As one of the UK’s leading SIP providers, we unfortunately hear stories about companies getting hacked on a regular basis. Unlike many online services you might use, compromising your SIP account has real monetary value to a hacker. The losses tend to range from a few pounds up to a few hundred pounds, occasionally even into the thousands. The typical attack involves taking over your SIP account and launching a huge volume of calls to expensive destinations such as premium rate numbers.
We know that online fraud is a growing threat, so it’s vital you do everything you can to keep your telephony systems secured. The good news is that in the vast majority of cases basic password security had not been implemented by the company that got hacked, so the attack could easily have been prevented. Read on to understand a few simple steps that you can take to keep yourself safe from 99% of online SIP attacks.
How do people get hacked?
Whilst there are more elaborate and sophisticated attacks out there, most of the victims of SIP hacking that we come across have made one or more of a few basic mistakes.
The hacking techniques
There are two basic types of attack that everyone should be aware of. We'll outline them briefly below.
In a brute force attack the hacker simply tries every possible password. The longer the password and the more types of character it contains, the less feasible the attack becomes. Take as an example a basic 3 digit numeric PIN: counting every PIN of one to three digits, there are just 1,110 combinations, and a hacker could try them all in a few minutes over a network. By contrast, a randomly generated password of 10 characters made up of numbers, uppercase letters and lowercase letters gives 853,058,371,866,181,866 combinations (again counting every length up to 10), making a brute force attack over a network impossible. There's a great site where you can experiment with the strength of different password formats here.
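To show where the two figures above come from and what they mean at a realistic network guessing rate, here is an added example (not part of the original post). The guess rate of 10 attempts per second is an assumed, constructed value; the counts sum every length up to the maximum, which is how the page's numbers were calculated.

```python
# Brute force keyspace calculator for the password formats discussed above.

DIGITS = 10                 # 0-9
ALNUM = 10 + 26 + 26        # digits + lowercase + uppercase = 62 characters

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet.

    A brute forcer that does not know the length tries the shorter
    candidates first, so the total includes every length up to max_len.
    This is the counting that gives 1,110 for a 3-digit PIN.
    """
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Same worst-case time expressed in years."""
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 10.0  # assumed network guess rate (guesses per second), constructed

    pin_space = keyspace(DIGITS, 3)
    pw_space = keyspace(ALNUM, 10)
    print(f"3-digit PIN:        {pin_space:,} candidates, "
          f"{seconds_to_exhaust(pin_space, RATE):.0f} s to exhaust")
    print(f"10-char alphanum:   {pw_space:,} candidates, "
          f"{years_to_exhaust(pw_space, RATE):.2e} years to exhaust")
```

Even at an unrealistically generous rate the 10-character space takes billions of years, which is why a random password of that form cannot be brute forced over a network.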
The other type of attack that a hacker will use to try and guess your password is known as a dictionary attack. Rather than trying every possible permutation of a password, instead the attacker tries a very large dictionary of commonly used passwords. Sometimes these lists will actually be built from passwords released when companies have been compromised and their customers' passwords have been stolen.
This is how people who use common dictionary words as passwords get hacked, and also people who have re-used a password from another service. You can look up your email address and usernames on haveibeenpwned.com to see if your passwords have already been leaked. It's not an exhaustive list, but well worth checking for some peace of mind.
Weak passwords are the most basic issue of all: far too many people are using passwords that are simply too weak. We talk about what a secure password is and how best to create one further down the page.
Another common mistake is reusing passwords across services. This is a really bad idea: if you use the same password on ABC.com as for your SIP account, then when ABC.com gets hacked your SIP account is exposed too. Even if you share a password between low-value accounts such as social media networks, it's vital that you always use a secure, unique password for every SIP trunk or hosted PBX extension that you manage.
Passwords not changed regularly
Another common mistake that people make is to set a password once and never change it. Setting up a schedule for regularly changing the passwords on all of your SIP devices limits how long a leaked or guessed password stays useful to an attacker.
Recording passwords in an insecure location
It sounds obvious, but it's scary how many people do things like email passwords to themselves or store them in insecure locations like a spreadsheet. Read on to learn about some secure methods for storing all of your passwords.
What is a secure password?
So we've looked at the most common ways that accounts get hacked, now it's time to think about what a secure password really is.
A secure password will not be found in any dictionary
This means both that a password must not be a common dictionary word and that it must never have been used before on another service.
A secure password is too long to be brute forced
As we explained above, even a randomly generated password can be guessed by a program that tries every combination if it is short. You should use at least 8-10 characters selected from numeric digits, lowercase letters, uppercase letters and punctuation symbols.
How to make a password secure?
The first thing to say is never try to make up a password yourself. Humans are very bad at generating anything close to a random sequence of characters. Research has been conducted into the patterns in numeric PINs and it reveals that we tend to use patterns and repetition rather than truly random combinations. Instead, always use some kind of random password generator. There are many on the web such as passwordsgenerator.net. Google is your friend here.
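As an added example (not code from the original post), this generator follows the rules above: it draws from the OS cryptographic random source rather than a human's imagination, insists on every character class, and rejects anything found in a small constructed stand-in for a leaked-password list (a real check would use a full breach dictionary).

```python
import secrets
import string

# Character classes the page recommends: digits, lowercase, uppercase, punctuation.
CLASSES = (
    ("digit", string.digits),
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("symbol", string.punctuation),
)
ALPHABET = "".join(chars for _, chars in CLASSES)

# Constructed, deliberately tiny stand-in for a breached-password dictionary.
CONSTRUCTED_DICTIONARY = {"password", "123456", "qwerty", "letmein", "admin"}


def check_password(pw: str, min_len: int = 10) -> list[str]:
    """Return the page's rules that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if pw.lower() in CONSTRUCTED_DICTIONARY:
        problems.append("dictionary word")
    missing = [name for name, chars in CLASSES if not any(c in chars for c in pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def generate_password(length: int = 12) -> str:
    """Generate a random password with secrets (a CSPRNG), never random.random.

    Candidates are redrawn until every character class is present and the
    result passes check_password, so the output satisfies the page's rules.
    """
    if length < 10:
        raise ValueError("use at least 10 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, min_len=length):
            return candidate


if __name__ == "__main__":
    print(generate_password(12))
```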
How to remember passwords?
So you're following the rules and now every password you make is unique and randomly generated, but how can you possibly remember them all? The answer is that you don't try to: rather than recording them insecurely in a document on your computer, you use a dedicated password manager to remember them all. All you have to do is remember the access details for your password manager and it then provides access to all of your passwords. There are many out there to choose from - read reviews and speak to your friends and colleagues about what they use. A short list to get you started might include 1password.com, passpack.com and lastpass.com.
How Orbtalk helps to protect you from fraud
Whilst we can’t control the passwords that you set yourselves on devices such as phones and extensions, we have a system in place called Call Guard that monitors all of our traffic, tries to identify fraudulent patterns of behaviour and cuts off outbound calling when a serious risk is identified. We can't guarantee that we can identify all fraud, but we do know that we’ve stopped thousands of pounds of fraud for our customers who have been compromised. You can learn more about our SIP trunk solution here.
What we provide
Orbtalk specialise in SIP and VoIP solutions for business and are unique in this market space due to our global reach. This allows us to offer SIP Trunking and Cloud Phone Systems to organisations across the globe for single and multi-sited companies. Our global presence also means that we have one of the largest offerings of international numbers available from over 8000 destinations globally.