On Jul 28, 2012, at 6:32, Mircea Carasel wrote:

> As long as sipxecs/openuc doesn't ship with a well known default
> password. Hackers would write scripts to test logins with those
> passwords. If the feature didn't work until an admin specified a
> default password, that would be fine.
>
> Yes, so when sipxecs is shipped, there won't be any default password set. The
> admin is the only one that can specify the default password.
> When sipxecs is shipped, the default policy will be blank password (admin
> will have to write passwords).
> Another thing that we can do is to drop the default password thing, and the default
> password policy just to enable a rule of creating passwords, for example:
> extension followed by character 0 up to 4 characters for voicemail pin, up to
> 8 characters for password

Rule-based defaults will still get hacked, even by casual users within the organization. As long as the admin can define either a static or rule-based system default I think this works.
_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
