Phishing Attacks Underscore Importance of Protecting E-mail Passwords

Paul Mah

You might have read about the Hotmail phishing news a few weeks back, in which more than 10,000 Hotmail passwords obtained by phishing were posted on an open forum. Of course, falling victim to a phishing attempt would be less of a problem if you have followed the guidelines I gave in "Simple Password Tips for the SMB," where I advocated that small and medium businesses should discourage staff from using the same password everywhere.


Amid the media furor related to the compromise of such a large number of accounts, however, is the potential impact on other aspects of the victims' online lives.


Paul Wood, MessageLabs Intelligence senior analyst for Symantec, summed up the problem in an e-mail:

A user's unique e-mail address is often used to authenticate a number of Web sites, including social-networking sites and instant messaging on a public instant messaging network.

Wood also gave the following advice:

If your e-mail address has been compromised, not only should you change the password there, you should also change it on any other site that uses that e-mail address as a login ID.

Based on the new lessons gleaned from this saga, below are some steps that SMBs can take today to better protect themselves.


Use CAPTCHA for Web Logins or Automatic Lockouts

The original story involves the use of phishing, aka trickery, to get users to voluntarily enter their passwords at fake sites. Even if different passwords were used, the issue does put a spotlight on the importance of e-mail accounts, which are increasingly used to validate account creation for many online services or as a password retrieval destination.


To underscore this point, MessageLabs Intelligence noted that it is aware of an increase in the number of "brute-force" password-breaking attempts, in which dictionary attacks are mounted against online Webmail accounts or POP3 accounts.


From an SMB perspective, any Webmail access should be reinforced with a good CAPTCHA verification to deter brute-force attacks conducted using computer software. Other access methods such as POP or IMAP should either be heavily throttled to a limited number of login attempts per minute or protected by automatic lockouts after a predetermined number of failed attempts.
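As an added illustration (not code from the article or from MessageLabs), here is one way to implement the two POP/IMAP controls described above, a cap on login attempts per rolling minute plus an automatic lockout after a fixed number of consecutive failures. The policy numbers are assumed, and the `simulate` helper replays a constructed sequence of failed logins against the guard.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginPolicy:
    """Throttle and lockout settings for POP3/IMAP authentication (assumed values)."""
    max_attempts_per_minute: int = 5   # attempts allowed per rolling 60 s window
    lockout_after_failures: int = 10   # consecutive failures that trigger a lockout
    lockout_seconds: int = 900         # how long the account stays locked


@dataclass
class AccountState:
    attempts: deque = field(default_factory=deque)  # timestamps of recent attempts
    consecutive_failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, policy: LoginPolicy):
        self.policy = policy
        self.state = {}  # account name -> AccountState

    def check(self, user: str, now: float) -> str:
        """Decide before verifying the password: 'allow', 'throttled' or 'locked'."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        while st.attempts and now - st.attempts[0] >= 60:  # expire old attempts
            st.attempts.popleft()
        if len(st.attempts) >= self.policy.max_attempts_per_minute:
            return "throttled"
        st.attempts.append(now)
        return "allow"

    def record_result(self, user: str, success: bool, now: float) -> None:
        """Feed back the password check; a success clears the failure counter."""
        st = self.state.setdefault(user, AccountState())
        if success:
            st.consecutive_failures = 0
            return
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.policy.lockout_after_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.consecutive_failures = 0


def simulate(guard: LoginGuard, user: str, n: int, spacing: float) -> list:
    """Constructed scenario: n failed logins `spacing` seconds apart; returns the verdicts."""
    verdicts = []
    for i in range(n):
        t = i * spacing
        verdict = guard.check(user, t)
        if verdict == "allow":
            guard.record_result(user, False, t)
        verdicts.append(verdict)
    return verdicts
```

A burst of eight attempts one second apart is cut off by the throttle after five, while a slower run that stays under the per-minute cap is stopped by the lockout after ten failures.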


Use Different Passwords for Corporate Accounts

When I suggested discouraging staff from using the same password earlier, IT Business Edge reader Bev cautioned against unique passwords for different systems, making the point that having to remember more passwords "can lead to users writing them down." While I feel that good password management is still the best guard against system compromise, a middle ground here might be to caution staffers against reusing, for company accounts, the passwords they use on personal accounts.


Obviously, there is no ethical or easy way to enforce such a directive. Such emphasis will have to take place through continued user education and constant reminders.


What additional steps would you recommend to ensure good security beyond the couple of pointers suggested above? Feel free to leave a note below.

Oct 19, 2009 2:21 PM Chris says:

I created my website as a public service to the Internet Community to collect email addresses of those who defraud us. You can submit, search and view email addresses of suspected online fraud artists anonymously at http://www.suspectedscammers.com. Please join me in making the Internet a better place.

Oct 20, 2009 10:57 AM Markus Oslund says:

Hi, since it is inevitable to use different passwords for each account AND change the passwords after some time period (let's say at least after half a year), it is not possible for me to remember all the passwords, since I have different mail addresses and accounts. So I've decided to choose a password management tool, which will help me. One of the best I've tried is Sticky Password. It includes a strong password generator, all accounts are encrypted and stored in a secure place on your PC. They also provide a portable version. Lovely.


Oct 20, 2009 11:34 AM Bob Jones says:

I'm not a fan of 'password safes' to store all my passwords. I much prefer using a tool like Deadbolt Password Generator. It's online so I can access it anywhere, and I don't have to worry about someone hacking into my safe.