I believe the rule-based password is not a bad idea. I don't believe you want a system configured with a rule-based password, EXCEPT at startup. If you are rolling out a system, you need a method to train end users, and a method of having them go back to their desk and log onto their new voicemail. It should be changed immediately by that end user. If a voicemail gets hacked because someone didn't change their password - they own the consequences. There comes a point where reasonable implementation strategies and responsible stewardship of your own user account have to meet.

From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Albershardt
Sent: Saturday, July 28, 2012 10:11 AM
To: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Default password / pin policy

On Jul 28, 2012, at 6:32, Mircea Carasel wrote:

As long as sipxecs/openuc doesn't ship with a well-known default password. Hackers would write scripts to test logins with those passwords. If the feature didn't work until an admin specified a default password, that would be fine.

Yes, so when sipxecs is shipped, there won't be any default password set. The admin is the only one that can specify the default password. When sipxecs is shipped, the default policy will be blank password (admin will have to write passwords).

Another thing that we can do is to drop the default password thing, and have the default password policy just enable a rule for creating passwords, for example: extension followed by character 0 up to 4 characters for voicemail pin, up to 8 characters for password.

Rule-based defaults will still get hacked, even by casual users within the organization. As long as the admin can define either a static or rule-based system default I think this works.
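
An added example, not part of the thread and not sipXecs code: an admin-side audit that flags accounts whose voicemail PIN or password still equals the rule-derived default, so those users can be forced to change it. It assumes one reading of the rule quoted above (extension right-padded with "0" to 4 or 8 characters) and a hypothetical record layout with salted PBKDF2 hashes; the sample users are constructed.

```python
import hashlib
import hmac
import os

# (field name, padded length) taken from the rule discussed in the thread
RULE_FIELDS = (("pin", 4), ("password", 8))

def rule_default(extension, length):
    """Extension right-padded with '0' to `length` (assumed reading of the rule).
    An extension already at or past `length` is returned unchanged."""
    return extension.ljust(length, "0")

def hash_secret(secret, salt):
    """Hypothetical storage format: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

def still_default(user):
    """Return the credential fields that still match the rule-derived default."""
    hits = []
    for field, length in RULE_FIELDS:
        salt, digest = user[field]
        candidate = hash_secret(rule_default(user["extension"], length), salt)
        if hmac.compare_digest(candidate, digest):
            hits.append(field)
    return hits

def audit(users):
    """Map extension -> unchanged fields, only for accounts with at least one hit."""
    report = {}
    for user in users:
        hits = still_default(user)
        if hits:
            report[user["extension"]] = hits
    return report

def _stored(secret):
    """Build a (salt, digest) pair the way the hypothetical store would hold it."""
    salt = os.urandom(16)
    return salt, hash_secret(secret, salt)

# Constructed sample data, not taken from any real system.
SAMPLE_USERS = [
    {"extension": "201", "pin": _stored("2010"), "password": _stored("k7#Rw!pLq2")},
    {"extension": "202", "pin": _stored("8451"), "password": _stored("Vt9$mmZa41")},
    {"extension": "1234", "pin": _stored("1234"), "password": _stored("12340000")},
]

if __name__ == "__main__":
    for ext, fields in audit(SAMPLE_USERS).items():
        print(f"extension {ext}: still rule-default -> {', '.join(fields)}")
```

Run after rollout and again after the training window; any extension still listed is a candidate for a forced change or a temporary lock.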
