Secret and Weak Password Detection

Hi,
I just installed Asterisk and was able to create two extensions
I used User extension 1000 secret 1000 and extension 2000 secret 2000
Now a few days later I go back to make a third extension 3000 secret 3000
I get a message The secret must be at minimum six characters in length.
Is there a way I can change that? Plus when I select the Module Weak Password Detection it shows my other two extensions and Secret with 4 characters. But for some reason it won’t let me create a new one with a secret less than 6 characters.
This is a test network so I am not worried about security.
Any help is appreciated.
Thanks
Scott

Sounds to me like the module is working properly: it’s detecting weak passwords and preventing you from further creating weak passwords.

I am currently installing FreePBX in to an active Asterisk system. The requirement of longer, more complicated, secrets are preventing the installation. We have several hundred phones already provisioned. Can the “feature” be disabled? The alternative is to edit all the phone config files and reboot each phone.

Go to Module Admin - System Administration section and disable Weak Password Detection:

You can use the bulkimport module to import extensions into FreePBX, that module won't check for weak passwords. However, my strongest advice is that you change the password on the phone.

Removing the Weak Password Detection does not remove the check for strong password as it is in the validation code when entering extensions.

Here’s an example of using weak passwords reported in PiaF forums:

“It only took 12 hours for a hacker to run up $45,582 in telephone charges for a local [North Carolina] furniture company. More than 10,000 minutes of phone calls were made from the phones at Sherrill Furniture on Highland Ave. NE from 9 p.m. on Friday, March 5 to 9 a.m. the following day.”

or this one:

"A company I was working for some years ago lost £69,000 GBP (Then about $140,000USD) between a Thursday night and Friday morning. The calls were routed into PBX systems in London via our switch; neither our fraud detection nor our carriers' fraud detection software picked this up, because London numbers were being called, albeit a lot of them, and to us they were local calls, costing less than a penny a minute.

The calls were then routed via various PBX systems, which had been phreaked earlier, and onwards via their PRI to some foreign expensive destinations. I think we got off lightly by comparison to the owners of the PBXs."

And another one reported here about a hacked PBX in N.Z.

The important thing is that these 3 incidents were located on opposite ends of the planet.

File: /var/www/html/admin/common/script.js.php
Line: 59

Comment out a few lines in the function as done below:

// Used on the extensions/devices page to make sure a strong password is used
function weakSecret()
{
  var password = document.getElementById('devinfo_secret').value;
  var origional_password = document.getElementById('devinfo_secret_origional').value;

  if (password == origional_password)
  {
    return false;
  }

  if (password.length <= 2)
  {
    alert('<?php echo _("The secret must be at minimum two characters in length."); ?>');
    return true;
  }

//  if (password.match(/[a-z].*[a-z]/i) == null || password.match(/\d\D*\d/) == null)
//  {
//    alert('<?php echo _("The secret must contain at least two numbers and two letters."); ?>');
//    return true;
//  }
  return false;
}

And your point is?

The reason for a strong secret is a really good feature wanted by those unfortunate that have been hacked and lost thousands of dollars in phone bills due to bad secrets.

I agree, this module is flawed.

If an admin turns off "enforce strong passwords", configuring extensions with weak passwords SHOULD WORK when the module is removed OR disabled.

Having developers think they know better than admins is a problem.

Sure, enable detection by default BUT allow us to turn it off when we need to for whatever reason.

In 2.9 we added in the Advanced Settings feature to disable this. It's called Require Strong Secrets with a true or false. This thread is over 2 years old now and was resolved about 2 years ago already.

Use complex passwords and save the long time headaches.
The numeric password 1000 will only take a few minutes to get hacked.

If you are using End Point Manager you don't even need to type your password, so pick a big long ridiculous password and be safe rather than sorry and none of the modules will complain.
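To make the "a few minutes" claim above concrete, here is an added example in JavaScript. It is not FreePBX code and not from any poster in this thread. It applies the same three rules the posted script.js.php enforces (at least six characters, two letters, two digits) to a candidate secret, and then estimates how long an online guessing attack against that secret would take. The guess rate GUESSES_PER_SECOND, the 33-character punctuation set, and the sample secrets are constructed assumptions for illustration.

```javascript
// Added example (not FreePBX code). Re-implements the strength rules the
// thread's script.js.php applies and estimates brute-force cost, so an
// administrator can see why a four-digit secret such as "1000" is unsafe.

// Returns a list of reasons a secret would be rejected; empty means it passes.
function secretProblems(secret) {
  const problems = [];
  if (secret.length < 6) problems.push('shorter than six characters');
  // Same regexes as the FreePBX validation: two letters, two digits.
  if (!/[a-z].*[a-z]/i.test(secret)) problems.push('fewer than two letters');
  if (!/\d\D*\d/.test(secret)) problems.push('fewer than two digits');
  return problems;
}

// Size of the search space an attacker must cover, based on the character
// classes the secret actually uses (a common, conservative estimate).
function keyspaceSize(secret) {
  let alphabet = 0;
  if (/[a-z]/.test(secret)) alphabet += 26;
  if (/[A-Z]/.test(secret)) alphabet += 26;
  if (/\d/.test(secret)) alphabet += 10;
  if (/[^a-zA-Z\d]/.test(secret)) alphabet += 33; // printable punctuation (assumption)
  return Math.pow(alphabet, secret.length);
}

// Assumed rate of SIP REGISTER guesses per second an attacker can sustain
// against an unprotected PBX (constructed value, not measured).
const GUESSES_PER_SECOND = 100;

// Seconds needed to exhaust the whole keyspace at the assumed guess rate.
function secondsToExhaust(secret, rate = GUESSES_PER_SECOND) {
  return keyspaceSize(secret) / rate;
}

// Human-readable summary for an administrator reviewing extension secrets.
function reportSecret(secret) {
  const problems = secretProblems(secret);
  const days = secondsToExhaust(secret) / 86400;
  const verdict = problems.length === 0 ? 'accepted' : 'rejected (' + problems.join(', ') + ')';
  return secret + ': ' + verdict + '; full keyspace at ' + GUESSES_PER_SECOND +
    ' guesses/s exhausted in ' + (days < 1 ? Math.round(secondsToExhaust(secret)) + ' s' : days.toFixed(1) + ' days');
}

// Constructed sample secrets: the thread's "1000" style, a digits-only one,
// a letters-only one, and one that satisfies all three rules.
if (typeof require !== 'undefined' && require.main === module) {
  ['1000', '123456', 'abcdef', 'Xk7q2mPz9w'].forEach(s => console.log(reportSecret(s)));
}
```

Running the block prints one line per sample secret; "1000" covers only 10,000 possibilities, so even at the modest assumed rate it is exhausted in under two minutes, which is the point the poster makes.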