Which URL did you try when accessing directly in the browser? The embedded username password (username:passwrd@192.168.1.120/XXX) is not longer supported in most modern browsers, so I was basically suggesting the URL without the the embedded credential before the ip address.
http://192.168.1.120/cgi-bin/snapshot.cgi?chn=1&u=admin&p=admin
http://192.168.1.120/cgi-bin/snapshot.cgi?loginuse=admin&loginpas=admin
It sounds like you were able to access the camera image after input your credential in the prompt, so you may have to reach out to Lorex support, if the username/password can be attached as parameters in the ULR and what the format is. (You will need to test it again in the incognito mode since the credential might be cached from your last successful login.)
The Mixed-Content issue occurs when non-SSL content (http:192.168.1.20 your local camera ip) is being rendered in a SSL enabled site (SharpTools.io), so you are likely to run into this if you are using Chrome v85+ in this case.
But I agree with you that you will need to resolve the login prompt issue first, then verify if you have the Mixed-Content issue.