Editorial

Passwords Passwords Passwords

Published on:

April 26, 2013

Passwords remain a crucial vulnerability despite the best security measures. Even with technologies like TLS, SRTP, and certificates securing phone calls, weak passwords still expose systems to attacks. Hackers use automated scanners to find open SIP ports and exploit weak passwords. To address this, snom ONE 5.0.9 now highlights accounts with weak passwords and shows what's vulnerable. While the system can generate secure passwords, administrators must avoid “No Security” settings to prevent exposure. Implementing strong password policies is a key defense against unauthorized access and potential system misuse.

For those who have a flashback when they see the title: you are right. This is not the first time I'm writing about passwords.

But passwords remain a major problem. We add fancy things like TLS, certificates, SRTP, and all kinds of things to make phone calls as secure as possible, then users use passwords like “password”. Passwords remain the Achilles' heel of securing the system.

As long as you run the PBX in a trusted environment, trivial passwords are convenient and usually nothing happens. But once you expose the system to the public internet, things can change. There are scanners out there that act like sharks smelling blood. Once they find an open SIP port, they try out accounts - once they find one, they try out passwords - everything automated and password lists like “password”, “secure”, “verysecure” and so on. Once they're able to get access, they reprogram their least cost routers and route the traffic through your system. Innocent people making calls to some expensive destinations might be using your system.

In 5.0.9 we added a feature, and then improved it, that shows which accounts have weak passwords. We don’t only show which account may be exposed, but we also show what's vulnerable. This all depends on the password policy of the system. Again, if you decide to set that to “accept anything”, there isn't much the system can do.

We also have other features that make extensions secure - for example, a dropdown in the accounts view that generates long passwords and PINs that are difficult to guess. Also, when the system starts up, it generates initial passwords that are also quite random. Entering new passwords is governed by the global system setting of the password policy. This is set to “medium”. Administrators changing this to “No Security” must know they are potentially exposing the system to scanners, just for the convenience of entering simple passwords.

Large IT companies like Google are in discussions about introducing new authentication methods (such as two-factor authentication). If you think about how many email accounts a company has and how much work it will be to change the authentication for all of them, you'll understand how serious the problem is and how serious these companies take the problem. Passwords and PINs are something the PBX user knows; when it comes to something the user has, however, things get trickier in PBX environments. Many users have a VoIP phone with a certificate, and we are already using the certificate built into the phone to authenticate the device. So when a user is using a phone provisioned using a manufacturer certificate in the phone, and the user has to enter a PIN when making an international call, then we have a two-factor authentication. This can already be the reality today with snom ONE. It doesn't solve the problem, however, of customers using soft phones or phones that don’t have a certificate built-in. Also, realistically, entering a PIN for every outbound call would make a user's life harder than it has to be.

We will have to see in the future if we, for example, allow international calls only from devices with a built-in certificate. Or at least something like international calls can be made only from phones automatically provisioned and with a security token loaded into the device.

The bottom line for me is administrators should keep their password policy at “medium”. Strong passwords are a huge step in the right direction.

Latest Articles

View All

Transforming Customer Service: Vodia PBX Integrates Seamlessly with Freshdesk

Vodia PBX now integrates seamlessly with Freshdesk, an AI-powered customer service platform used by over 73,000 companies worldwide. This integration combines intelligent ticketing and automation with enterprise-grade telephony, enabling automatic contact creation, detailed call tracking, and streamlined agent workflows. By improving call center efficiency and customer interaction management, it helps businesses enhance productivity and customer satisfaction. Vodia continues to strengthen its ecosystem with integrations to leading business software, delivering top-tier cloud PBX solutions.

July 29, 2025

Prepaid Cloud Instances: The Future of PBX Deployment

Prepaid cloud instances are transforming how PBX systems are deployed by offering a faster, simpler, and more flexible approach. With Vodia PBX now available on AWS, Azure, and DigitalOcean, businesses can launch a fully licensed, production-ready phone system in just minutes, without complicated setup or licensing delays. These preconfigured environments allow IT teams, decision-makers, and MSPs to test real-world VoIP performance, MS Teams integration, and mobile apps directly within their own cloud account. By removing traditional friction and offering full control, Vodia’s prepaid cloud instances provide a smarter and more efficient way to evaluate and deploy a modern PBX.

July 25, 2025

Vodia to Attend ChannelCon 2025

Vodia will participate in ChannelCon 2025, taking place in Nashville, TN, from July 29 to 31, with Sales Engineer Eric Altman attending on behalf of the company. ChannelCon, hosted by the Global Technology Industry Alliance (GTIA), is the premier vendor-neutral event dedicated to the worldwide IT channel. It brings together MSPs, service providers, vendors, and distributors for three days of expert panels, networking sessions, and special events designed to foster innovation and collaboration in the tech industry. Altman will highlight Vodia’s latest CRM integrations underscoring Vodia’s commitment to equipping partners with dynamic, enterprise-grade phone systems.

July 24, 2025