Voicemail security, even stronger than bank security


Microsoft's telephone department takes security very seriously. Your voicemail password must be at least eight digits long.

By comparison, the password for my ATM card is only four digits long.

Because voicemail is that important, I guess.

(Yes, I know about two-factor authentication. I'm writing this only half-jokingly.)

Comments (44)
  1. Marquess says:

    Well, can you brute-force the voicemail PIN or are there safeguards?

  2. Tom says:

    There have been cases in the past where an outside user (non-employee) with knowledge of your voicemail password and your company phone number can make long-distance phone calls using the company phone system.

    So my guess is that your ATM PIN is only 4 digits because it’s only your money at risk, whereas the voicemail PIN is 8 digits because the company’s money is at risk.

  3. nathan_works says:

    That’s the stupidest combination I’ve ever heard of in my life! That’s the kinda thing an idiot would have on his luggage!

  4. Dan says:

    Same thing at my workplace too.

  5. Paul says:

    Actually, even though the ATM PIN is only 4 characters, it also requires your ATM Card (that thing in your wallet).  This combination increases the security greatly.  Even if you tell everybody your ATM PIN, if they don’t have your card, they get nowhere.  Compare to Voicemail password.  

  6. Joe Dietz says:

    I have a very nice piece of black tape over the voicemail light on my phone.  Its been there for almost 3 years now (more or less precisely since 45 days after we upgraded phone systems and it demanded a strong password that had to be changed every 45 days).  I should remember to mention this fact to my new boss I suppose.

  7. Vilx- says:

    Still this is a trend. Every now and then I come across a website which has a military-grade password security policy for a forum with 10 unique visitors a day. Go figure…

  8. PaulS says:

    You could make it stronger still by requiring that no two consecutive digits could be on the same row of the keypad… which means no repeating digits…

  9. David Walker says:

    @Paul: Raymond already covered that topic.  Maybe you didn’t read the whole thing…

  10. John says:

    PaulS: requiring that no two consecutive digits could be on the same row would probably make the passwords a lot weaker and more prone to brute force since the search space would be greatly reduced.
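An added example, not part of the post or any comment, that quantifies John's point: it counts how many 8-digit PINs satisfy PaulS's same-row rule and compares the result with the unconstrained 10^8. The keypad layout is assumed to be the standard telephone one (rows 1-2-3, 4-5-6, 7-8-9, with 0 alone on the bottom row).

```python
"""Measure how much PaulS's rule ("no two consecutive digits on the same
keypad row") shrinks the PIN keyspace. The search space is counted with a
small dynamic program instead of enumerating all 10**length candidates."""
import math

# Assumed telephone keypad layout: digit -> row index.
KEYPAD_ROW = {"1": 0, "2": 0, "3": 0,
              "4": 1, "5": 1, "6": 1,
              "7": 2, "8": 2, "9": 2,
              "0": 3}

# How many digits each row holds (0 sits alone with * and #).
ROW_SIZE = {0: 3, 1: 3, 2: 3, 3: 1}


def allowed(pin: str) -> bool:
    """True if no two consecutive digits of `pin` share a keypad row.
    Repeated digits are always on the same row, so they are rejected too."""
    return all(KEYPAD_ROW[a] != KEYPAD_ROW[b] for a, b in zip(pin, pin[1:]))


def count_allowed(length: int) -> int:
    """Number of PINs of `length` digits that satisfy the same-row rule."""
    # ways[r]: valid prefixes whose last digit lies on row r.
    ways = dict(ROW_SIZE)  # one-digit prefixes: each row's digit count
    for _ in range(length - 1):
        total = sum(ways.values())
        # Extend every prefix with a digit from a *different* row.
        ways = {r: (total - ways[r]) * n for r, n in ROW_SIZE.items()}
    return sum(ways.values())


def entropy_bits(length: int) -> "tuple[float, float]":
    """(bits of an unconstrained PIN, bits of a PIN under the rule)."""
    return length * math.log2(10), math.log2(count_allowed(length))


if __name__ == "__main__":
    free, constrained = entropy_bits(8)
    print(f"unconstrained 8-digit PINs: {10 ** 8}")
    print(f"PINs obeying the same-row rule: {count_allowed(8)}")
    print(f"entropy: {free:.1f} bits -> {constrained:.1f} bits")
```

For eight digits the rule leaves roughly one tenth of the original keyspace (about 23.3 bits instead of 26.6), which is the reduction John predicts.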

  11. Jim says:

    I used to work in the company telecom section. The voice mail password reset request was the single biggest job we could have. After the holidays, like Labor Day etc., you got a flood of calls for VM password reset. There were two kinds of reset though: one was to just reset the VM password, another was to reset the VM mail box, which was referred to as blowing up the VM box. Some of my new hires often blew up the senior management VM box and got many angry phone calls as well.

  12. Dylan says:

    violet: Why not keyfiles?

  13. Kemp says:

    Dylan: Given the management thinking that produced that recommendation, I imagine they would institute a 60-day regeneration of keyfiles too.

  14. -dan says:

    Leave a door open and no one will come in, lock it up and people will think there is something worth getting in for  …

    And then there is the old proverb about killing  a mosquito with a cannon

    Whatever the case when you lock up everything and it becomes to common place, then people put less importance on the things that really do need to be secure.

    I think most people are overwhelmed and buried in passwords for everything in life, phones, web sites, banks, computer logins, luggage you name it. No way you can’t keep using a few of the same codes which of course leads to less security.  One of the biggest security leaks is the overuse of security.

  15. Brian says:

    Ever since our company turned on strict password complexity, history, and age requirements, my passwords have gotten weaker.  Instead of using a very long, complex password that is embedded into my head, I now use super weak passwords that are easy to remember (and therefore, guess).

    I have a sneaking suspicion the people that implement these policies have no clue how the users react to them.

    I believe the best password policy is a minimum password length of 20 characters, with no force-change requirements.

  16. Cooney says:

    Actually, even though the ATM PIN is only 4 characters, it also requires your ATM Card (that thing in your wallet).  This combination increases the security greatly.  

    No it doesn’t. It requires a card with matching account info on the magstrip, which is easy to copy. Couple a skimmer to a camera that records your pin and security goes to hell. It was only last year that my credit union sent me a new card because someone put a skimmer on their ATM.

  17. Cooney says:

    Ever since our company turned on strict password complexity, history, and age requirements, my passwords have gotten weaker.  Instead of using a very long, complex password that is embedded into my head, I now use super weak passwords that are easy to remember (and therefore, guess).

    I use marching passwords for this sort of thing. What sucks is when you have 2-3 password authorities on different schedules – there’s often no reason for them to be different, but keeping them in sync is a pain.

  18. John Muller says:

    What really sucks is when the mandatory password change hits on a Friday; the chain of thought behind the new password is easier to recall the very next day than after a weekend.

  19. Feroze says:

    In Microsoft’s case, the Voicemail password is not just the VM password, it also gives you access to your email, calendar and the company’s address book. Hence the reason to enforce a strong password, in the same way as Outlook. Exchange UM can be considered a client in the same way Outlook is.

  20. James Schend says:

    Our voicemail just emails us a .wav file. I don’t think I’ve ever even set a password… if I have, no clue what it is.

  21. Miral says:

    It also probably helps to pick a different length than most common ones.  My bank uses a 4-digit PIN for ATM cards but a 5-digit PIN for phone banking, primarily to force people to pick something different for each one.

    (Of course, I suspect a lot of people just use the same number with one digit repeated, or some other silly variation.)

  22. Olivier says:

    @Marquess: they are probably using Asterisk with fail2ban ;) so, yes, there’s a protection against the bruteforce attacks.

  23. Anonymous Coward says:

    Cooney, the reverse is also true – most new atm passes (the ones with a chip) can be used without the pin:

    http://news.slashdot.org/story/10/02/11/2129212

  24. steveg says:

    Place I work has all voice mail accessible remotely via the default password…

    I’ve changed mine. And programmed the phone to play different tunes — gotta put that degree to good use.

  25. violet says:

    My organization requires that all passwords be strong and changed every 60 days. *All* passwords. In consequence of which, rather than having the reasonable security offered by writing long, random passwords into scripts used by remote sites, we have all our data on a public, anonymous ftp server.

    I’m actually not opposed to this arrangement, but I suspect it’s not what the security people would consider ideal.

    (Also, my PIN is 8 digits long. It wouldn’t surprise me if your bank let you set yours similarly.)

  26. Neil (SM) says:

    Paul wrote: "Actually, even though the ATM PIN is only 4 characters, it also requires your ATM Card (that thing in your wallet)."

    Jeez, Paul.  Raymond writes his disclaimer about two factors and joking at the bottom of his post and you *still* couldn’t help bringing it up.

  27. Lawrence says:

    Voicemail PINs at our company are five digits. By coincidence, internal desk-to-desk numbers are five digits also. Guess what the default (and recommended not to change) PIN is set to for each user?

  28. Pi says:

    Eat this! We have no voicemail in our company.

    Off-topic: I already miss the depressing colors.

  29. Drak says:

    [Off topic]

    Did your site move to a different IP address? I’m getting intermittent errors:

    Oops!

    We’re sorry, but Community Server is not configured for this site: "65.55.48.164".

  30. dartme18 says:

    seven AM, eh?

    Aaron

  31. Joseph Koss says:

    For your protection, a 4-digit Personal Identification Number (PIN) has been selected for you using an industry standard certified random number generator.

    Your PIN is: 0000

    Please do not share your PIN with other people.

  32. If a bank upsets their customers, the customers can easily move to a different bank.

    If a company upsets their employees, the ease with which the employees can move to a different company varies greatly depending on the economic climate.

  33. Cooney says:

    > We probably could have wrestled with them and come up with some kind of rsync+ssh+keypair solution, but by that point it was just easier to stick it on the public FTP and have done with it.

    Hmm, a perfect example of what schneier would call ‘too much security’

  34. Michael says:

    I think the people who set password policies *do* know how users will react, but they also realize they have no incentive to promote actual security, and every incentive to create policies that sound good to management.

  35. violet says:

    @Aneurin — I’ve only very occasionally encountered ATMs that don’t let me enter an 8-digit PIN (weirdly, cheap off-brand ATMs in Mexican shoppes worked, whereas Chase ATMs in Times Square did not). In other countries, my debit card was usually rejected for other reasons (but when it worked, my PIN was accepted).

  36. gechurch says:

    @Cooney

    I wouldn’t say copying the magstrip off a card was easy. For starters you need to have a skimmer and a machine to spit out a copy of the card. That’s far from impossible, but a lot more effort than downloading a free brute-force password hack tool from the Internet.

    You also have to have physical access to the card. This step is a lot harder, especially since it must be done without the owner of the card knowing (or they’ll cancel the card). Then of course you must know the PIN. Getting the camera is easy; filming the person entering their PIN without them knowing it shouldn’t be.

    None of those things are impossible, but add them together and you’ve put up significant barriers. Especially given most cards have a daily limit of $1000 or so (here in Australia anyway).

  37. Cooney says:

    In the specific use case, yes, it’s a pain. Of course, it’s done regularly. People also set up fake ATMs that are simple skimmers (since we have people setting up real off-brand ATMs every damn place in this country).

    The point here isn’t that it’s a challenge. It’s that a simple device can read your magstrip and duplicate the 2nd factor with relative ease. There’s no verification here – it isn’t like RSA tokens.

  38. violet says:

    @Dylan and @Kemp — I’m not entirely sure, as this particular security, uh, *solution* was around before I got here. But based on more recent experiences, I think anything using encryption is its own special hell. I don’t think they require that keys be regenerated every 60 days, but I think they do want any SSH access to be host-restricted by at least two firewalls that–of course–they control. Either that, or some sort of VPN solution involving a SecurID synchronized code card that would not work even a little for a nightly rsync script.

    We probably could have wrestled with them and come up with some kind of rsync+ssh+keypair solution, but by that point it was just easier to stick it on the public FTP and have done with it.

  39. violet says:

    While I’m at it, another thing that annoys me is sites that have all manner of bizarre security requirements (I’m sorry, your password must contain at least one number; I’m sorry, your password is too similar to the name of a Simpsons character; I’m sorry, your password cannot be a sexually explicit anatomical impossibility) and then require that it be *no longer* than 8 characters. It completely nerfs my standard insecure password and, typically, makes me add another entry into ~/passwords — which, yes, makes me a terrible person.

  40. "(Also, my PIN is 8 digits long. It wouldn’t surprise me if your bank let you set yours similarly.)"

    Surely this would require updating every cash machine in the world?

    One thing that particularly annoys me is mandatory password changes on things I access infrequently enough that I *always* need to change it (eg. ZoneEdit).

  41. Will says:

    It is not that hard to get all the info just see http://www.theregister.co.uk/2010/02/23/card_skimmer_scam/ for one example

  42. Anonymous Coward says:

    Gechurch, skimming isn’t expensive. Skimming front panels often look very realistic and are available on the black market in the low two digit range.

    Here are some photos of skimming fronts:

    http://www.verzijlbergh.com/tag/skimmen

    http://www.folderaar.nl/reclamefolder-blog/niet-storen-skimmers-aan-het-werk

    Here are photos of a skimming front found on a train ticket machine:

    http://web.inter.nl.net/users/p.c.wiegmans/skimapparaat/index.html

  43. Anonymous Coward says:

    Schneier’s paper, while chiding people for giving out security advice based on speculative threats, is itself almost entirely based on speculation. (And there are even a few errors/lies in it.) Furthermore, it ignores or misinterprets important effects, like the fact that you’ve got only one life, or that certain things don’t happen precisely because we do care about security, or that the costs are often borne by the wrong people, or that people in general don’t behave economically rationally in the first place, and there is no reason why they would or should.

    Personally, I’m all for making security as easy as possible, but Schneier’s report does nothing but muddy the waters.
