Hikvision Adds Self Serve Password Reset

By: Ethan Ace, Published on Nov 01, 2016

Lost passwords can be a big problem, forcing users to either factory default the device, losing configurations and recorded video, or spend time dealing with tech support.

Now, Hikvision has introduced self serve password reset, using challenge questions similar to many online services. We tested this new feature, examined how it works, what to watch out for, and how it compares to other manufacturers.


Security ******** *****

***** ******** *** ***** in ******** *.*.** *** above, ********* *** ** many ********* *********. **** process ** *** *** available *** ** *******.

***** *** ** ***** security ********* *** *** User ********** **** ** the ******'* *** *********. Note **** **** ******* cannot ** ********* *** the ***** (*******/***** *********) interface. ***** **** ***** access **** *** ****** a "****" **** ***** can ***** ** **** to ***** *** ******** via *** ***** ***** (this *** **** ** done *** *** *** interface, **** *****).

***** **** ****** ***** questions, **** * **** of ** ********* *******, seen *****. **** **** questions *** ******** **** a ***-******* ****. ** custom ********* *** ** created.

*** **** ** ********* is ******* ** **** challenge ******** *******, ****** personal ********* ** *** user. **** ** **** information ** ********** **** to **** ***** * given ********** (**** ** father ** ******'* **** or **** ******* *****). However, **** ******* *** unlikely ** ** *****, found, ** *******.

********* ** ***** ********* may ** ******** *****, as ***** ** *** demo *****. ***** ****** be ******* ** ***** spelling, ** ***** ** no ************ ** ***** answers.

Password *****

***** ***** ***** ******** by ******** *** "****** password" **** ** *** device's ***** **** ** SADP. ***** ********* *** challenge *********, ***** ***** a *** ******** *** are ******** ** *** login ******, ************ *****.

GUID **** ***

***** *** **** ***** password ** ********* * "GUID" **** ******** **** the ******** *** *******. This ** *** **** self ***** ****** ******* for ***** ***** *** recorder's ***** ********* (***** and *******). ***** ****** "forgot ********" *** ****** this **** *** *** drive ** *** ********, which **** ****** **** to ****** * *** password.

*******, **** **** **** GUID **** **** ** created **** **** *** admin ******** ** *******. Otherwise, *** ******* **** not **** *** ***** must ******* **** *******. 

Compared ** **** *******

** *** **** ** lost ********, ********* *** historically ******** ***** ** contact **** ******* **** the ****** ****** ** the ****** (** ** emailed .*** **** ********** this ***********). ***** *** then ****** * ***** code ***** ******** *** admin ******** ** *******. However, ** **** *****,**** ******* *** **** known ** ****, ********* ********** **** on ***** **** *******. 

** *********** *** **** test, ** ********* ********* tech ******* **** **** very *****, *** ***** that ********** **** ***** ~1.5 hours *****, ********* ******* emails, *****, *** **** time.

Compared ** ******

*** ***** ************* ******* * password ***** ******* **** ****. Manufacturers ********* ******* ***** to ******* **** ******* (as ********* *** ** the ****), ***** *** consume *********** **** ********* on **** ****, ** resetting *** ****** ** factory *******, ***** *** delete **********. 

*** **** ***** ****** is *** ******* ****, mainly ** ******* ******** answers ** ******** *********. However, *** **** ******** of ***** *** ****** to ****** **** **** to *********** ****** ***** or ******** **** ***** with **** *******.

Dahua **** ***** - ***** ********* ****

*** ***** ********* ******* security ******** *****, ** well, *** **** *** weaknesses compared ** *********.

**** ***** ******** **** two *********, *** ****** you ** ***** * custom ******** (***** ********* does *** *****).

*******, **** ***** *** be **** **** *** the ***** *********, ***** a ***** ****, ** keyboards *** *** *********. This ***** ** *** found ** *** *** interface.

 


Comments (10)

Note, we just unboxed a Dahua CVI DVR for testing and were presented with security question options on the local monitor interface:

This setup requires only two questions, and allows you to enter a custom question (which Hikvision does not allow).

However, this setup can be done only via the local interface, using a mouse only, as keyboards are not supported. This setup is not found in the web interface.

...but with key weaknesses compared to Hikvision.

What are the key weaknesses compared to Hik? That it's local? Isn't that a lot safer?

Two custom questions sound more secure and easier to remember than three stock ones, no?

Sure, two custom questions sounds more secure. But self serve password reset isn't a security feature. It's a convenience feature. It makes the unit less secure, by nature.

So, because it's mouse only, the vast majority of users are unlikely to take the time to peck out two custom questions and answers using the mouse. I would bet the vast majority of users are unlikely to take the time to peck out answers to the standard questions, even, since you can just skip it.

If you make a feature this inconvenient to use, no one is going to use it. If they start supporting keyboards via USB, different story.

Ah, yes that does suck. Probably why my camera names are still unchanged. Maybe,

question: QWERTY
answer: ASDFGHJKL;

;)

I don't think this is positive. Users are already reluctant to change default passwords, they'll almost always go for the road with the least resistance.

These are supposed to be security devices so I don't mind it to be not too easy to recover a password. Should have stored it in a safe place to begin with no?

Cyber hardening and password management, this is good. We all got to start somewhere.

Why don't recorders have a random generated password option.

After its creation, then why not just create as a OSD QR Code, so you can then decode onto smart phone, a copy/paste into a text file. Email to customer later, or keep in a notepad or something.

painful tricky annoying! you bet, it's a security device.

A lot of home grown P2P cameras have some QR code scan generator, even some will read code from a camera and then authorise for a connection. Something where you don't need use those rubbish mouse keyboards which delay using.

I think human error with passwords, especially when you grow older you never remember, except only weak ones!

Resetting a password needs some thought. XML files creation email etc, is indeed annoying,

I'm not personally akin to having what's person info with what looks like a website kind of Q&A, Home use maybe not such an issue, professional use, does kind of make product feel like it's not destined for pro/corporate use.

Both D&H have respectable Apps, so why not knock up a simple device password App, for installers can assign groups / devices / customers etc, have a master set of data, be able to assist customers quickly simply.

Just to help developers here is a simple password generator code to get you on the right track!

http://stackoverflow.com/questions/1497481/javascript-password-generator

Last point would naturally be after such password is made, you are forced to try it, maybe after three fails you got reset it again! as how many times you swear the password you entered twice was one you set online!!

Is tech support still available?

Someone who's lost their KeePass may have lost their security questions as well.

That is the crux of the problem. Who knows what info the installing Tech put in. If they don't remember the password they won't remember who entered the security questions. Is it the tech, the supervisor, the end user, the IT guy??

You know people will end up putting in dummy data for each onend: abc123 or 12345, if it lets you.

You know people will end up putting in dummy data for each onend: abc123 or 12345, if it lets you.

Yes, whenever possible I answer all security questions with one answer, Kilroy.

  • Name of High School - Kilroy
  • Mothers Maiden Name - Kilroy
  • Favorite Pet - Kilroy
  • Town you were born - Kilroy

Custom questions:

  • Who was Kilroy's brother? Kilroy
  • Who was here? Kilroy

No one can guess no matter how well they know you.

Don't tell anyone mine, plz.
