• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 341

Best Practice for Phone Pins

We currently have a predominantly Cisco VoIP setup, and the PINs used on our hard phones are currently set to the phone extension number.

What are the best practices in this area for the use of the PIN, and the most secure and also effective way of setting them? I.e., is it best if the user chooses, or is it better if the PINs are managed centrally and distributed to users?
Asked: jdc1944
1 Solution
 
BullmanTech Commented:
PINs should be randomly generated initially, set by an administrator. From there, users should typically be allowed to manage their own passwords except in certain high-security environments (government, military, etc.). You should follow (at minimum) the following standard guidelines which apply to most user-managed password systems:

- minimum PIN length (4 should be the absolute minimum for PINs, 8 for passwords)
- complexity requirements (disallowing repeated digits or sequences, e.g. 1111, 1234)
- maximum PIN age (90 days is standard, but this is often implemented only for passwords and not voicemail PINs)
- number of consecutive false entries allowed before lockout

Less important for voicemail PINs, but important general password considerations:

- PIN history (e.g. last 10 PINs cannot be used)
- minimum PIN age (e.g. 1 day; if the PIN is changed today, the user cannot change it until tomorrow, preventing users from cycling through 10 new PINs minutes after each other to get back to their original)
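The guidelines in the answer above, expressed as an added example (not code from the thread or from any Cisco product): a policy check for a proposed voicemail PIN covering minimum length, repeated digits and sequences, PIN history, minimum age, maximum age, and a consecutive-failure lockout, plus a rejection of the extension-number default described in the question. The numeric limits follow the answer except MAX_FAILURES, which is an assumed value; the extension and sample PINs are constructed.

```python
from __future__ import annotations
import hmac
from datetime import date, timedelta

# Policy values from the answer above; MAX_FAILURES is an assumed figure.
MIN_LENGTH = 4
HISTORY_DEPTH = 10
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=90)
MAX_FAILURES = 5

def is_sequence(pin: str) -> bool:
    """True for strictly ascending or descending runs such as 1234 or 4321."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}

def pin_violations(candidate: str, extension: str, history: list[str],
                   last_changed: date | None, today: date) -> list[str]:
    """Rules a proposed PIN breaks; an empty list means it is acceptable."""
    problems = []
    if not candidate.isdigit():
        return ["digits only"]
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if candidate == extension:          # the default the question describes
        problems.append("equals the phone extension")
    if len(set(candidate)) == 1:        # 1111, 0000, ...
        problems.append("repeated single digit")
    elif is_sequence(candidate):        # 1234, 9876, ...
        problems.append("ascending/descending sequence")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within last {HISTORY_DEPTH} PINs")
    if last_changed is not None and today - last_changed < MIN_AGE:
        problems.append("changed less than 1 day ago")
    return problems

def pin_expired(last_changed: date, today: date) -> bool:
    return today - last_changed >= MAX_AGE   # maximum-age rule: force a change

class LockoutCounter:
    """Counts consecutive wrong entries and locks the mailbox at MAX_FAILURES."""
    def __init__(self, actual: str) -> None:
        self.actual, self.failures, self.locked = actual, 0, False
    def attempt(self, entered: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(entered, self.actual):  # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False
```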
jdc1944 (Author) Commented:
Thanks, I presume the biggest risk to having default PINs is that anyone could log into someone else's phone and pretend to be them or accept their calls.

BullmanTech Commented:
The risks present for default PINs depend on what other processes are in place at the company that could relate to phone use.

If someone needs a PIN to access / log into a physical phone sitting on company premises, then using default PINs could potentially give unauthorized individuals access to company resources / systems (e.g. in a hoteling/open seating office context).

Also, an individual may be more easily able to elicit some form of secure or confidential information from a member of technical support, accounting, etc. that they might otherwise be unable to without having internal phone access. For example, if an outside individual could give someone in technical support an internal phone number for a call-back, that support person might be more willing / susceptible to a social engineering scenario where someone might be trying to gain technical information about the company's internal IT environment / systems or trying to gain direct systems access (by requesting a password reset, for example).

jdc1944 (Author) Commented:
Thanks for your help