Dave Platt wrote:
>> SIP was written in such a way that the hashes it sends for passwords
>> could, with only a trivial rewrite of the server code, be SHA1 instead
>> of MD5 -- which would increase security to the level that, currently, it
>> would be far more trouble than it's worth to even bother to attempt to
>> crack.
>
> I strongly doubt that the known weaknesses in the MD5 hash are
> the "weak point" in SIP account security.
>
> Weak passwords are almost certainly much more of a problem. Performing
> a dictionary attack is going to be a lot faster than attempting
> a brute-force mathematical attack against MD5... and switching from
> MD5 to SHA-1 provides no significant defense against dictionary
> attacks.
>
> The only good way to keep passwords secure against dictionary attacks,
> is to make sure that the passwords aren't guessable by that means...
> no common words, no names, no simple permutations or birthdates or
> anything like that. Use a decent random-number generator and
> number-to-character conversion algorithm to generate SIP passwords
> that are sufficiently long and very dtr8fbwf_==...@\.-+!n$ and you'll
> be well defended.
>
I'm referring to the weak link in the SIP protocol. Not in Asterisk's SIP accounts. The question was whether or not SIP itself was secure.

--
Neil Fusillo
CEO
Infinideas, inc.
http://www.ideasip.com

asterisk-users mailing list
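
The advice in the quoted message (keep guessable passwords out, generate secrets with a random-number generator), as an added example that is not part of the original thread: it audits `secret=` lines in a constructed sip.conf-style sample and generates replacements. The word list, the 12-character minimum, the character set and all function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: ';' is excluded because it starts a comment in Asterisk configs.
ALPHABET = string.ascii_letters + string.digits + "_=.@-+!$"
COMMON_WORDS = {"welcome", "password", "asterisk", "secret", "changeme"}

# Constructed sample accounts, not taken from the thread.
SAMPLE_SIP_CONF = """\
[1001]
secret=1001
[1002]
secret=welcome ; set during provisioning
[1003]
secret=dtR8fbWf_==q.@-+!n$Zx4
"""

def generate_secret(length=24):
    """Pick each character with the OS CSPRNG (secrets.choice is unbiased)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random secret of this length."""
    return length * math.log2(alphabet_size)

def weak_reason(account, secret):
    """Return why a secret is guessable, or None if no rule matches."""
    lowered = secret.lower()
    if lowered == account.lower():
        return "same as account name"
    if secret.isdigit():
        return "digits only"
    if lowered.strip(string.digits) in COMMON_WORDS:
        return "common word"
    return "shorter than 12 characters" if len(secret) < 12 else None

def audit(conf_text):
    """Map each account whose secret= value is weak to the reason."""
    findings, account = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if line.startswith("[") and line.endswith("]"):
            account = line[1:-1]
        elif account and line.replace(" ", "").startswith("secret="):
            reason = weak_reason(account, line.split("=", 1)[1].strip())
            if reason:
                findings[account] = reason
    return findings
```

The entropy figure depends only on length and alphabet size, which is why it is the same whether the digest on the wire is MD5 or SHA-1.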
