I've heard of vendors putting routines in their firmware which allow login based upon an acccount/password generated off the item's mac address.
Herospeed (firmware developers for Longse/CantonK/Besafe etc) have something like this built into their 7.x series firmware to enable the telnet daemon, which is no longer running by default.
It takes the camera MAC address, the version of firmware installed, does a bit of shuffling, including an XOR with the characters of the word "KCUF" (!).
I assume they have made an app that does the same manipulation so that the challenge to the UserID Lucky787 on HTTP port 787 can be answered.
Then you'd have to know the root password, unless you've cracked the hash you can get from the firmware download.
And all a bit pointless really, as due to poor implementation logic you need none of that to re-enable telnet.
I did chuckle a bit when I looked at that - after buying a Besafe IMX290 varifocal camera and finding telnet access had been removed.
I do like to be able to get inside and have a look around, it gives you a strange feeling when you can't.