Passwords are used in FreeSWITCH when phones register, when phones originate a call, when FreeSWITCH registers to external gateways/ITSPs and when administrators authenticate into the FreeSWITCH system via Event Socket (e.g. fs_cli). Most of these areas utilize weak plaintext passwords.
In addition, many users set their passwords to simple easy-to-guess combinations. Worse yet, some don't ever change or set up their voicemail password, leaving the defaults in place.
These passwords are very often targeted and once gained, they are exploited to commit fraud.
Following are some of the mechanisms available to mitigate this.
Registration credentials do not need to be passed or kept on disk in plain text. When defining SIP credentials in your User Directory, instead of including the following line:
<param name="password" value="samiam"/>
replace it with a pre-calculated a1-hash of the password, like the following:
<param name="a1-hash" value...
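The following is an added example, not taken from the FreeSWITCH documentation: it pre-calculates the a1-hash and rewrites directory entries to use it. It assumes the a1-hash is the SIP digest HA1 value (MD5 of `user:realm:password`) and that the realm is the domain the phones register to; `harden_directory`, the sample XML and `example.com` are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET


def a1_hash(user: str, realm: str, password: str) -> str:
    """SIP digest HA1: MD5 of "user:realm:password" as lowercase hex."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def harden_directory(xml_text: str, realm: str) -> str:
    """Replace every plaintext password param with an a1-hash param."""
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        user_id = user.get("id")
        if not user_id:
            # The hash is bound to the user id, so refuse to guess one.
            raise ValueError("user element without an id attribute")
        for param in user.iter("param"):
            if param.get("name") == "password":
                hashed = a1_hash(user_id, realm, param.get("value", ""))
                param.set("name", "a1-hash")
                param.set("value", hashed)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: two users who share the same weak password.
SAMPLE = """<domain name="example.com">
  <user id="1000">
    <params>
      <param name="password" value="samiam"/>
    </params>
  </user>
  <user id="1001">
    <params>
      <param name="password" value="samiam"/>
    </params>
  </user>
</domain>"""

if __name__ == "__main__":
    # Realm is an assumption: the domain the phones register to.
    print(harden_directory(SAMPLE, "example.com"))
```

Because the hash is bound to the user id and realm, renaming a user or changing the domain means recalculating it.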