[asterisk-users] Secure passwords, was LDAP integration
Tilghman Lesher
tlesher at digium.com
Tue Sep 29 11:23:26 CDT 2009

On Tuesday 29 September 2009 10:30:37 John A. Sullivan III wrote:
> Second, I believe we saw a way we could map the Asterisk password to the
> regular user password (it's been a while so I'm not sure about that) but
> were concerned about the problems of entering secure passwords from a
> phone keypad. We enforce fairly secure passwords - at least nine
> characters with some variety of characters and encourage much longer
> passwords. Having to enter lots of characters in both cases as well as
> symbols seemed difficult from a phone keypad. Thus, we decided
> (reluctantly) to use separate simple passwords for phone access instead
> of the very secure passwords we use for data access.

I would hope that you're at least restricting your peers to be limited to a
set of IPs distinctive to your phones. Otherwise, this is a recipe for
disaster, especially if a) your registration server is accessible externally,
and b) your phones are permitted to make toll calls, especially international
numbers.

Most good IP phones permit a method of configuration which does not require
typing a password into a keypad. You should probably learn to use that method
or switch to a phone with that ability, then use secure passwords. Phones are
just as important as data and should be supplied with complex passwords.
--
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
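
An added example, not part of the original message or of Asterisk itself: a small audit that flags sip.conf peers with a weak secret or without a deny/permit IP restriction, the two risks raised in the reply above. The sample config, peer names and the two-character-class rule are constructed assumptions; the nine-character minimum is the policy quoted in the thread, and the parser assumes a simple sip.conf without templates or includes.

```python
import configparser

# Constructed sample sip.conf (not from the original post).
SAMPLE_SIP_CONF = """
[general]
bindport=5060

[1001]
type=friend
host=dynamic
secret=1234

[1002]
type=friend
host=dynamic
secret=vR7#qLm2x!Tz9
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
"""

MIN_LEN = 9  # "at least nine characters", the policy quoted in the thread


def weak_secret(secret):
    """True if the secret is short or uses fewer than two character classes."""
    classes = sum([
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    ])
    return len(secret) < MIN_LEN or classes < 2


def audit(conf_text):
    """Return {peer: [findings]} for peers with a weak secret or no IP ACL."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        peer = cp[name]
        if name == "general" or "type" not in peer:
            continue  # only sections that define a peer/user/friend
        findings = []
        if weak_secret(peer.get("secret", fallback="")):
            findings.append("weak secret")
        # Presence check only: it does not judge how narrow the permit range is.
        if "deny" not in peer or "permit" not in peer:
            findings.append("no deny/permit ACL")
        if findings:
            report[name] = findings
    return report
```
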