Password hardening

The Wiki of Unify contains information on clients and devices, communications systems and unified communications. - Unify GmbH & Co. KG is a Trademark Licensee of Siemens AG.

Specify character sets required

New Admin/DLS level configuration items allow the phone to be configured to specify the characters that a password must contain:

  • The minimum number of uppercase (alphabetic) characters (can be none).
  • The minimum number of lowercase (alphabetic) characters (can be none).
  • The minimum number of digits (can be none).
  • The minimum number of special characters (can be none).

The User and Admin passwords have individual settings.

Password retention

A new Admin/DLS level configuration item allows the phone to be configured to specify how long before a password is allowed to be changed again. Once a password has been changed for an access level it is not allowed to be changed again for a specified period.

Password expiry

A new Admin/DLS level configuration item allows the phone to be configured to specify how long before a password must be changed again.

A password only stays valid for a given period, however it was set. When a password approaches the end of this period the appropriate user is warned when they attempt to use the password. The user is required to change the password as a result.

Confirm existing password when changing

The password for the access level being used to change a password must also be re-entered at the time that a password is changed, to prevent malicious use of an access level that was left open.

Password history checks

A new Admin/DLS level configuration item allows the number of entries kept in password histories for the User and Admin passwords to be configured to prevent reuse of past passwords at the access level.

A list of previous passwords is maintained for each access level for a specified period. A new password must not exactly match any of the passwords contained in the list. When a new password has been accepted it is added to the list. This list is organised as FIFO so that it always contains the latest passwords.

Password difference checks

A new Admin/DLS level configuration item allows the number of characters by which a new password must differ from the previous password to be configured.

Force password change

A new Admin/DLS level configuration item allows the phone to be set to force the User password to be changed the next time that it is entered after it has been set via the DLS or via Admin level access.

Suspend password on failures

A new Admin/DLS level configuration item allows the phone to be configured to set the number of failed password attempts allowed before the password for that level is suspended for a configurable period.

A suspended password may be enabled explicitly or enabled implicitly by setting a new password for the level. The suspension is automatically lifted after a restart of the phone.

Limit repeated password changes

A new Admin/DLS level configuration item allows the phone to be configured to set the period before a password is allowed to be changed again.

Prevent DN in passwords

Neither the User’s telephone number nor display identity is allowed as part of a new password. Explicitly, the following OCMS items are not allowed:

  • e164
  • sip-name
  • display-id-unicode
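
The checks from "Specify character sets required", "Password history checks", "Password difference checks" and "Prevent DN in passwords" can be combined into one validator, sketched here as an added example that is not Unify's code. The class and parameter names, the positional difference metric, the case-insensitive identity match and the storage of history entries as salted PBKDF2 digests are all assumptions.

```python
import hashlib, hmac, os
from collections import deque

class PasswordPolicy:
    """Added illustration; names are hypothetical, not the phone's config items."""
    def __init__(self, min_upper=1, min_lower=1, min_digits=1, min_special=1,
                 history_size=3, min_diff=3):
        self.mins = {"upper": min_upper, "lower": min_lower,
                     "digit": min_digits, "special": min_special}
        self.min_diff = min_diff
        self.history = deque(maxlen=history_size)  # FIFO: oldest entry drops out

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _count_classes(password):
        counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
        for ch in password:
            kind = ("upper" if ch.isupper() else "lower" if ch.islower()
                    else "digit" if ch.isdigit() else "special")
            counts[kind] += 1
        return counts

    def check(self, new, current, identity_items):
        """Return the list of violated rules; an empty list means acceptable."""
        problems = []
        counts = self._count_classes(new)
        problems += [f"too few {k}" for k, n in self.mins.items() if counts[k] < n]
        # History: the new password must not exactly match any stored entry.
        if any(hmac.compare_digest(self._digest(new, s), d) for s, d in self.history):
            problems.append("reused")
        # Difference (assumed metric): positions that differ, plus the length gap.
        diff = sum(a != b for a, b in zip(new, current)) + abs(len(new) - len(current))
        if diff < self.min_diff:
            problems.append("too similar")
        # e164, sip-name and display-id-unicode values must not appear in it.
        if any(v and v.lower() in new.lower() for v in identity_items.values()):
            problems.append("contains identity")
        return problems

    def change(self, new, current, identity_items):
        problems = self.check(new, current, identity_items)
        if not problems:  # accepted passwords are appended to the history
            salt = os.urandom(16)
            self.history.append((salt, self._digest(new, salt)))
        return problems
```

Because the existing password is re-entered at change time, the difference check can compare against it directly, so the history only needs to hold digests for the exact-match test.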

Ability to disable Admin access

A new DLS level configuration item allows the Admin password to be disabled, suspended or enabled. A disabled/suspended password may be enabled explicitly, or enabled implicitly by setting a new password.

Ability to disable User access

A new Admin/DLS level configuration item allows the User password to be disabled, suspended or enabled. A disabled/suspended password may be enabled explicitly, or enabled implicitly by setting a new password.