[asterisk-bugs] [Asterisk 0014495]: [patch] Enforce password strengths

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Feb 19 05:18:24 CST 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14495 
====================================================================== 
Reported By:                Corydon76
Assigned To:                jsmith
====================================================================== 
Project:                    Asterisk
Issue ID:                   14495
Category:                   Channels/chan_sip/General
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     assigned
Asterisk Version:           SVN 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-02-17 16:54 CST
Last Modified:              2009-02-19 05:18 CST
====================================================================== 
Summary:                    [patch] Enforce password strengths
Description: 
[11:23:31] <Shaun2222> jsmith: the problem is that these newbies are going
to also set weak passwords
[11:24:15] <Shaun2222> that option these days should be "yes" by default.
[11:24:35] <jsmith> Shaun2222: We can't protect people from themselves...
at some point, they should be responsible for their own choices.
[11:24:36] <Shaun2222> security is far more important than some newbie
trying to figure out what he did wrong.
[11:25:09] <jsmith> Shaun2222: That's not to say security isn't
important... I'm just saying there's only so much we can do to prevent them
from being insecure in their choices.
[11:25:39] <Corydon76-dig> You mean like ALL NUMERIC PASSWORDS?
[11:26:17] <Corydon76-dig> All numeric usernames aren't much better.
[11:26:29] <Shaun2222> jsmith: something like that needs to be on by
default.   if a newbie can't figure out what's wrong with their SIP phone
then he can enable that option.
[11:27:04]  Corydon76-dig thinks we should have an option called
"enablenumericpasswords" and the default should be "no"
[11:27:20] <Shaun2222> so.. how can we get this option enabled by
default.. do i need to submit a bug or something?
[11:27:42] <Corydon76-dig> Shaun2222: honestly, it would only be changed
in unreleased branches
[11:28:02] <Corydon76-dig> Changing defaults in the middle of a release
cycle is bad, mmmkay?
[11:28:18] <Corydon76-dig> so maybe 1.6.1
[11:28:20] <Shaun2222> Corydon76-dig: might as well make the change now
for the new installs....
[11:28:39] <Shaun2222> next release would have the change, as people
upgrade, it will be enabled.
[11:28:50] <Shaun2222> if they are already authing ok, it shouldn't affect
them
[11:29:09] <jsmith> Shaun2222: When people upgrade, they often don't start
from a new config file... they typically just copy over their old config
[11:29:34] <Shaun2222> jsmith: exactly why that should default to "yes" so
the option is enabled automatically.
[11:29:39] <jsmith> Corydon76-dig: I do like the idea of the
enablenumericpasswords setting.
[11:30:10] <jsmith> Corydon76-dig: Or even better, make it
"enableweakpasswords" and do some more sanity checking than just "is it
numeric and less than X digits long"
[11:31:05] <Corydon76-dig> jsmith: at least one capital letter, one
lowercase letter, a number, and a symbol... and no less than 8 characters
long
[11:31:22] <jsmith> WORKSFORME
====================================================================== 
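The strength rule Corydon76-dig and jsmith settle on at the end of the log (at least 8 characters, with at least one uppercase letter, one lowercase letter, one digit and one symbol) can be expressed as a small check that a config loader would run over each peer's secret. The block below is an added illustration written for this page; it is not the patch attached to this issue and not Asterisk's own code. The function names, the bit flags and the "enableweakpasswords" argument are assumptions made for the example, and it also flags the all-numeric case raised earlier in the discussion.

```c
/* Added example, not Asterisk source: password-strength check following
 * the rule proposed in the IRC log (>= 8 chars, upper, lower, digit,
 * symbol), plus a flag for the all-numeric case. Names are assumptions. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MIN_LEN 8

/* Bit flags describing why a secret is weak; 0 means it passes. */
enum pw_weakness {
    PW_OK          = 0,
    PW_TOO_SHORT   = 1 << 0,
    PW_NO_UPPER    = 1 << 1,
    PW_NO_LOWER    = 1 << 2,
    PW_NO_DIGIT    = 1 << 3,
    PW_NO_SYMBOL   = 1 << 4,
    PW_ALL_NUMERIC = 1 << 5,
};

/* Return a bitmask of every criterion the secret fails. */
int password_weakness(const char *pw)
{
    size_t len = strlen(pw), ndigits = 0;
    int has_upper = 0, has_lower = 0, has_symbol = 0;
    int flags = PW_OK;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) pw[i];
        if (isupper(c))      has_upper = 1;
        else if (islower(c)) has_lower = 1;
        else if (isdigit(c)) ndigits++;
        else if (isgraph(c)) has_symbol = 1; /* printable, not alnum, not space */
    }

    if (len < PW_MIN_LEN) flags |= PW_TOO_SHORT;
    if (!has_upper)       flags |= PW_NO_UPPER;
    if (!has_lower)       flags |= PW_NO_LOWER;
    if (ndigits == 0)     flags |= PW_NO_DIGIT;
    if (!has_symbol)      flags |= PW_NO_SYMBOL;
    if (len > 0 && ndigits == len) flags |= PW_ALL_NUMERIC;
    return flags;
}

/* Model a hypothetical "enableweakpasswords" option: with it off, any
 * weakness rejects the secret at config load; with it on, the secret is
 * accepted and the caller is expected to log a warning instead. */
int secret_acceptable(const char *pw, int enableweakpasswords)
{
    return enableweakpasswords || password_weakness(pw) == PW_OK;
}

/* Render the flags as a comma-separated reason for a config warning. */
void explain_weakness(int flags, char *buf, size_t buflen)
{
    static const struct { int bit; const char *msg; } reasons[] = {
        { PW_TOO_SHORT,   "shorter than 8 characters" },
        { PW_NO_UPPER,    "no uppercase letter" },
        { PW_NO_LOWER,    "no lowercase letter" },
        { PW_NO_DIGIT,    "no digit" },
        { PW_NO_SYMBOL,   "no symbol" },
        { PW_ALL_NUMERIC, "entirely numeric" },
    };
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof reasons / sizeof reasons[0]; i++) {
        if (!(flags & reasons[i].bit))
            continue;
        int n = snprintf(buf + used, buflen - used, "%s%s",
                         used ? ", " : "", reasons[i].msg);
        if (n < 0 || (size_t) n >= buflen - used)
            break; /* output truncated; stop rather than overrun */
        used += (size_t) n;
    }
}

int main(void)
{
    /* Constructed sample secrets, from weakest to strongest. */
    const char *samples[] = { "1234", "12345678", "secret", "Ab1!", "Sup3r$ecret" };
    char why[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = password_weakness(samples[i]);
        explain_weakness(f, why, sizeof why);
        printf("%-12s strict=%s  reason: %s\n", samples[i],
               secret_acceptable(samples[i], 0) ? "accept" : "reject",
               f ? why : "none");
    }
    return 0;
}
```

A loader would call password_weakness() once per peer and, depending on the option, either refuse the entry or emit the explain_weakness() text as a warning; the bitmask keeps the two decisions (reject vs. warn) separate from the policy itself.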

---------------------------------------------------------------------- 
 (0100358) oej (manager) - 2009-02-19 05:18
 http://bugs.digium.com/view.php?id=14495#c100358 
---------------------------------------------------------------------- 
That's a good question, aragon. It goes all the way back to the HTTP MD5
digest RFC 2617. And possibly the MD5 algorithm by itself.

http://en.wikipedia.org/wiki/MD5

As MD5 is used to create checksums on any file, I guess it's all right
with just about anything.

RFC 3261 section 22 outlines the usage of HTTP auth within SIP

I can't find any specification of the actual secret used... Sorry.
I've seen SIP phones that can only have digits in the password, as well as
phones that choke on more than four characters.

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-02-19 05:18 oej            Note Added: 0100358                          
======================================================================
