Simple Password Tips for the SMB

Paul Mah

I read with some fascination about how researchers from the University of California gained access to the command-and-control network of the Torpig botnet. The researchers monitored the botnet over a period of 10 days, and saw how the hackers in control of it plundered some 70 GB of personal and financial data from the 180,000 bots - or infected computers.


The Torpig malware packs some chilling capabilities. According to the article:


[Torpig] can pilfer user names and passwords from e-mail clients such as Outlook, Thunderbird and Eudora while also collecting e-mail addresses in those programs for use by spammers. It can also collect passwords from Web browsers.


In addition:

Torpig/Sinowal is customized to grab data when a person visits certain online banking and other Web sites. It is coded to respond to more than 300 Web sites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank.


I'll refrain from going into the details and leave the security-centric stuff to Ralph DeFrangesco over at his wonderful security blog. The reason I brought this story up is because I think that small and medium-sized businesses can glean a couple of lessons from how Torpig works, especially pertaining to the topic of passwords.


Here are three simple recommendations for better password management for the SMB.


Enforce regular changing of passwords


The reason for this is pretty straightforward. Enforcing a regular password change limits the damage from system passwords that have been compromised without anyone noticing. However you look at it, keeping the same password ad infinitum can only increase the risk of it being cracked or compromised.


It is typically easy to enforce the regular changing of passwords as many applications or operating systems, such as Microsoft's Windows Server, already have such capabilities built in. You can also use the Sample Password Policy in the Knowledge Network.


Discourage staff from using the same password everywhere


Most people simply memorize one or two passwords and then use them anywhere and everywhere. As such, all it takes is one stolen password, plus some data mining or guesswork, for an attacker to turn a stolen Gmail password into access to your CMS or ERP system. This exposure disappears if staff are educated on the importance of using unique passwords for different systems. For more help, see Protecting Your Passwords in the Knowledge Network.


The fact is, this tip is the hardest to enforce, yet the cheapest to implement - it costs nothing.


Where possible, implement dual-factor authentication


Dual-factor authentication relies on the physical possession of a key that is needed on top of the usual password for authentication. This typically comes in the form of a hardware token that generates a constantly changing secondary password. While this can certainly defeat the password sniffing shenanigans of the Torpig malware, such a solution can also be expensive or beyond the expertise of some SMBs.
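As an added example (not from the post or the article it quotes), here is the arithmetic behind such a token: an RFC 6238 time-based one-time code computed from a shared secret and the clock, plus a hypothetical server-side verifier that rejects replayed codes, which is why a code captured by a keylogger does an attacker little good. The secret and expected codes are the RFC 6238 test vectors; the TotpVerifier class and its drift window are assumptions of this example.

```python
import hmac
import hashlib
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). In a real
# deployment the secret is provisioned into the token and stored server-side.
TEST_SECRET = b"12345678901234567890"
STEP = 30    # seconds per time step (the token's refresh interval)
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock, which is
    what the token display and the server both compute independently."""
    return hotp(secret, unix_time // step)

class TotpVerifier:
    """Server-side check (hypothetical design for this example): accept the
    current step plus one step either side for clock drift, and never accept
    a step at or before the last one used. A code captured by a keylogger is
    therefore useless once it has been used or has aged out of the window."""

    def __init__(self, secret: bytes, step: int = STEP, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_step_used = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for cand in range(current - self.drift, current + self.drift + 1):
            if cand <= self.last_step_used:
                continue  # replay of an already-used (or older) code
            if hmac.compare_digest(hotp(self.secret, cand), code):
                self.last_step_used = cand
                return True
        return False

if __name__ == "__main__":
    print(totp(TEST_SECRET, 59))  # RFC 6238 vector, 6 digits: 287082
```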


Absolute security is but an ideal. Obviously, I am certainly not saying that being infected with malware is even remotely acceptable. However, observing the simple password tips above would certainly help to minimize the impact of security breaches for the SMB.

May 14, 2009 6:57 AM b allen says:

I would be careful with recommending unique passwords for different systems, as this can lead to users writing them down.  Users generally use lots of systems, websites and services that require a password for authentication; it is simply not feasible to ask them to remember them all.  The risks can therefore be made greater by such a recommendation if there are no other moderating controls in place, e.g. utilising the network userID and password for authentication to access applications within the office. 

Single sign-on systems can assist, but they too have their drawbacks, although they offer many advantages.  Systems to enable users to reset their own passwords/issue new ones are also of great assistance and can take away/reduce the need for a help desk/administrator to have to deal with password reset requests.

Jun 22, 2009 12:23 PM Paul Mah says: in response to b allen

Dear Bev,

I wanted to reply to your comment earlier, but it just slipped my mind somehow.

I agree that compelling users to use different passwords on various systems risks them forgetting the passwords, or just writing them down. Perhaps a balance could be achieved by using a company-wide authentication system (Active Directory) and training staff not to use those passwords with external sites.


Paul Mah.

Nov 7, 2009 4:30 AM Gary Hinson says: in response to Paul Mah

What makes you think regularly changing passwords makes them more secure?  I'd happily settle for users choosing a long, strong password and using it "forever" ... but not, as you warn, for all their accesses - rather to unlock a suitable password vault program which securely stores the real access passwords (again, long and strong, unique for every access and stored under strong encryption).

A strong password or pass phrase to unlock the vault becomes easier to remember and quicker to type through constant practice if it is NOT changed frequently. 

Sorry Paul, you're way behind the curve on this.

