There are more and more options for synchronization of passwords between Notes, HTTP, LDAP and/or Active Directory environments. As you may know one form of “phishing” attack is one in which a seemingly authentic email is sent to a user requesting that a password and other user information be sent back to the sender. The sender then takes that information and utilizes the userid/password information to authenticate to user accounts and send out spam (in the best of cases). If a user replies with credit card information, well then of course…it’s a shopping spree!
After a recent phishing attack in which some of our users responded with their LDAP passwords, it occurred to me that it was a really good thing that we don’t synchronize our Notes.id passwords with our LDAP passwords. Those individuals who responded were primarily IMAP or web users. And the Notes client users remained off the radar screen of the phisher (at least for now!).
Of course as phishing attacks become more sophisticated this could change. But I was imagining a situation where the Notes.id password and Windows authentication password were synchronized, and the phisher was able to obtain access to the individual’s workstation. Is the decision to set up password synchronization for the sake of single sign-on or for simplifying processes for a user’s sake justified? Or maybe I’m over simplifying the whole process and giving a phisher too much credit?
Perhaps the message here is to err on the side of caution, and confirm that additional key structures, authentication services, and firewalls are in place. Of course there is the little security nightmare with users using the same password anyway across most system or having it written conveniently somewhere on a Post-it® note! So, don’t assume that a password is secure enough to protect users from themselves and a little phish.