20, 2020
Deception is bad. We can learn some important lessons from Scott Schafer, a...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Hikvision Global News Reports Directory on Jun 18, 2020
Hikvision has received the most global news reporting of any video...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...