is there a way to let admin know of insecure passwords?

[mattlandis]

Hello,

 

I'm curious if there is a way to say such and such an extension changed one of there pw's to a simple password?

 

I'm not sure how to implement but i would be nice to be able to know some user didn't change password to simple password.

 

any thots?

 

matt

[Vodia PBX]

In the latest, we actually changed a few things regarding passwords due to the obvious problems with default passwords.

 

When the PBX takes the default configuration, the default passwords for extensions (also PIN) and domain provisioning are just "*". That means the PBX will generate automatically some random passwords for these extensions (12 alphanumeric or so), so that someone from outside will have a real hard time guessing them. You can still do PnP and the PBX will provision the passwords fine (depending on the MAC trust level and the client certificate that the device presents).

 

The only open door is still the admin password. But somehow you have to log in the first time! If admins don't change that password then I also dont know. I think when you try to save global settings (which also contains the admin password) by default the JavaScript will complain about the empty admin password, so you have the chance to change that as well.

 

We added a warning symbol in the account page that lights up when the account has no password set. But it is not as critical as before, as the PBX does not accept registrations without passwords any more (another change we did a few months ago).

 

The biggest security risk as users that don't like to use good passwords, that remains the core problem.

[mattlandis]

suggestion:

 

in the account list have some red notice. when you hold mouse over it or click it tells which is the offending password.

 

idea

Matt