Hikvision Adds Self Serve Password Reset

By Ethan Ace, Published Nov 01, 2016, 09:14am EDT (Research)

Lost passwords can be a big problem, forcing users to either factory default the device, losing configurations and recorded video, or spend time dealing with tech support.

Now, Hikvision has introduced self serve password reset, using challenge questions similar to many online services. We tested this new feature, examined how it works, what to watch out for, and how it compares to other manufacturers.

Security Question Setup

These features are found in firmware 3.4.90 and above, available now on many Hikvision recorders. This process is not yet available for IP cameras.

Users set up their security questions via the User Management menu of the device's web interface. Note that this process cannot be performed via the local (monitor/mouse connected) interface. Users with local access only may export a "GUID" file which can later be used to reset the password via USB thumb drive (this may also be done via the web interface, seen below).

Users must select three questions, from a list of 15 different options, seen below. Note that questions are selected from a pre-defined list. No custom questions may be created.

The list of questions is typical of many challenge question systems, asking personal questions of the user. Some of this information is relatively easy to find about a given individual (such as a father's or mother's name, or even teacher names). However, some options are unlikely to be known, found, or guessed.

Responses to these questions may be multiple words, as shown in the demo below. Users should be careful to check spelling, as there is no verification of these answers.

Password Reset

Users reset their password by clicking the "forgot password" link on the device's login page or SADP. After answering the challenge questions, users enter a new password and are returned to the login screen, demonstrated below.

GUID File Use

Users may also reset their password by uploading a "GUID" file exported when the password was created. This is the only self serve option offered for those using the recorder's local interface (mouse and monitor). Users choose "forgot password" and upload this file via USB drive to the recorder, which then allows them to create a new password.

However, note that this GUID file must be created each time the admin password is changed. Otherwise, the process will not work and users must contact tech support. 

Compared to Past Process

In the case of lost password, Hikvision has historically required users to contact tech support with the serial number of the device (or an emailed .xml file containing this information). Users are then issued a reset code which restores the admin password to default. However, in some cases, this process has been known to fail, requiring additional time on calls with support. 

In preparation for this test, we contacted Hikvision tech support with this very issue, and found that resolution took about 1.5 hours total, including initial emails, calls, and hold time.

Compared to Others

Few other manufacturers include a password reset process like this. Manufacturers typically require users to either contact tech support (as Hikvision has in the past), which can consume significant time depending on hold time, or reset the device to factory default, which may delete recordings.

The self serve method is not without risk, mainly of someone guessing answers to security questions. However, the vast majority of users are likely to prefer this risk to potentially losing video or enduring extended hold times with tech support.

Dahua Self Serve - Local Interface Only

New Dahua recorders include security question setup, as well, but with key weaknesses compared to Hikvision.

This setup requires only two questions, and allows you to enter a custom question (which Hikvision does not allow).

However, this setup can be done only via the local interface, using a mouse only, as keyboards are not supported. This setup is not found in the web interface.

 
