Password Policy - Phishing Prevention

MitMMitM Member Posts: 622 ■■■■□□□□□□
One way I've seen as an attempt to combat phishing is to have a password management policy that requires employees to enter a bad password when they are prompted to login from a link that they clicked in email.

The thinking is a legitimate site will not accept a bad password but a phishing site would

Any thoughts on this? Is a good/realistic idea

Comments

  • UnixGuyUnixGuy Mod Posts: 4,564 Mod
    How would the phishing victim know that they are on a malicious link? The reason they give away their passwords is because they think they're browsing a legitimate link.

    2-Factor authentication, and a continuous education & awareness program are the only two effective remedies that I know of. 
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE 


  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    That's exactly the point, they wouldn't.  That's why the policy would require them to always enter a false password, any time that they are prompted to login after clicking a link from an email
  • Jon_CiscoJon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    My biggest concern with this is it might encourage them to click a link in the first place. I would not want to encourage users to click any links or provide any input but I do think it's an interesting idea.
  • scaredoftestsscaredoftests Mod Posts: 2,780 Mod
    Agreed. And some people, even though they are told repeatedly NOT to click any link, will then do so after doing the above..
    Never let your fear decide your fate....
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    I agree. It is an interesting idea though. I think it is more useful as a tip, instead of a policy

    I also agree with @UnixGuy comments regarding 2FA and continuous  education + awareness
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    @MitM - usually what I recommend is that if an end-user gets an email with a link in it claiming to be from a site that the end-user accesses or has an account; instead of clicking on the link, it's better to just open a browser and enter the website that's known to the end-user.

  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    @paul78 agreed. This is what I do too
  • tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    We train our users not to click on links right away. First, hover over them to show the actual link. Then, key it in manually. And if they are not sure, they can always forward the email as an attachment to us to check out first. We have a really security-savvy group of users.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    tedjames said:
    We train our users not to click on links right away. First, hover over them to show the actual link. Then, key it in manually. And if they are not sure, they can always forward the email as an attachment to us to check out first. We have a really security-savvy group of users.
    The "key it in manually" step is really key. :D(pun intended) Many people don't understand how multibyte unicode IDN's can be abused.
  • Johnhe0414Johnhe0414 Registered Users Posts: 191 ■■■■■□□□□□
    Education and training - we use a web blast for continuous tips and warnings throughout the week.
    Current: Network+ | Project+ 
    Working on: PMP
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    tedjames said:
    We train our users not to click on links right away. First, hover over them to show the actual link. Then, key it in manually. And if they are not sure, they can always forward the email as an attachment to us to check out first. We have a really security-savvy group of users.
    100% agree.  This is the one thing I hate about O365 ATP Safe Links. It rewrites the URL
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    edited November 2018
    100% agree.  This is the one thing I hate about O365 ATP Safe Links. It rewrites the URL

    Just my 2 cents - but I find it preferable to use O365 ATP vs url inspection. I'm not a fan of having end-users inspect the URL and then clicking on the link because most end-users are not able to detect a malicious URL - and even a sophisticated user can be fooled with an IDN. I rather that the end-user simply access the site that they believe is attempting to send them an email.

    BTW - the latest version of Outlook decodes the ATP URL and displays the actual original URL. Perhaps you haven't patched >:) <just kidding>

  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    paul78 said:
    100% agree.  This is the one thing I hate about O365 ATP Safe Links. It rewrites the URL
    BTW - the latest version of Outlook decodes the ATP URL and displays the actual original URL. Perhaps you haven't patched >:) <just kidding>

    hmmmm What version? I'm running 1803 (Build 9126.2295). When you hover the link, it shows

    na01.safelinks.protection.outlook.com/?URL=<somewhat of the actual link>
  • UnixGuyUnixGuy Mod Posts: 4,564 Mod
    MitM said:
    That's exactly the point, they wouldn't.  That's why the policy would require them to always enter a false password, any time that they are prompted to login after clicking a link from an email
    so what happenes when they click on a malicious link, it asks them for a password, they enter a false password..malicious link responds with 'failed login', then they enter correct password..malicious link responds with 'failed login' again...I don't see how it'll prevent the passwords from being stolen
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube channel: https://youtu.be/DRJic8vCodE 


  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    UnixGuy said:
    MitM said:
    That's exactly the point, they wouldn't.  That's why the policy would require them to always enter a false password, any time that they are prompted to login after clicking a link from an email
    so what happenes when they click on a malicious link, it asks them for a password, they enter a false password..malicious link responds with 'failed login', then they enter correct password..malicious link responds with 'failed login' again...I don't see how it'll prevent the passwords from being stolen
    Valid point. I don't know. I didn't come up with the idea, was just something I came across :smile:
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    edited November 2018
    hmmmm What version? I'm running 1803 (Build 9126.2295). When you hover the link, it shows

    na01.safelinks.protection.outlook.com/?URL=<somewhat of the actual link>

    I'm running 1811 (Build 110029.20079). We enable Targeted releases.

    I just poked around and I see the same behavior but rarely. I notice that the original URL is NOT displayed only if the HTML uses nested tables. 

  • yoba222yoba222 Member Posts: 1,237 ■■■■■■■■□□
    Malicious websites can infect end-users by simply visiting the site--no interaction needed. Encouraging end users to visit a potentially malicious website is a bad idea.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    yoba222 said:
    Malicious websites can infect end-users by simply visiting the site--no interaction needed. Encouraging end users to visit a potentially malicious website is a bad idea.
    I agree but this was not about encouraging end users to visit a potentially malicious site.  This is strictly a policy that states IF an end user clicks a hyperlink from email and is prompted to login, they MUST first enter a bad password.

    While an interesting thought, I don't see it as practical
  • LionelTeoLionelTeo Member Posts: 526 ■■■■■■■□□□
    How is it entering a bad password going to help against a phishing site that would always prompt incorrect username or password? Also, is this policy enforce in its technological control? What about employee simply choose to enter their correct password on first login.
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    LionelTeo said:
    How is it entering a bad password going to help against a phishing site that would always prompt incorrect username or password? Also, is this policy enforce in its technological control? What about employee simply choose to enter their correct password on first login.
    It wouldn't.  I'm not sure how successful this is (or could be). It was mentioned at some event I was at
Sign In or Register to comment.