Protecting passwords
Passwords are used in FreeSWITCH when phones register, when FreeSWITCH registers to external gateways, and when administrators authenticate into the FreeSWITCH system itself. Most of these areas utilize weak plaintext passwords.
In addition, many users set their passwords to simple, easy-to-guess combinations. Worse yet, some don't ever change or set up their voicemail boxes, leaving the defaults in place.
These passwords are very often targeted, and once gained, they are exploited to commit fraud.
There are a few mechanisms available to mitigate this.
Registration passwords
Registration credentials do not need to be passed or kept on disk in plain-text. When defining SIP credentials in your folder, instead of including the following line:
<param name="password" value="samiam"/>
replace it with a pre-calculated a1-hash of the password, like the following:
<param name="a1-hash" value="c6440e5de50b403206989679159de89a"/>
To generate a1-hash, get the md5 of the string username...
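The following added example, which is not from the original text or the FreeSWITCH project, converts plaintext password params in a user directory file into a1-hash params. It assumes the standard SIP digest A1 construction, md5 of username:domain:password; the sample XML, the domain pbx.example.test and the function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample directory entries (not from the page).
SAMPLE = """<include>
  <user id="1000">
    <params>
      <param name="password" value="samiam"/>
      <param name="vm-password" value="83412"/>
    </params>
  </user>
  <user id="1001">
    <params>
      <param name="password" value="$${default_password}"/>
    </params>
  </user>
</include>"""


def a1_hash(username, domain, password):
    """Digest A1 value: MD5 over 'username:domain:password', hex encoded."""
    data = f"{username}:{domain}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def convert_users(xml_text, domain):
    """Swap plaintext password params for a1-hash params.

    Returns (new_xml, converted_ids, skipped_ids).
    """
    root = ET.fromstring(xml_text)
    converted, skipped = [], []
    for user in root.iter("user"):
        for param in user.iter("param"):
            if param.get("name") != "password":
                continue
            value = param.get("value", "")
            if "${" in value:
                # A variable reference is not the real password; hashing
                # the literal text would lock the user out.
                skipped.append(user.get("id"))
                continue
            param.set("name", "a1-hash")
            param.set("value", a1_hash(user.get("id"), domain, value))
            converted.append(user.get("id"))
    return ET.tostring(root, encoding="unicode"), converted, skipped


if __name__ == "__main__":
    new_xml, done, left = convert_users(SAMPLE, "pbx.example.test")
    print(new_xml)
    print("converted:", done, "skipped:", left)
```

Because the hash covers the username and the domain, it has to be regenerated whenever either one changes.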