0

Per telecomworld:

FreePBX Operator Panel (FOP)

The secret code for performing transfers and hangups in the Flash Operator Panel is passw0rd (zero not the letter O)

I'm on Elastix 2.5 and am just curious about this -- it seems a questionable choice to set any password to a static value. The MySQL password is set to this value for either FreePBX or PIAF (PBX In A Flash).

Why?

In Elastix 2.5 running elastix-admin-passwords --change invokes:

#!/bin/bash
clear
echo "This script resets your MySQL password. IT MUST BE passw0rd!"
echo "Script also changes your admin password for Elastix MT access."
read -p "To continue, press Enter. Otherwise, press Ctrl-C to abort."
echo " "
elastix-admin-passwords --change
echo " "
echo "Done. Access Incredible PBX at http://`/sbin/ifconfig eth0 | grep "inet " | cut -f 2 -d ":" | cut -f 1 -d " "`"
echo " "​

I'm as much interested in how that came about as to whether or not it's a "good" idea.

Braiam
  • 35,380
  • 25
  • 108
  • 167
Thufir
  • 1,810
  • 6
  • 33
  • 60

2 Answers2

4

With many programs (including MySQL), the default and sometimes only way to authenticate a user is to ask the user for a password. It works the same even if that user is actually another program: the server will still ask it for a password, and the program must know the answer.

The easiest way to ship a product with all the programs knowing the right passwords is to use a bunch of hard-coded (as in, part of the ISO image—the same for every install) ones—then you can just put them in the various config files (or worse, in the various programs' source code). An alternative is to generate unique, random passwords for each install and have the installer put them in the appropriate config files, but that's more work (though far more secure!).

A second reason for default passwords is to make writing documentation easy. "Log in at http://machine-ip-address/, user admin, password admin" is easy. (This doesn't apply to program-to-program passwords, of course).

The key thing about these passwords is that default passwords are always insecure. It does not matter if the default password is password, p455w0rd, or even j@'kNDv&178VGzsv; it is insecure. Its been published widely on the Internet, it is known to anyone who cares to do a slight bit of research, and it's probably on any password-guesser's wordlist. So it really doesn't matter security-wise what the default passwords are, and thus passw0rd (instead of password) is probably just a joke. The person who chose it knows its insecure (since its a default password), and makes a joke of "must contain letters and numbers" security requirements by putting a clearly insecure letters-and-numbers password.

So, yes, when technically possible, you should change default passwords. When it's not technically possible, you should ask why and think long and hard: is it really a good idea to run this software? And if you do decide to run it, make certain to control access some other way.

derobert
  • 107,579
  • 20
  • 231
  • 279
1

"passw0rd" was famously derived by the genius-level idea of corrupting the lowercase letter "o" in the trailing half of the single-word string "password" into a zero "0", thus resulting in the string "passw0rd".

The corruption hints the user of the need to choose an obfuscated password that would not necessarily occur to an intruder, or be found through a dictionary attack. The string "passw0rd" itself does not, however, achieve this, as the substitution "o" -> "0" is unfortunately common enough for password-cracking programs to attempt it, in addition to many similar variations.

DepressedDaniel
  • 4,169
  • 12
  • 15