New Password Mechanisms
Those who have seen the release notes for 5.3.2 will have noticed that we have added some new features to the PBX to improve the password management. They are not actually new in the sense that this would shake up the IT industries, they are just new to the Vodia PBX. But they have become good industry practice and it was time to put them in.
The first feature is a password reminder. Today most PBX users all have email addresses. The email is an essential way to communicate with the user; the PBX sends emails when something happens, e.g. the user missed a call or has a new mailbox message. Sending an email with a temporary password to the email account is a safe way to regain access to an account where the password has been lost. The temporary password does not change the current password; otherwise it would be easy to disturb the account for someone who knows the account number of a user. Once the user has received the email and successfully logged in, he is redirected to the password page and asked to change the password.
This is where the next feature comes in. The PBX now keeps a history of the last used password hashes, and compares a new password against that list. If the password was used in that account before, it is not accepted as a new password. This helps the user come up with new passwords, and not use the same password all over again. Together with the password policy, this should help reducing the risk of exposing weak passwords to the public.
After all, we are all excited that more and more PBX are running on hosted servers in the cloud. The big benefit to have access to the system practically from anywhere implies that the bad guys also have access from anywhere. This makes it even more important to have good passwords. The new features in 5.3.2 are another step into this direction.