George Gleason

Cybercriminals and other bad actors are increasingly exploiting telephone systems, much as they exploit computers, software, and networks.  The consequences can include direct costs (for example thousands of dollars of fraudulent international calls), liability risks (stolen user and client information that can become subject to lawsuits), and potential national security risks (hijacking by cyberterrorist gangs, for uses such as covert message drops).  This is true regardless of whether you have a premises-based or "cloud"-based telephone system. 

The most important protection is a strong password policy.  In most cases, the passwords you use to access various PBX features, such as listening to your voicemail messages, are digits on the dialing keypad.

Yes, publish it:  

It's often said, "don't publish your password policy."  That advice is incorrect, as a brief lesson from cryptology demonstrates.  

Cryptology is the overall science of encryption systems, within which "cryptography" is the science of building encryption systems, and "cryptanalysis" is the science of breaking into encryption systems.  Any encryption system has essentially two components: the "general system" (the algorithm that encrypts and decrypts messages), and the "keys" (data or settings that are unique to each user or message).  

Cryptologists always assume that adversaries know the "general system," thus security must reside entirely in the "keys."  This is a safe assumption, for example on the battlefield where capturing an opposing force's encryption equipment alone is much less useful than capturing the "codebooks" that contain the lists of daily keys.  (Your cryptanalysts have already figured out the opponent's general system, getting them the keys lets them read all the traffic in real time.)

By analogy and also in actual fact, your password policy is equivalent to a "general system" and your individual passwords are "keys."  Thus you should assume that potential adversaries know your policy, and your security resides entirely in your passwords.

Examples of useful elements of voicemail password policies:

1)  Allow a variable number of digits, with a high upper limit.  This increases potential adversaries' "search space," and the number of tries they have to perform to find the password for any given mailbox.  Clearly, an organization with only 5-digit passwords is setting itself up as a juicy target.  But any policy that sets a fixed number of digits is less secure than a policy that allows a variable number of digits.

However, all other factors equal, what will tend to happen is that the statistical distribution of users' passwords in an organization will tend to pile up as a normal curve that's skewed toward the low end of the allowed number.  Thus you need to encourage users to pick voicemail passwords with larger numbers of digits, that can flatten out the distribution or at least pile up at a higher point.

2)  Do Not use birthdays or other personal identifying information (PII).  These artificially constrain the adversaries' search space even more than a fixed number of digits.  More importantly, they can also lead to further compromises: for example a person's name plus date of birth is sufficient for identity theft.  

(That's also why you should never celebrate birthdays online, particularly in insecure public forums such as "social media."  Cybercriminals have apps that search for words such as "birthday" to harvest this information.  Next thing you know, your bank account is overdrawn.)

3)  Random or semantically meaningless character-strings ("gobbledegook") are less secure than semantically meaningful strings.  True.  The entire trope about using gobbledegook passwords (letters, numbers, and punctuation required; no recognizable words allowed) was a bad mistake from the get-go, and the person responsible for creating it has even apologized publicly.  

I'll have more to say about that in a future article.  In brief, the human brain works best with patterns and meanings; a "gobbledegook password" policy leads to users simplifying their passwords at every password change in order to retain some semblance of a pattern or meaningful sequence; the result is a narrowed search space that is more easily cracked.

4)  Useful ways to choose larger numbers of digits:

a)  Telephone numbers you don't call from work.  An early childhood friend's number that's no longer in use, the number of your favorite small restaurant or local store, etc.  Use them with or without area code, and/or add or subtract a digit or two at the beginning or end.  

b)  Semantic passwords and phrases:  Dictionary words or phrases you can visualize or remember, and spell out on the dialing keypad.  For example you can't be expected to remember the 13-digit string 467 737 487 3693, but you can easily visualize and remember "horse sits down" (don't use that one) even if horses don't "sit" when they're resting.  Use any language that's comfortable; optionally use a mix of languages, e.g. English, Spanish, and Chinese words and phrases. 

This is arguably the most-secure method for generating PBX and voicemail passwords, because semantic meaning is independent of length in number of digits, and there will be higher variability of password length throughout an organization.  Even single words are good (and also produce useful variation in number of digits): 27 83 38 28 is a frustrating 8-digit password, but "aqueduct" is memorable and easy to dial (don't use that one).

- On Panasonic PBX telephones, you can dial without going off-hook ("pre-dial" feature), to translate your words/phrases to digits that appear on the telephone screen.  Dial by letters, and the digits will appear on the screen.  

- Then copy the digit string anywhere safe, such as a piece of recycled paper you're going to put through the shredder when done.  Then clear your phone screen so you don't accidentally dial those digits when you go off-hook (press the rectangular button below the word "CLEAR" on the main display).  

- Then log in to your mailbox, select "mailbox management," then select "change the password," and enter your chosen digit string followed by #(pound).  Listen to the read-back, press 1 to try again or 2 to accept, and then hang up.  Then shred or tear up and flush the small piece of paper on which you wrote your digit string.  

- For other brands of PBX that don't have a "pre-dial" feature (and for your mobile and home landline voicemail), you can at least look at the letters next to the digits on the keypad, and write down the digits, and then log into your mailbox and change your password.

5)  In case you're thinking it's going to be impossible to get your coworkers to adopt relatively long passwords:  In point of fact, using a long semantic password or phrase is as easy as typing a word or phrase of the same length on a computer keyboard.  Once you get used to the locations of the letters on the dialing keypad it becomes second-nature.  

Back in the day when telephone numbers started with exchange names, such as KLondike 5-, MUrray hill 2-, etc., everyone could dial the first two letters as quickly as if they were numbers.  When telcos went to "All-Number Calling" and eliminated the exchange names, there was a public backlash, because the change made telephone numbers less meaningful (by divorcing them from geographic boundaries) and harder to remember (by removing the semantically-meaningful association).

A semantic password policy also lends itself to more frequent changes of passwords.  One of the fatal flaws of gobbledegook passwords is that required password changes lead to people using simpler passwords over time, thereby making the cybercriminal's job easier.  Semantic passwords and phrases don't have this problem, because meaning is "free" in the human brain, so there is no incentive to over-simplify a digit string.  For example changing from 467 737 487 3693 to 269 726 634 663 is difficult as a digit-string, but easy as a phrase: "horses sit down" becomes "cows come home" (don't use that one either).  

Thus you can change semantic passwords and phrases more frequently, and the task becomes amusing rather than frustrating.

Strictly speaking, the scientific determination of the degree of security of any password policy depends on empirical comparisons between it and other policies, to determine if there is a statistically-significant difference in the rate of successful break-ins.  This entails tracking a large number of users at a large number of companies, over a long enough period of time to get meaningful numbers of break-ins, and/or days between break-ins, under each password policy.  

That said, our results have been good.  Since we introduced the semantic password and passphrase policy for our clients, there have been zero successful break-ins into our clients' PBXs that are operated under this policy.  We have also found that password reset requests have decreased by about 80%, which demonstrates that semantic passwords and phrases are easier to remember and use than long numeric passwords that are not semantically meaningful.  

This is a win/win solution for organizations and their employees.  Whether or not you're a client of ours, you can start using it today.