Best Practice for Phone Pins

Posted on 2012-09-13
Last Modified: 2012-09-19
We currently have a predominantly Cisco VoIP setup, and the PINs used on our hard phones are currently set to the phone extension number.

What are the best practices in this area for the use of the PIN, and the most secure and also effective way of setting them? I.e. is it best if the user chooses, or is it better if the PINs are managed centrally and distributed to users?
Question by: jdc1944

Accepted Solution

PINs should be randomly generated initially, set by an administrator. From there, users should typically be allowed to manage their own passwords except in certain high-security environments (government, military, etc.). You should follow (at minimum) the following standard guidelines, which apply to most user-managed password systems:

- minimum PIN length (4 should be the absolute minimum for PINs, 8 for passwords)
- complexity requirements (disallowing repeated digits or sequences, e.g. 1111, 1234)
- maximum PIN age (90 days is standard, but this is often implemented only for passwords and not voicemail PINs)
- number of consecutive false entries allowed before lockout

Less important for voicemail PINs, but important general password considerations:
- PIN history (e.g. last 10 PINs cannot be used)
- minimum PIN age (e.g. 1 day; if the PIN is changed today, the user cannot change it until tomorrow, preventing users from cycling through 10 new PINs minutes after each other to get back to their original)
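As an added example (not part of the thread), the rules in the accepted solution expressed as a PIN-change policy check: the numeric limits are the ones the answer gives, while the function names, the extension check (rejecting a PIN that is the extension number, the questioner's default) and the sample PINs are constructed.

```python
from __future__ import annotations
from datetime import date, timedelta

# Policy values taken from the thread's accepted solution; adjust per environment.
MIN_LENGTH = 4       # absolute minimum for PINs
HISTORY_DEPTH = 10   # last N PINs cannot be reused
MIN_AGE_DAYS = 1     # no second change within a day (blocks history cycling)
MAX_AGE_DAYS = 90    # maximum PIN age


def is_sequence(pin: str) -> bool:
    """True for runs such as 1234 or 4321 (every step is +1, or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_policy_violations(pin: str, extension: str, history: list[str],
                          last_changed: date, today: date) -> list[str]:
    """Return every reason to reject a user's proposed PIN (empty list = accept)."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical (e.g. 1111)")
    if is_sequence(pin):
        problems.append("ascending/descending sequence (e.g. 1234)")
    if pin in extension:  # also true when the PIN equals the extension
        problems.append("PIN matches or is contained in the extension number")
    if pin in history[-HISTORY_DEPTH:]:
        problems.append(f"reused one of the last {HISTORY_DEPTH} PINs")
    if today - last_changed < timedelta(days=MIN_AGE_DAYS):
        problems.append(f"changed less than {MIN_AGE_DAYS} day(s) ago")
    return problems


def pin_expired(last_changed: date, today: date) -> bool:
    """Maximum-age check, run at login rather than at change time."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: extension 2580 with the PIN left at the extension number.
    today = date(2012, 9, 13)
    print(pin_policy_violations("2580", "2580", [], date(2012, 9, 1), today))
    print(pin_policy_violations("7391", "2580", ["1234"], date(2012, 9, 1), today))
```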

Author Comment

Thanks. I presume the biggest risk to having default PINs is that anyone could log into someone else's phone and pretend to be them or accept their calls.

Expert Comment

The risks present for default PINs depend on what other processes are in place at the company that could relate to phone use.

If someone needs a PIN to access / log into a physical phone sitting on company premises, then using default PINs could potentially give unauthorized individuals access to company resources / systems (e.g. in a hoteling/open seating office context).

Also, an individual may be more easily able to elicit some form of secure or confidential information from a member of technical support, accounting, etc. that they might otherwise be unable to without having internal phone access. For example, if an outside individual could give someone in technical support an internal phone number for a call-back, that support person might be more willing / susceptible to a social engineering scenario where someone might be trying to gain technical information about the company's internal IT environment / systems or trying to gain direct systems access (by requesting a password reset, for example).

Author Closing Comment

Thanks for your help
