You might have read about the Hotmail phishing news a few weeks back, in which more than 10,000 Hotmail passwords obtained by phishing were posted on an open forum. Of course, falling victim to a phishing attempt would be less of a problem if you had followed the guidelines I gave in "Simple Password Tips for the SMB," where I advocated that small and medium businesses discourage staff from using the same password everywhere.
Lost amid the media furor over the compromise of so many accounts, however, is the potential impact on other aspects of the victims' online lives.
Paul Wood, MessageLabs Intelligence senior analyst for Symantec, summed up the problem in an e-mail:
A user's unique e-mail address is often used to authenticate to a number of Web sites, including social-networking sites and instant messaging on a public instant messaging network.
Wood also gave the following advice:
If your e-mail address has been compromised, not only should you change the password there, you should also change it on any other site that uses that e-mail address as a login ID.
Based on the new lessons gleaned from this saga, below are some steps that SMBs can take today to better protect themselves.
Use CAPTCHA for Web Logins or Automatic Lockouts
The original story involves the use of phishing, that is, trickery, to get users to voluntarily enter their passwords at fake sites. Even where victims used different passwords elsewhere, the incident puts a spotlight on the importance of e-mail accounts, which are increasingly used to validate account creation for many online services or as the destination for password-reset messages. Whoever controls the mailbox can request a reset on those services and read the reply.
To underscore this point, MessageLabs Intelligence noted that it is aware of an increase in the number of "brute-force" password-breaking attempts, in which dictionary attacks are mounted against online Webmail accounts or POP3 accounts.
From an SMB perspective, any Webmail login should be reinforced with a good CAPTCHA to deter brute-force attacks run by software; showing it only after a few failed attempts keeps the cost to legitimate users low. Other access methods such as POP or IMAP cannot present a CAPTCHA, so they should either be throttled to a limited number of login attempts per minute per source, or protected by an automatic lockout after a predetermined number of failed attempts. Keep lockouts temporary: an attacker who knows a user's address can otherwise lock that user out of his own mailbox at will.
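As an added illustration of these three controls, the Python below is example code written for this article's point, not anything from MessageLabs or any mail product. It implements a per-source rate limit, a CAPTCHA gate for the Webmail form and a temporary per-account lockout that also covers POP3/IMAP, then replays a constructed dictionary attack against one mailbox. The thresholds, IP addresses, account name and guess list are all assumed example values.

```python
"""Brute-force guard for a mail login front end (illustrative example, not production code).

Three controls: a per-source rate limit, a CAPTCHA gate on the webmail form after a
few failures, and a temporary per-account lockout that also protects POP3/IMAP, where
no CAPTCHA can be shown.
"""
import time
from collections import defaultdict, deque

# Thresholds are assumed example values; tune them to your own traffic.
MAX_ATTEMPTS_PER_MINUTE = 10   # per source IP, across all accounts
CAPTCHA_AFTER_FAILURES = 3     # consecutive failures on one account (webmail only)
LOCKOUT_AFTER_FAILURES = 10    # consecutive failures on one account (all protocols)
LOCKOUT_SECONDS = 15 * 60      # keep short: a lockout is also a denial-of-service lever


class LoginGuard:
    """Call check() before the password is verified and record() afterwards."""

    def __init__(self, now=time.time):
        self._now = now                           # clock, injectable for tests
        self._ip_attempts = defaultdict(deque)    # ip -> attempt timestamps in the last 60 s
        self._failures = defaultdict(int)         # account -> consecutive failures
        self._locked_until = {}                   # account -> time the lock expires

    def check(self, ip, account, interactive, captcha_ok=False):
        """Return 'allow', 'captcha', 'throttled' or 'locked'.

        interactive=True for the webmail form (a CAPTCHA can be shown);
        False for POP3/IMAP, where only throttling and lockout apply."""
        now = self._now()
        window = self._ip_attempts[ip]
        while window and now - window[0] > 60:    # drop attempts older than one minute
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_MINUTE:
            return "throttled"
        window.append(now)                        # every attempt counts, even one refused below

        until = self._locked_until.get(account)
        if until is not None:
            if until > now:
                return "locked"
            del self._locked_until[account]       # lock expired: start counting afresh
            self._failures.pop(account, None)

        if interactive and self._failures[account] >= CAPTCHA_AFTER_FAILURES and not captcha_ok:
            return "captcha"
        return "allow"

    def record(self, account, success):
        """Update the per-account failure count with the password-check outcome."""
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= LOCKOUT_AFTER_FAILURES:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS


class FakeClock:
    """Deterministic clock so the scenarios below run instantly and offline."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


# Constructed guess list, the kind of thing a dictionary attack starts with.
GUESSES = ["123456", "password", "qwerty", "letmein", "hotmail", "iloveyou",
           "monkey", "abc123", "111111", "welcome", "dragon", "football",
           "baseball", "sunshine", "princess"]


def simulate_dictionary_attack(guesses, spacing, interactive,
                               account="victim@example.com", attacker_ip="203.0.113.7"):
    """Replay a constructed dictionary attack (one guess every `spacing` seconds) and
    return (guard, clock, decisions). The real password is never among the guesses."""
    clock = FakeClock()
    guard = LoginGuard(now=clock)
    decisions = []
    for _guess in guesses:
        decision = guard.check(attacker_ip, account, interactive)
        decisions.append(decision)
        if decision == "allow":
            guard.record(account, success=False)   # wrong password every time
        clock.advance(spacing)
    return guard, clock, decisions


def owner_during_and_after_lockout(account="victim@example.com", owner_ip="198.51.100.5"):
    """The caveat: while the attacker-triggered lockout stands, the real owner is refused
    too, even from a different address; once it expires, the owner may log in again."""
    guard, clock, _ = simulate_dictionary_attack(GUESSES, 7, False, account=account)
    during = guard.check(owner_ip, account, interactive=True)
    clock.advance(LOCKOUT_SECONDS + 1)
    after = guard.check(owner_ip, account, interactive=True)
    return during, after


if __name__ == "__main__":
    for label, spacing, interactive in [("POP3, one guess every 7 s", 7, False),
                                        ("webmail, one guess every 7 s", 7, True),
                                        ("webmail, two guesses a second", 0.5, True)]:
        _, _, decisions = simulate_dictionary_attack(GUESSES, spacing, interactive)
        print(f"{label:32} {' '.join(decisions)}")
    print("owner during/after lockout:", owner_during_and_after_lockout())
```

Run stand-alone, the slow POP3 attack gets ten guesses before the account locks, the webmail attack hits the CAPTCHA after three, and the rapid-fire attack is throttled by source address once it has made ten attempts in a minute. The last line shows why the lockout window is kept short: until it expires the mailbox's owner is locked out as well.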
Use Different Passwords for Corporate Accounts
When I suggested earlier that staff be discouraged from using the same password everywhere, IT Business Edge reader Bev cautioned against unique passwords for every system, making the point that having to remember more passwords "can lead to users writing them down." While I feel that good password management is still the best guard against system compromise, a middle ground might be to caution staffers against reusing on company accounts any password they also use on personal accounts.
Obviously, there is no ethical or easy way to enforce such a directive: the company cannot see what passwords its staff use on outside sites. The point will have to be made through continued user education and constant reminders.
What additional steps would you recommend to ensure good security beyond the couple of pointers suggested above? Feel free to leave a note below.