Forgotten Password Problem Importance

Author: Brian Karas, Published on Sep 15, 2017

Forgotten passwords has become a major industry topic.

For example, Hikvision has been emailing admin passwords in plain text until IPVM's reporting prompted them to stop it.

And XiongMai, famous for its role in 2016's massive Mirai botnet attacks, allows mass emailing master password lists, like so:

Dahua and Hikvision still send out passwords, even after Hikvision's previous tool was cracked.

How Big A Problem Is This?

The great lengths that these companies go clearly implies that some people are having significant problems with forgotten passwords.

But how big of a problem is it overall?

150 integrators responded to IPVM's survey question:

How significant of a problem is your customers forgetting their recorder's password? What do you typically do when it happens?

In this report we examine the problem of lost admin passwords, how integrators manage this problem, and why manufacturer support for recoverable admin passwords is poor design.

********* ********* *** ****** * ***** ******** *****.

*** *******,********* *** **** ******** ***** ********* ** ***** ********* ****'* ********* ******** **** ** **** **.

***********, ****** *** *** **** ** ****'* ******* ***** *************, ********** ******** ****** ******** *****, **** **:

***** *** ********* ***** **** *** *********, **** **************'* ******** **** *** *******.

How *** * ******* ** ****?

*** ***** ******* **** ***** ********* ** ******* ******* **** some ****** *** ****** *********** ******** **** ********* *********.

*** *** *** ** * ******* ** ** *******?

*** *********** ********* ** ****'* ****** ********:

*** *********** ** * ******* ** **** ********* ********** ***** recorder's ********? **** ** *** ********* ** **** ** *******?

** **** ****** ** ******* *** ******* ** **** ***** passwords, *** *********** ****** **** *******, *** *** ************ ******* for *********** ***** ********* ** **** ******.

[***************]

Lost ********* ****** ****** ***********

*********** ******* ***** ********* ********* ** ** *************:

**** **** **** **** *** **** **** ********* ***** ****** passwords, *** **** *********** ********** ****, *** ****** *** ******* in *******, ** ********* ***** ****. *** *** **** ****** approaches **** ***** ****** ********, ** *********** **** ***********.

Solved **** ****** *******

*** **** ****** ******** (~**% ** *********** ****** ******* **** significant) ** ******** **** ********* *** ** ******** * ****** account, ** ******** *** ** *** ***** *******. ******* ** giving ***** ***** ******, **** ******* ***** **** ***** *** accounts. **** ******* *** *********** ** ***** **** ***** ******** and ***** *** ********** ***** ********.

  • "*** * **** ******* ** ** ******* **** *** ************* password ***** ** ** *** ****** *** **** *** ***** their ********. ** ****** *******, *** **** ** **** ** is *** **** ********* **** *** ****."
  • "** ** *** * *********** ******* *** ** **** ** do ****** ******* ******* * ***** *** ** ****** **** in ******* ******* (** *********** ** ***** ** ** **** little). **** * *** ********** *** ***** ********** ******* ***** managed **********, ** ******* **** *** *** ***** *******."
  • "**** **** *** ****** **** *****, *** **** ** **** it ** *** *** ******* *************. * ***** ** ** because **** ***'* *** ** ***** **** **** **. ***** are *** **** ***** ** ***'* **** ****** ****** **, so ** **** ****** ** *** ***** *** ********. **** places *** **** **** ** **** ****** ****** ***** **** our *** ******** *** ******** **** ***** ******."
  • "****** ********. ** ******** *** ********* ** **** ** ******* so ** **** ****** ***-** *** ******/****** ***** ******** ** work **** *** ************ **** ******* ** ***** *** **** as * ***** **** ********."
  • "** ****** ****** ** ***** **** **** ***** ****** *** solving ***** ******** ******** *****."
  • "** ** *** **** *** ***** ******** ****. ** ****** remotely ****** *** ******** ** ******."
  • "** ****** **** * ****** ** ************** ******** ********* ******** recovery ** *** ******* ** ******. ** ******** * ****** internal ******** ****** ** ****** *** ******* ** * ******* system ********* ****** *********, ********** ********* *** ************** *********."
  • "** ****** **** * ******** ***** ******** ** ** *** change ****** ** ******. **** ** *** ******** ** ** Admin ** **** **** ********."
  • "*** *****, *** **'* * *** ******* **** ** ****. We ********* **** *** *** ***** ********, ********* ************ ****** or **** **** (** *** :*)"
  • "** ********* ***'* **** **** ***** ** ** ****** * login *** **** *** *** *** ** **** *** ** can ****** *** **** *** ******. ********* ****** **** ** have *** ****** **** ** ** **** ** ******* *** system."
  • "** **** * ****** ** *** ********* ** ***** ***** password ** ******** ****** ************ *********. ** **** ******** ** admin ***** ***** ******* ** *** *****. ** ******** ******* most ***** *** ** **** **** **** **** *** ****** it ******* * *********** **** ** **** *** ********** *** recovery."
  • "*** ********* ****** ******. ** **** ** ** **** * password *** *** ***** ***** ******** **** *********."
  • "********* ***** ** ********** ******** ***** ***** *** ******** ** the ********. **** ****** ** ** ****** ***** ********."
  • "*** ******* ** ***** **** ** ** ********* **** ** install ******* ** *** ** * ******** ***** ******* *** our *******"

Solved **** *************

*** ***** ****** ********, ~**% ** ***** *** **** **** passwords **** *** * *********** *****, *** ** **** ************* of *********, ** **** ********* ***** ** ******** **** ***** password ***.

  • "** **** *** *** ******** ** *** ** *** *** customer ******* *** ****** ******."
  • "******* ** **** ** *** *******. **** **** *** ******** we ******** ** *** **** ** *********."
  • "*********... ** **** ** *** **** **** ******* ** *** installations ** * ******* ******** **** ** **** ***...*** **** can **** **** ********"
  • "**** ************ ****** *** **** **. ** *** ** **** a ******** ****** ** *** *****."
  • "*** * ****** *******. ** ** ******* **** * ****** of ******* ******** ** **** ** **** ** ****** **** they ****."
  • "** **** * ****** ** *** *********, ** *****'* ****** often ******."
  • "* ***'* ******** * ****** ********. ** ****** ******** *** credentials"
  • "*** *******. * ****** *** ************, **** **** *** ********** works *** ***** *** * ***** **** *** *** ******* of *** ******. * **** **** **** **** *********** *** login *********** *** ********* *** ** **** ** * **** place. ****** * **** ****** ******** ******* ***** ***** *********** and ***** *** ***** **** *** *** **** ** *** system. ***********, * ******** ********** *** *** **** **** **** this *******."

Rarely *******

*** **** ***********, ********* ********* *** * **** **********. **** may ** *** ** ******* **** *** ****** *********, ** other ************** ******* **** ****** ********* ************, ***** ********* ********* would ****** ** ******* ** *** ********* ** **********, ******* of *** **********.

  • "*** ***** ** ***. *** **** **** **, **'* * service ****. ** *** *** ******** ** ******* ********** *********** subscriptions ***** *** ******* ** ****** **** **** ********** ** the ***** ******."
  • "*% ****, ** **** *** *** ****** ******** ****** *** high ******* ******* ***** **** ** *** ***** ****."
  • "*** *********** ** *** ******* ****** **** *** ****** **** on ***** *******. ***** ******* *** ******* ******** *********, ** we ******* *** ****** ** ** **** ** **** *** in."
  • "** *** *** **** * *********** *****."
  • "*** ********* ****** ******. ** **** ** ** **** * password *** *** ***** ***** ******** **** *********."
  • "*** ***********; ** *** * ********* ******** ** **** *******, and **** ********* ** *** ****** **."
  • "*************. ****** *** ************* *** ********** **** ******* ****** *********."
  • "*** ***** *** **** ** **** ** ****** ** ********* it *** ****."

Significant ******* *********

*********** *** **** **** ********* ** * *********** ******* ***** relied ** ************ ******* ** ***** ** ***** **** ******** problems:

  • "**** ******. ** **** ** ************* ** **** **** **** of ******** *******. * **** ***** ********** * ******* ********** where ** *** ********** **** *** *** ***** ******** ** we *** ****** ****** *** *********, *** **** ********* ** not **** **** ****."
  • "*****. ** **** ***** * *** ** ****** **** ** their ****** ***** **** ******** ************* *** ****** ** *** be ******** **** **** ** ****."
  • "*** *** ************ *******"
  • "**** ***********, ** **** *********** ** **** *** ** ** automatically ****** *** ******** *** ***** *** **** **** *** password."
  • "***********, ** **** ****** *** *** *****. *** **** ***** and ********* *** ******** ** **** ** ************. ******* ******** with ************* *** **** ** ****. ** *** ******* ** customer *****, ********* **** ** *** *********. ****** ****** ****** typically ******* **** *********."
  • "**** **** ****** ** ***** *** ******* **** ***** ** document *** ********. **** ** ***** ****** *** ******** *** decided ** ****** ** ** ***** ***. ** **** **** we ******* *** *** ************ *** ********** ** * ******** reset."
  • "****** ******** **.* ** *** **** ******* *** *** ***** day. ** *** * **** *********. *** **** ******** ** just **** **** ** *** ****** ******** *** **** *** setup * *** ******** *** ***** ***** *******. "

Backup ***** ******* **** ****** ********

*********** ******** *****/*****-***** ******** *** ******** ******** ** * ********* accepted ****-********. ******* **** *********** (** ***** ********* ****) ** backup ************* ***** *** **** ** ********** ********** ** **** information, *** ** ********* *** * *********** ********. ** * minimum, *********** ****** **** *** ****** ** ********* **** * strong ***, *** *** **** ** ********-********** *******.

Manufacturer ******** ******** ******* ***********

******** ******** '********', **** ** ***********'* ****-**** ******** ********, ******** ******** *****, ****** ***** ** ******** **** ** ******. * ***** percentage ** *********** ********** ****-********* ** ******** ********* ***** ******** to ****** **** **** **** *********, *** ********** ************ ********* on **** ***** **** ****** *** ******* *******. ************* **** provide *****/******** ** ******* **** ***** ********* ** ** ** the ******* ** *** ******* ******** ** ***** *******, *** by *********, ***** *****. ***********, ** *****, **** *** ********* about *** ***** ******** ** ***** ******* ****** ******** ************* on *** ********* ** ******** ******** *********/*******, *** **** ******* consideration ** ***** ******** **** ***** ****.

Comments (10)

Alex Hackworth

09/15/17 01:34pm

***** *** ** *** ********* ***** ** ******** ******, *********, and *** ********* *** ** *** ********** *** ******** ******* that **** *** ******* ** **** *** ** *** ******* in *** *****. **** ****** **** *** *********** **** **** implemented **** *******?

Thumbnail 13391423 10154199592809754 9133287598977875009 o

Joshua Hendricks

Milestone Systems | In reply to Alex Hackworth | 09/17/17 09:14pm

*'* * *** *** ** ******** *** ******** ***, *** I ***** ****** *** ***** ** *** ******* ************* ** customer ********* ********* ** ** **********. **'* ***** ***** *** supports * ****** **************, *** *** *** ***** ********* ******* accounts ** ******.

******* ** * ***** ******* *********** ***, **** **** **** to **** * ******!

Thumbnail 395fbc4

Ricardo Souza

IndigoVision Ltd | IPVMU Certified | In reply to Joshua Hendricks | 09/18/17 01:38pm

* ******* ***** ******** ***** **'* ********* *** ***** ** KeePass ***** *** ***** **** *** **** **** ***** **** since.

******** *** **** ****** ******** ***** ** ******** ******** ******** already =(

Undisclosed Integrator #1

09/15/17 02:18pm

**

**** ** *** ******* *** * ******** *** **** ****** database **** **, ***** *** ******** **** *******...*** ********* **** we *** ***** ******, **** **********, *** *** **** ********* security ***** ****** *** ********

Undisclosed Manufacturer #2

09/16/17 08:10pm

* *** * ******** ********* "*******" *********, ****** ** *******.

*** ******* *****'* *** **** **** ***** *** ****** *** database ******** **** ***** *******, ***** *.*. "***************". * ***** there *** **** *** *** ***. *** ******* ** *** supported ****.

** ***** *** ** ☺️

Deepak C Shankar

eSecProfession | 09/17/17 08:45pm

****** ********* ******** *** ***** * ********* ******, *** ***** forget ******** ****** **** **** /**** **** ********,****** * **** (example: **-******-********************************-************.*** ) *** **** **** ** ***** ********* ******* team, **** **** ****** *** **** ***** **** (*******:**********.***). ****** this *** ***** *** *******. ** ******** *****.

Thumbnail 395fbc4

Ricardo Souza

IndigoVision Ltd | IPVMU Certified | 09/18/17 01:37pm

* ***** ********* *** ** ***** *** **** **********/********** ******** Management *********, **** *** *** **** *** ** ****** *******, etc...

********:

  • ****
  • *******
  • ********
  • ******

Undisclosed Manufacturer #3

09/18/17 09:36am

*** ***** ** *** ****** ** *** ********, *****?

********. *** *** ******* ***** **** ****** ** *** **** physical ****** ** *** *******.

********. *** *** ******* ******** ******** ** *** **** "*************" type ****** ** *** **. *******: ****://*************.*****.***/*****-*******-********-********-******-*****.****

**, *** ** *** ******** *********** ****** "****** ********" ( I ****** ***** *** **** ******** *** ***** ********) ** save ********* ** ****** **** *****?

*** *** ****, **** ******** **** *** ***** ** ******* admin ******** ****** ** ***** ********?

*'* *** ** *** ************:-) ** ***** ** ******* ***** password **(*** **** **) *** **** ***** ****** ** *** machine **. ***, ** *** **** **, *** *********** *** do ******** ******... *** ** ***** ** *****?

Undisclosed Manufacturer #2

In reply to Undisclosed Manufacturer #3 | 09/18/17 09:48am

* ***** **** ***. ** *** **** **** ****** ** the *******, *** *** ** **********.

*** ** **** ***** (*.*. ******** ***** ***** ***/***), *** have ** ****** ** *** ****** ***** (***** **** *** manufacturer ******* ***** **-********), ** **** **** *** **** ****** accounts ** * **** ******** ******* ** ******* **** ********* on *** *****.

Undisclosed Manufacturer #3

In reply to Undisclosed Manufacturer #2 | 09/18/17 09:53am

* ***** ********** ** ***** ******* *** ****** *** ***/***.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
Dedicated Vs Converged IP Video Networks Statistics on Sep 12, 2017
'Convergence' has been a major industry theme for many years. All organizations have IP networks today with laptops, tablets, phones and more...
Favorite Integrator Tablets 2017 on Sep 11, 2017
What percentage of integrators use tablets? Which tablets do they prefer? Apple? Android? Windows? Tablets have become popular integrator tools...
Favorite Network Termination Tools on Sep 06, 2017
Thomas Carlyle said "Man is a tool-using animal. Without tools he is nothing, with tools he is all." For security integrators, their tools are...
CNL PSIM Profile on Sep 06, 2017
CNL has been one of the strongest advocates for PSIM, as one of the earliest entrants into the market releasing their command and control software...
Low Cost, Low-End Competitors Challenge SMB Surveillance Market on Sep 01, 2017
SMB video surveillance systems are a tough market. From IPVM's new survey results of 135 integrator responses, we have identified the key...
Favorite SMB Recorder Manufacturers 2017 on Aug 28, 2017
Low cost cameras have been a major force in the small to medium business (SMB) market (as our 2015 SMB favorites and 2017 SMB camera favorites)...
Favorite SMB Camera Manufacturers 2017 on Aug 25, 2017
Small to Medium Businesses (SMB) have been hotly pursued by lower-cost entrants over the past few years. Nowhere has that been as strong a factor...
IP Camera Cabling Testing Statistics on Aug 22, 2017
Test and certify, or crimp and pray? Some integrators certify every cable they run, while others only inspect cables that have video issues. 130...

Most Recent Industry Reports

Reseting IP Cameras - 30 Manufacturer Directory on Sep 22, 2017
Every camera has a reset button (well, almost) but it is not always clear what these buttons do, how long they need to be held, what settings they...
80+ OEMs Verified Vulnerable To Hikvision Backdoor on Sep 22, 2017
Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the...
Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Genetec CEO Warns Against Insider Threats on Sep 21, 2017
With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged. Just put them behind a firewall, buy cheap...
New IPVM Calculator V3 Released on Sep 20, 2017
The New IPVM Calculator V3 is released. An entirely new architecture delivers the following benefits: Turbo The calculator is now ~50% faster in...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
'Clowns' Allege Ubiquiti 'Completely Fraudulent' on Sep 20, 2017
A short seller has alleged Ubiquiti is 'completely fraudulent'. Ubiquiti's CEO has responded calling them 'clowns'. Here is the short...
Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact