v15 sp1 - Ext authentication password length

Discussion in '3CX Phone System - General' started by crsc, Aug 1, 2016.

Thread Status:
Not open for further replies.
  1. crsc

    Joined:
    Dec 1, 2007
    Messages:
    28
    Likes Received:
    0
    Hi,

    Upgraded to v15 sp1 from v14. Trying to modify an extension is prevented by 3cx requiring a "stronger" password of 6 chars minimum length.

    Where do we control the minimum length of the password?

    Thanks.
     
  2. MichaelB

    MichaelB Member
    3CX Support

    Joined:
    Aug 25, 2009
    Messages:
    407
    Likes Received:
    8
    No, we need to force users to start using stronger passwords..
     
    daphi likes this.
  3. crsc

    Joined:
    Dec 1, 2007
    Messages:
    28
    Likes Received:
    0
    Thanks for the reply.

    Not a good strategy. We have users that have the same password on their extensions for more than 7 years and that is how we want to keep it. You should not hardcode things like password length. It is the responsibility of the system administrators to decide how they want to configure software that they are paying for.

    Again, how do we control the length of the extension password?

    Thanks.
     
  4. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,405
    Likes Received:
    274
    The Subject is Extension Authentication - but it seems the conversation is about Voicemail PIN?
    I have never given my users any type of option on selecting their Extension password and/or needing to use it for anything.
     
  5. crsc

    Joined:
    Dec 1, 2007
    Messages:
    28
    Likes Received:
    0
    Hi,

    It is about the password used to register the phones and client. Having to change the password to six characters forces the phone to be re-provisioned for it to register again. As someone still dealing with a number of Polycom phones that refuse to provision from a remote server, this is a potential nightmare.

    Thanks.
     
  6. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,405
    Likes Received:
    274
    I understand your dilemma. Now I see why I was not understanding...
    And if not open to the outside world - not a big deal.
    But I've seen many a systems get hacked and money consumed from weak passwords.
    Good luck on your quest.
     
  7. rwiertz

    Joined:
    Oct 1, 2013
    Messages:
    3
    Likes Received:
    0
    Hi,

    I completely agree with CRSC. It's up to the administrator to control password strategy and length. Even Microsoft does not treat administrators as children and gives the option to change the defaults. Most of our systems are closed and have no need for a strong password, so please give us the ability to control this ourselves.

    Kind regards,

    Ron Wiertz
     
  8. coertvc

    Joined:
    Jan 23, 2014
    Messages:
    26
    Likes Received:
    0
    That is basically why this product is not enterprise ready. I have Avaya phones where I need to work differently with authentication, and this is stopping me from adopting version v15. Pity.
     
  9. Bunce

    Joined:
    Sep 19, 2012
    Messages:
    19
    Likes Received:
    0
    One of many reasons. They appear to be in that phase where they put together a product that finds a niche market, begin to experience growth and the $$ focus takes over: reasonably QA'd releases are overtaken with rapid 'new feature' releases that aren't close to being production ready, in an effort to pick up new customers (4 service packs in v15 and still features missing) and be able to quickly retire previous releases to avoid support obligations.

    End result being existing customers are neglected - Every 2nd blog post becomes a marketing push about some partner signing on the other side of the world as opposed to providing useful product information.

    I'm pretty sure they just don't see enterprise/corporate as a target market. We had our auditors look at it and they basically laughed - security was abysmal- extension and tunnel passwords sent in clear text in a provisioning email? Really?

    Add to that archaic licensing approaches, deluded branding decisions and feature removals from product releases - any SysAdmin with a brain will turn up their nose quite quickly. Complete re-install for an IP change?? How does that get past QA in a V1 product..

    Partners in our area are 'frustrated' to say the least and suggest short-term $$ growth is detrimentally impacting on future product direction, and isolating potential target markets such as enterprise that could bring greater longer term growth.

    Agreed- pity.
     
    #9 Bunce, Jan 21, 2017
    Last edited: Jan 22, 2017
  10. bwalker@tektone.net

    Joined:
    Nov 23, 2011
    Messages:
    2
    Likes Received:
    0
    I agree completely. As a Network Administrator, setting aside time to upgrade the PBX, it would be much appreciated to have this information beforehand - instead of being strong-armed into changing the password of several hundred extensions. I'd also like to add that taking away the user-configuration of daylight savings time is insane. Your system has it set for 3 days beforehand.

    I'm certain you Alpha test this software in-house, but do you beta test it with end users? Are your Software Engineers developing with the end-user in mind?
     
  11. nb

    nb Support Team
    Staff Member 3CX Support

    Joined:
    Jun 7, 2007
    Messages:
    2,129
    Likes Received:
    153
    I cannot believe I'm hearing this. Especially from 3CX Partners and 3CX Certified members.

    Actually - it's not even good or bad strategy. It's the ONLY strategy to forcefully convert people to start securing their PBX properly.
    Who argues that weak passwords are OK has absolutely no idea of cyber security - let alone defense and penetration. Especially a system for a paying customer.

    In fact you keep extensions hack-able. (And some have been doing this for 7 YEARS!!!).
    Moreover they can be hacked by these script kiddies launching the most standard tools of tools.
    And you argue that this is ok because my system is "closed"...???!!! The sympathy I have is not for you - but I am really worried for the clients you represent.

    One day, you WILL get a nice little bill with some high toll numbers to nice little numbers in Somalia, etc that you would have to cough up.. We will see then how confident you all remain...

    @crsc - Well 7 years? Of course we will override an admin that reasons like this. An admin that values security would come up with this change proactively HIMSELF.
    No this is not a potential nightmare. You just re-provision and go ahead. 2 seconds.
    It seems you still don't know what a potential nightmare is in computing and cyber security. I think you better not know trust me.

    @ron Wiertz - Let me see if I got it right - Did you use the word "Closed" - This is getting even more educational !!!
    I'm very sorry to say that this argument is completely baseless. Do you know that whatever "closed" system you think you might have, 70% of the attacks come in from TRUSTED SOURCES? How do you know whether some disgruntled employee decides to hijack your extension or that of the CEO?
    How do you effectively "Close" your system to some guy that's already in your network?

    @coertvc - So we have to jeopardize the security of 3CX and its image because you are using Avaya phones (unsupported) and do not know how to change the password to a more complex one. This is not a very good argument...
    The rude part is that you call the product not enterprise ready. Why can't you change and secure your endpoints?
    Actually it's a dishonor to all enterprise systems when you try and classify a phone configured your way as Enterprise.

    @bwalker - We have Alpha, beta, rc candidates - I mean what do you want to alpha test? This is not a space launch.
    You want a version to test that you can have a more secure password? Come on now. Do you test facebook when it asks you for a more secure password? Amazon AWS (Just mentioning 2 services that have billions of users here). You complain to them as well?

    @Orlin - What features are not ready yet that you really really really need?
    And why are you a premium partner after all these years still talking like this? This is really bad.
    It's like you are a Mercedes sales executive assigned to sell the 2017 model, IN YOUR INTEREST TO SELL IT, and when a customer comes and wants to buy a Mercedes you tell him - No, buy the one from 2015!!!! What a cardinal error!!!

    Conclusion:
    I actually think FOR THE SAFETY of clients, I think I should immediately delete this thread.
    I mean given I know already I'm preaching to the deaf, (I'm sure I'm going to get some amazing, genius answers soon), I'm not even concerned with your safety on the internet. But now I must step up because I have a vital concern here...

    You cannot be entrusted and responsible to install 3CX for other customers if you completely disregard security this way. If you reason like this in 2017, you just cannot.
    And this is why we enforce this. To make sure that cyber security negligence like this is FORCEFULLY Stopped. Whether you like it or not. This will never change inside 3CX.

    And if you talk publicly like this, you put yourselves and your clients in danger. Only God knows what else you have configured insecurely. Because if you reason like this for your pbx (one of the most important and secure services in your business) then you reason like this for other things too.
     
    jbryant84, leejor and Nick Galea like this.
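    The practical complaint in this thread is being forced to discover, extension by extension, which SIP authentication passwords fail the new 6-character minimum only after upgrading. The following is an added example (not 3CX code, and not an official 3CX export format; the CSV columns and sample credentials are constructed) that audits an extension list beforehand so re-provisioning can be planned. The length rule is the one the thread states; the other checks are assumptions added here, not 3CX's documented policy.

    ```python
    import csv
    import io

    # Constructed sample export: extension number and its SIP auth password.
    # Not real 3CX data; the column names are an assumption for this example.
    SAMPLE_EXPORT = """extension,auth_password
    100,123456
    101,1234
    102,102
    103,Xk7!pq2r
    104,aaaaaa
    """

    MIN_LENGTH = 6  # minimum that 3CX v15 SP1 enforces, per the thread


    def password_problems(extension, password):
        """Return the reasons an extension's auth password would be rejected
        by the v15 SP1 minimum or is otherwise weak. Only the length rule
        comes from the thread; the remaining checks are assumptions."""
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if password == extension:
            problems.append("equals the extension number")
        if len(set(password)) == 1:
            problems.append("single repeated character")
        if password.isdigit():
            problems.append("digits only (trivial to brute-force)")
        return problems


    def audit(export_text):
        """Parse the CSV export; map each failing extension to its problems.
        Extensions that pass every check are omitted from the result."""
        findings = {}
        for row in csv.DictReader(io.StringIO(export_text)):
            problems = password_problems(row["extension"], row["auth_password"])
            if problems:
                findings[row["extension"]] = problems
        return findings


    if __name__ == "__main__":
        # Extensions listed here are the ones that will need re-provisioning.
        for ext, reasons in audit(SAMPLE_EXPORT).items():
            print(f"extension {ext}: " + "; ".join(reasons))
    ```
    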
  12. bwalker@tektone.net

    Joined:
    Nov 23, 2011
    Messages:
    2
    Likes Received:
    0
    @nickybrg - wow... lay off the caffeine a bit.

    Perhaps flaming your customers isn't the best strategy for winning hearts and minds.

    I can't justify anyone's comments but my own - and my comments weren't against the security requirements - it was about the lack of communication in the upgrade roll-out. In my case, this added a significant amount of time to successfully accomplish the upgrade to v15.

    I don't want to Alpha anything, I'm not a 3CX test engineer.

    I would love to be involved in a Beta at some point.

    I don't complain, I vote with my wallet. I have been a 3CX supporter (and customer) since 2011. I've recommended the product countless times.

    Regardless of how substantiated your argument may be...
     