How to set a strong VICIdial phone password
The default VICIdial Registration Password is test, which is a security hole. Here is how to pick a strong one within the allowed character set.
The default Registration Password on a new VICIdial phone is the word test, and leaving it that way is an open invitation to anyone scanning for soft targets. The Registration Password is the secret a phone device uses to connect to your server, so a weak one means an attacker can register a phone against your dialer, place calls on your carrier, and run up a bill in your name. Setting a strong value takes ten seconds and closes that door.
Why test is dangerous
Every fresh phone record starts with the same default secret: test. That is documented behavior, which means it is also the first guess any attacker makes. If your server is reachable and the secret is still test, a rogue softphone can register itself, and once it has registered it can attempt outbound calls. With a SIP (Session Initiation Protocol) phone exposed to the internet, this is one of the most common ways small dialers get hit with fraudulent calls.
What counts as strong
A strong Registration Password has all of these:
- At least 8 characters long.
- A mix of lower-case and upper-case letters.
- At least one number.
Longer is better, up to the field limit. Something like Hk7vQ2mR4t is far harder to guess than test while still fitting every rule.
Stay inside the allowed character set
The field accepts up to 20 characters, and only letters, numbers, dash, and underscore. No spaces, no punctuation like exclamation marks or at-signs, no slashes. If you paste a password manager value full of symbols, it will be rejected or silently break the entry that VICIdial writes into the conf file. Stick to letters, digits, dash, and underscore and you stay safe. The flow below shows how to decide on a value.
flowchart TD
A[Pick a candidate password] --> B{8 or more characters}
B -->|No| A
B -->|Yes| C{Upper and lower case plus a number}
C -->|No| A
C -->|Yes| D{Only letters digits dash underscore}
D -->|No| A
D -->|Yes| E[Save it as the Registration Password]
Walk a candidate through the gates. If it fails any one of length, mix, or character set, go back and adjust. Only a value that clears all three is worth saving.
Use a different secret on every phone
One more habit makes a big difference: do not reuse the same Registration Password across all your phones. If every device shares one secret and that secret leaks, every phone on the server is exposed at once. Give each phone its own value. It is a little more to track, but it limits the blast radius if a single device or its config is ever compromised. A password manager entry per phone, recording the extension and its secret, keeps this manageable even at a few dozen phones.
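The three gates and the one-secret-per-phone rule can be checked mechanically. The Python below is an added example, not code from VICIdial or from this post's authors: the function names and the sample inventory are constructed for illustration, and it assumes you already hold a mapping of extension to Registration Password (for instance from your password manager).

```python
import re
import secrets
import string
from collections import Counter

ALLOWED = string.ascii_letters + string.digits + "-_"  # the field's character set
MIN_LEN, MAX_LEN = 8, 20                               # strength floor, field limit

def check_password(pw):
    """Return the gates a candidate fails; an empty list means it passes."""
    problems = []
    if pw == "test":
        problems.append("default value")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length must be 8 to 20 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("needs upper case, lower case and a number")
    if not re.fullmatch(r"[A-Za-z0-9_-]*", pw):
        problems.append("character outside letters, digits, dash, underscore")
    return problems

def generate_password(length=MAX_LEN):
    """Draw from the OS CSPRNG until the value clears every gate."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 8 to 20")
    while True:
        pw = "".join(secrets.choice(ALLOWED) for _ in range(length))
        if not check_password(pw):
            return pw

def audit(phones):
    """Map extension -> problems, including secrets shared between phones."""
    counts = Counter(phones.values())
    report = {}
    for ext, pw in phones.items():
        problems = check_password(pw)
        if counts[pw] > 1:
            problems.append("reused on another phone")
        if problems:
            report[ext] = problems
    return report

# Constructed inventory (extension -> Registration Password), not real data.
SAMPLE = {"8001": "test", "8002": "Hk7vQ2mR4t", "8003": "P@ssw0rd!x",
          "8004": "Zq4-mT9_wLx2", "8005": "Zq4-mT9_wLx2"}

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("replacement:", generate_password())
```

Any extension that shows up in the audit output gets a fresh value from `generate_password()`, which then has to be set both on the Modify Phone screen and on the device.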
Setting it
Open the phone on the Modify Phone screen, put your strong value in the Registration Password field, and save. VICIdial regenerates the conf entry within a minute. Then update the same secret on the device side so phone registration still succeeds. If you skip the device side, the phone will fail to register until both values match again. If you are unsure which field this even is, the article on what the registration password is lays out exactly where it lives, and the phones pillar guide shows the whole record around it.
VICIfast provisions hardened VICIdial servers in under 40 seconds with secure defaults baked in, so you are not relying on remembering to change test on every phone. See our pricing for what each plan covers.
About VICIfast LLC
VICIfast LLC operates a managed VICIdial hosting + BYOI service for outbound and inbound call centers. We run the dialers, the carriers, the recordings pipeline, and the compliance plumbing so operators don’t have to.
Citing this article
VICIfast Engineering. “How to set a strong VICIdial phone password”. VICIfast LLC, June 26, 2026. Retrieved from https://vicifast.com/blog/how-to-set-a-strong-vicidial-phone-password