When to Turn On Force PW Change for Bulk-Copied Users

When you use VICIdial's User Bulk Copy, every new account is created with its password set equal to its user number. That is convenient for fast setup and a real security hole if you leave it that way. Force PW Change is the switch that closes it, and deciding when to flip it on is one of the few choices that actually matters on a bulk run.

The problem it solves

Bulk Copy sets the User Number, Password, and Full Name to the same value for each account it creates. So an account numbered 4012 has password 4012 - guessable by anyone who knows the numbering scheme, and call-center numbering schemes are rarely a secret. For a quick description of the create step, see how to bulk-copy a range of users. Force PW Change forces each account to set a new password the first time it signs in, so the default never survives into normal use.

Where it applies

Force PW Change works for admin-level users and is recommended for security reasons. If you are bulk-creating accounts that can reach the admin interface - supervisors, managers, anyone with elevated rights - turn it on without thinking twice. The risk of a default password on an account that can change Campaign settings, pull recordings, or edit other users is far higher than on a plain calling Agent who can only take calls.

How the decision flows

flowchart TD
  A[Bulk Copy a user range] --> B[Password = User Number]
  B --> C{Admin-level accounts?}
  C -->|Yes| D[Enable Force PW Change]
  C -->|No| E[Still recommended]
  D --> F[User resets on first login]
  E --> F
  F --> G[Default password retired]

When to enable it

• Always, for any admin-level batch - this is the exact case the setting is designed for.
• Whenever the new accounts will be handed to real people rather than used as short-lived test logins.
• Whenever your numbering scheme is predictable, which makes the default password easy to guess from the outside.

When you might skip it

If you are bulk-copying throwaway accounts in a lab and will delete them the same day, the forced reset is just friction - it slows down logins you never intended to keep. In that case skip it and clean up afterward; see how to bulk-delete users safely. For anything touching production, leave it on. The few extra seconds each agent spends setting a password are nothing against the cost of a default-password breach.

Pair it with the rest of your hardening

Force PW Change covers the agent-screen login only, which is an important limit to understand. Do not forget the phone side: the registration password on a SIP (Session Initiation Protocol) phone is a separate secret, and a weak one is just as exposed to anyone scanning for open devices on the internet. The same advice applies to IAX2 phones, which carry their own registration secret too. The full set of these utilities is laid out in our VICIdial admin bulk tools guide, and phone secrets are set on the Bulk Phone Insert page. Treat the agent-screen password and the phone registration password as two separate locks on the same door, and set them both before any new account or device ever reaches the public internet.

A managed VICIdial server keeps these defaults sane from the start. See VICIfast pricing for a box that ships secure.