Zoom has changed some meeting defaults to make its group calls, webinars, classes etc. a bit more secure from intruders. There’s more a Zoom host should do to protect their meetings, classes and calls.
Two default settings have changed. Passwords must be set for all meetings and the Waiting Room is now on by default.
The password requirement is good but doesn’t go far enough; we’ll explain why and what to do. Waiting Room is a good idea for larger groups when it’s hard to keep track of who is in the meeting or class.
Basic (free) accounts must now set a password for all meetings. The same applies to accounts with a single licensed user.
That’s important because free accounts have a single, unchanging Personal Meeting ID. Anyone who finds that ID can join a non-passworded future meeting.
Hackers and intruders are just trying random meeting IDs (a nine-digit code) until they find a live and unprotected meeting to join, or sharing meeting IDs found online.
For meetings already scheduled with a PMI (Personal Meeting ID) you’ll need to either share the new password directly or send a new meeting link (which has an encrypted password included). That also applies to meetings shared via calendar integration.
Update the password regularly
We suggest a step beyond Zoom’s new settings.
Zoom’s change only goes part way to securing a meeting. They are not requiring the meeting password to be changed.
The password can and should be changed for each meeting or at least on a regular basis (every few days).
If the meeting ID and password don’t change, an intruder could access future meetings with the same settings.
Password setting forced on
Some Zoom password settings were on by default but hosts could disable them. Now these options are forced on at all times (for free/Basic and single user accounts).
- Require a password when scheduling new meetings / webinars
- Require a password for instant meetings
- Require password for participants joining by phone
One click join
Meeting invitations can be sent as links with an encrypted version of the password, what Zoom calls ‘One-Click Join’.
The link doesn’t disclose the password, just a scrambled version of it. If an intruder gets the link, they can access any meeting using the same meeting ID and password. That’s one reason why we recommend changing the meeting password and resending meeting links.
The password inclusion option can be turned off at Settings | Meetings | Embed password in meeting link for one-click join.
Turning this option off means you’ll have to give the password to participants separately, which is time-consuming and might cause connection hassles.
Perhaps the compromise is to continue using one-click join but change the password regularly. That will stop unwanted people using a meeting link to access later meetings with the same meeting ID and password combination.
The other change is that the Waiting Room is now enabled by default.
Waiting Room means participants can’t just drop into a meeting; they have to be allowed in, either individually or as a group, after they’ve used the meeting ID and password to gain access.
It’s an extra admin step for the host but worth it to make sure you know exactly who is joining a meeting, class, webinar etc.
Settings | Meetings | In Meeting (Advanced) | Waiting Room lets you turn it on / off.
Waiting Room makes sense for larger meetings and classes (maybe 5 or 10 plus) when it can be hard to monitor everyone participating and an intruder might hide in the crowd.