Editorial

Passwords Passwords Passwords

Published on: April 26, 2013

Passwords remain a crucial vulnerability despite the best security measures. Even with technologies like TLS, SRTP, and certificates securing phone calls, weak passwords still expose systems to attacks. Hackers use automated scanners to find open SIP ports and exploit weak passwords. To address this, snom ONE 5.0.9 now highlights accounts with weak passwords and shows which part is vulnerable. While the system can generate secure passwords, administrators must avoid “No Security” settings to prevent exposure. Implementing strong password policies is a key defense against unauthorized access and potential system misuse.

For those who have a flashback when they see the title: you are right. This is not the first time I am writing about passwords.

But passwords remain a major problem. We add fancy things like TLS, certificates, SRTP and all kinds of mechanisms to make phone calls as secure as possible, and then users pick passwords like “password”. Passwords remain the Achilles' heel of securing the system.

As long as you run the PBX in a trusted environment, trivial passwords are convenient and usually nothing happens. But once you start to expose the system to the public internet, things can change. There are scanners out there that act like sharks smelling blood. Once they find an open SIP port, they start trying out account names, and once they find one, they try out passwords. Everything is automated, and the password lists include entries like “password”, “secure”, “verysecure” and so on. Once they have gained access, they reprogram their least-cost routers and route their traffic through your system. Innocent people making calls to expensive destinations might be using your system.

In 5.0.9 we brought back and improved a feature that shows which accounts have weak passwords. We don’t only show which account may be exposed, but also which part of the password is weak. This all depends on the password policy of the system. Again, if you decide to set that to “accept anything”, there is not much the system can do.

We also have other features that make extensions secure, for example a dropdown in the accounts view that generates long passwords and PINs that are difficult to guess. Also, when the system starts up, it generates initial passwords that are quite random. Entering new passwords is governed by the global system setting for the password policy. This is set to “medium”. Administrators changing this to “No Security” must know that they are potentially exposing the system to scanners, just for the convenience of entering simple passwords.
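As an added example, not code from snom ONE: a small Python checker in the spirit of the weak-password highlighting and the password/PIN generator described above, reporting which part of a password fails a given policy level. The policy names, their thresholds and the common-word list are assumptions; the actual snom ONE rules are not given here.

```python
import re
import secrets
import string
# Assumed policy levels (hypothetical; "none" stands in for the "No Security" setting).
POLICIES = {
    "none":   {"min_len": 0,  "classes": 0, "reject_common": False},
    "medium": {"min_len": 8,  "classes": 3, "reject_common": True},
    "high":   {"min_len": 12, "classes": 4, "reject_common": True},
}
COMMON_WORDS = {"password", "secure", "verysecure", "1234", "admin"}  # constructed sample
CLASS_PATTERNS = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
                  "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def check_password(password, policy="medium"):
    """Return the weak parts of `password` under `policy`; [] means it passes."""
    rules = POLICIES[policy]
    weak = []
    if len(password) < rules["min_len"]:
        weak.append(f"length {len(password)} < {rules['min_len']}")
    present = {n for n, pat in CLASS_PATTERNS.items() if re.search(pat, password)}
    if len(present) < rules["classes"]:
        missing = sorted(CLASS_PATTERNS.keys() - present)
        weak.append("missing character classes: " + ", ".join(missing))
    if rules["reject_common"] and password.lower() in COMMON_WORDS:
        weak.append("in common password list")
    return weak

def check_pin(pin, min_len=6):
    """Flag short, single-digit or ascending/descending-sequence PINs."""
    weak = []
    if len(pin) < min_len:
        weak.append(f"length {len(pin)} < {min_len}")
    if len(set(pin)) == 1:
        weak.append("repeated digit")
    if pin in "01234567890123456789" or pin in "98765432109876543210":
        weak.append("sequential digits")
    return weak

def generate_password(length=16):
    """Draw from the OS CSPRNG until the candidate passes the 'high' policy."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, "high"):
            return candidate

def generate_pin(length=8):
    """Random numeric PIN, retried until check_pin() finds nothing to flag."""
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if not check_pin(pin):
            return pin
```

Running `check_password("password")` under the assumed "medium" policy reports both the missing character classes and the common-word hit, while the same call under "none" reports nothing, which is the point the text makes about an "accept anything" policy.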

Large IT companies like Google are discussing the introduction of new authentication methods such as two-factor authentication. If you think about how many email accounts Google has and how much work it will be to change the authentication for them, you will understand how serious the problem is and how seriously those companies take it. Passwords and PINs are something that the PBX user knows; however, when it comes to something that the user has, things get trickier in PBX environments. Many users have a VoIP phone with a certificate, and we are already using the certificate built into the phone to authenticate the device. So when a user is using a phone that was provisioned using the manufacturer certificate in the phone, and the user has to enter a PIN when making an international call, then we have two-factor authentication. This can be the reality today with snom ONE already. However, it does not solve the problem of customers using soft phones or phones that don’t have a certificate built in. Also, realistically, entering a PIN for every outbound call makes users' lives harder than they have to be.

We will have to see in the future whether we, for example, allow international calls only from devices that have a certificate built in, or at least only from phones that were automatically provisioned and had a security token loaded into the device.

For today, the bottom line for me is that administrators should keep their password policy at “medium”. Having good passwords would already be a huge step in the right direction.
