Passwords Again

Christian Stredicke
CEO of Vodia Networks

Just around the corner, this week is Boston Startup Week (http://bosstartupweek.com/). Although I don't consider Vodia a startup, I could not resist attending the "Boston's Cybersecurity Economy" session to hear what is going on in our neighborhood when it comes to cyber security. Not that I would expect VoIP to be a topic there, but I wanted to hear generally what is going on.

My personal takeaway from the session was that there are two fundamental problems in the cyber security space: (1) buggy software and (2) negligent users. Those two factors have created an amazing, multi-billion dollar economy that literally tries to contain the damage coming from those two factors with a whole lot of products and services around it.

We have always tried hard to make our software as smooth as possible to minimize the impact from (1). This actually includes software updates and maintenance plans, if you think about it.

However, looking at the history of breaches and glitches in our environment, my feeling is that the biggest problem comes from (2), especially when those users choose passwords like "password" or "secret" and PIN codes like 1234. In many cases it is understandable: if you work, let's say, in a warehouse and have a cordless phone, why would you bother assigning a strong password to your account? At the end of the day, you are just a user, and sometimes it really is not your business.

We have tried to come up with a scoring algorithm that determines whether a password that you would like to use is good or bad. Whatever we tried, it was always easily tricked by passwords like "bond007", which might look okay to the computer at first glance but which is obviously easy for a human to guess. What works much better is to take a list of popular passwords and then make sure that the password we are looking at is not too similar to any password on that list. So we went ahead, collected a list of roughly 2000 passwords that seem to be the most popular among users, and added them to the JavaScript check procedure. Now when you enter your new password, you might be surprised that your favorite password is not accepted any more. If that small JavaScript could guess it, maybe those hackers out there can get it too! I believe this will significantly increase the password quality of the Vodia hosted PBX users. The next version, 58.4, will have it.

Needless to say, the PBX already generates passwords, e.g. for the provisioning of phones, that are completely random and which the user will usually never see, and never wants to see.