
SIP phone password best practice

xdira

Systems Engineer
Dec 31, 2024
How does everyone manage moves and passwords when migrating to SIP phones? In Cisco, you can swap 2 phones by swapping MAC addresses. In Avaya, it looks like someone has to be physically present at the phone to log it out and log it back in with the new extension and password. Do you typically give everyone the same password or do you make them unique? I would hesitate to give a user a master password but it would also be a pain to send a tech out to a remote location to swap 2 phones.

What is everyone else doing and what is best practice? AD is not a viable option.
 
It depends on how secure your network is. If you have remote workers that can log in their SIP phones from off-net, then you will want unique and somewhat difficult passwords. I've seen several systems that use the extension number as the password, which is really easy for moves and such but equally as easy for some nefarious actor to log in a remote SIP phone and make tons of international calls.

One university set up a spreadsheet with a formula to create a unique password for each extension. But I've seen a lot of "1234" or similar passwords, too. While you can use letters and characters in the SIP passwords, I recommend sticking with numbers to make everyone's life easier. Is that easier to brute-force? Sure, but as long as it's more than 4 digits and different from the extension, most phreakers will move on to easier targets.

But if you have SIP phones, why not just move the phone with the user? The phone will keep its extension and just pick up a new IP Address at the new location. Also, end users don't have to worry about disinfecting/cleaning their "new" phone.
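A keyed version of the per-extension formula described in the reply above, as an added example that is not code from the thread: it swaps the spreadsheet formula for an HMAC with a secret key so that knowing one extension's password does not let anyone compute another's, and it enforces the constraints the reply names (digits only, longer than 4, different from the extension). `DEMO_KEY`, `password_policy_ok` and `derive_sip_password` are names chosen here, and the key value is constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In practice generate it once (secrets.token_bytes(32)),
# store it with the same care as the SMGR admin credentials, and keep it out
# of the spreadsheet that lists extensions.
DEMO_KEY = bytes.fromhex(
    "6d8f2a9c4b1e7f03a5c6d9e2b4f8a1c3d7e9f0b2a4c6e8d0f1a3b5c7d9e0f2a4"
)


def password_policy_ok(extension: str, password: str, min_digits: int = 5) -> bool:
    """Minimum the thread suggests: numeric, more than 4 digits, and not
    trivially tied to the extension (equal to it, or containing it)."""
    if not password.isdigit() or len(password) < min_digits:
        return False
    if password == extension or extension in password:
        return False
    if len(set(password)) == 1:  # 00000000 and friends
        return False
    return True


def derive_sip_password(extension: str, key: bytes = DEMO_KEY, digits: int = 8) -> str:
    """Derive a numeric SIP password for one extension from a secret key.

    HMAC-SHA256 keyed on a secret replaces the spreadsheet formula: the
    output is still reproducible (no master list to keep), but without the
    key nobody can work out another extension's password from their own.
    """
    counter = 0
    while True:
        msg = f"{extension}:{counter}".encode()
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        # Reduce the digest to a fixed-width decimal string.
        candidate = str(int.from_bytes(digest, "big") % 10**digits).zfill(digits)
        if password_policy_ok(extension, candidate):
            return candidate
        counter += 1  # rare: the policy rejected it, so hash a fresh message


if __name__ == "__main__":
    for ext in ("2001", "2002", "4711"):
        print(ext, derive_sip_password(ext))
```

Rotating the key re-derives every password at once, which is the same operation as the 90-day change mentioned later in the thread.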
 
Moving the phone with the user is probably our best option. I thought there might be a better way to move the user's extension without moving the phone since all of the cubicles already have a phone there.
 
Neither Communication Manager (for H.323 phones) nor Session Manager (for SIP phones) imposes a penalty if a user inputs the wrong credentials too many times when logging into their phone. In other words, a hacker can try new passwords endlessly. Further, there are no alarms or reports about excessive login attempts.

A recent version of the Avaya Session Border Controller Enterprise introduced the ability to automatically block future login attempts when a threshold of incorrect attempts has been reached, but that ability only applies to Remote Workers.

The two most obvious problems with a hacker taking over a phone are: 1) Spear Phishing, where it looks like you are getting a call from a "reliable" source, such as the IT department, and unwittingly reveal useful information about your environment. 2) Toll Fraud, where the callers can rack up a huge charge for lots of long international calls that your company must pay.

Hacker programs running on a standard PC can break even long numeric passwords within seconds. So, I would suggest imposing complex passwords (numbers, letters, & special characters) especially if users are not required to change them every 90 days.
 
You can GET $MACADDR in the settings file and have something like SET FORCE_SIP_USERNAME and SET FORCE_SIP_PASSWORD in the file named for the MAC address.

Users swapping desks wouldn't need to move their phones and the change process would be just updating the MAC txt file. That presupposes having a master list of SIP extensions and passwords which probably isn't a good idea, so the process would probably be updating the password in SMGR to something hard and then updating the text file named for the MAC address.

Having a MAC swap button in SMGR would just be too easy...
 
