Security Best Practices, Breaking News, & Updates
The good news in this annual survey approach is that folks are more aware of the dangers of password disclosures, as the percentages of folks who would be willing to disclose their password has dropped when compared to prior years. However, I do have a weakness for chocolate People still give passwords for chocolate http://sunbeltblog.blogspot.com/2008/04/people-still-give-passwords-for.html QUOTE: A survey by Infosecurity Europe of 576 office workers have found that women far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password, to strangers masquerading as market researches with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London. This year’s survey results were significantly better than previous years. In 2007 64% of people were prepared to give away their passwords for a chocolate bar, this year it had dropped to just 21% so at last the message is getting through to be more infosecurity savvy. Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.)
Harry, this presumes the respondents are divulging their actual passwords. 15 out of every 10 people like chocolate, and even I would disclose a "password" for a free Cadbury's Fruit & Nut in Dark Chocolate bar.
Follow-up to my earlier comment: BMighty has the following story:
Sweets For The Cheats: Like Passwords For Chocolate
Posted by Keith Ferrell Thursday, Apr 17, 2008, 10:05 AM ET
It's silly -- and sexist -- season again, as a European security conference lets us know, as it does every year, just how easy it is to acquire passwords from workers. Namely, how many passwords can you get in exchange for a bit of chocolate?
Infosecurity Europe 2008, being held April 22-24 in London, offers a "survey" of close to 600 office workers -- cornered outside a tube station -- each asked to fill out a form, which included the request for their password, in exchange for a candy bar.
Breaking this year's news with the (one assumes deliberately) provocative headline, Women 4 times more likely than men to give passwords for chocolate , Infosecurity found this year's results actually dramatically better than previous years.
While "45% of women versus 10% of men [were]prepared to give away their password, to strangers masquerading as market researches [sic] with the lure of a chocolate bar as an incentive for filling in the survey," only 21 percent of the 576 respondents were willing to surrender their password, down from over 60 percent last year.
And that, in turn was down from 2004, when three-quarters of the people "surveyed" were willing to share their passwords.
Whether or not the improvement is a result of better security education -- or just the result of the amount of publicity the password for chocolate survey has received over the years is hard to say.
And of course the bigger problem is password availability that doesn't require a chocolate bar at all. More than half of the respondents to the false survey said they would reveal their password over the phone if the caller claimed to be from the IT department.
I wonder how such a sweet-cheat survey would work here, considering the generally held belief that European chocolate bars are better, and perhaps more pasword persuasive, than American.