natedev Posted January 6, 2009
I've noticed that all the extension passwords (website, SIP, and PINs) are stored in clear text on the pbxnsip server. I'd like to suggest that you store a hash of the website and PIN passwords. I know the SIP password has to be able to be transmitted to the phones. It could use a reversible encryption.
Vodia PBX Posted January 6, 2009
We thought about that also. However, when you change a domain name or change one of the alias names, then a hash would not work any more. Encrypting it with a hardcoded key only "obscures" the passwords (until someone gets the bit secret out of the code). Encrypting it using the private key of the PBX (used for TLS) would be a possibility. At least the sys admin login uses a hash for the password! And of course, file system access should be strict. This is not a public area.
natedev Posted January 6, 2009 (Author)
If you're storing a hash (like a simple MD5) of the user's web password and PIN, I wouldn't expect the hash to break if the alias or domain name is changed so long as you don't use the alias or domain name to calculate the hash.
Vodia PBX Posted January 7, 2009
Well, the problem is when the user decides to change the username you cannot generate a new hash. If we are using the hash method we have to request users to re-enter their passwords.
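The two posters are talking past each other, and the gap is worth showing in code. This is an added example, not code from the thread or from pbxnsip/Vodia, and it assumes the hash the vendor has in mind is the HA1 of SIP Digest authentication (RFC 2617, which SIP uses per RFC 3261): MD5(username:realm:password). That value lets a server verify REGISTER responses without the cleartext password, but it is bound to the username and the realm (normally the domain), so a rename invalidates it and only the user can produce a new one. A salted hash of the web password or PIN that does not include the identity, which is what natedev proposes, survives the rename. The extension "40", the two domain names, the nonce and the passwords below are constructed for illustration.

```python
import hashlib
import hmac
import os

# Added example, not pbxnsip/Vodia code. The extension, realms, nonce and
# passwords used in rename_scenario() are constructed for illustration.


def sip_ha1(username: str, realm: str, password: str) -> str:
    """HA1 of HTTP/SIP Digest authentication (RFC 2617 / RFC 3261):
    MD5(username:realm:password). Bound to both the username and the realm."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def sip_digest_response(ha1: str, method: str, uri: str, nonce: str,
                        nc: str, cnonce: str) -> str:
    """Digest response for qop=auth. The phone derives HA1 from the cleartext
    password; the server only needs the stored HA1 to compute the same value."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()


def verify_sip(stored_ha1: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
    expected = sip_digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def hash_web_password(password: str, salt: bytes = None,
                      iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 for the web password or PIN. Username and
    domain are deliberately not part of the input, so renaming either leaves
    the stored value valid."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_web_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def rename_scenario() -> dict:
    """Walk a domain rename through both storage schemes; return the outcomes."""
    user, old_realm, new_realm = "40", "pbx.example.com", "voice.example.com"
    sip_pw, web_pw = "sipsecret", "webpass123"
    method, uri = "REGISTER", "sip:pbx.example.com"
    nonce, nc, cnonce = "abc123nonce", "00000001", "0a4f113b"

    # The server keeps HA1 instead of the cleartext SIP password, plus a
    # salted hash of the web password.
    db = {"ha1": sip_ha1(user, old_realm, sip_pw),
          "web": hash_web_password(web_pw)}

    # Before the rename the phone and server agree on the realm.
    resp = sip_digest_response(sip_ha1(user, old_realm, sip_pw),
                               method, uri, nonce, nc, cnonce)
    sip_before = verify_sip(db["ha1"], method, uri, nonce, nc, cnonce, resp)

    # After the rename the challenge carries the new realm, so the phone's HA1
    # changes. The stored HA1 was computed over the old realm and the server
    # cannot recompute it without the cleartext password: registration fails
    # until the user re-enters the password (the vendor's objection).
    resp = sip_digest_response(sip_ha1(user, new_realm, sip_pw),
                               method, uri, nonce, nc, cnonce)
    sip_after = verify_sip(db["ha1"], method, uri, nonce, nc, cnonce, resp)

    # The web hash never included the realm or username, so it still verifies.
    web_after = verify_web_password(web_pw, db["web"])
    return {"sip_before_rename": sip_before,
            "sip_after_rename": sip_after,
            "web_after_rename": web_after}


if __name__ == "__main__":
    print(rename_scenario())
```

The SIP functions reproduce the RFC 2617 worked example (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"), so they can be checked against the published HA1 and response values. One caveat on the PIN half of the proposal: a hash protects a 4- to 6-digit PIN only nominally, since anyone who can read the file can enumerate every possible PIN against the salted hash in seconds, so strict file system permissions remain the real control there whichever storage format is chosen.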