Your password for chocolate? 71 % choose chocolate.

[Giaguara]

http://www.enterpriseitplanet.com/security/news/article.php/3342871 :

Trade your password for a bar of chocolate? You would probably (and responsibly) decline, but some Londoners took up the offer.

Out of a small sample of 172 office workers that were approached on the street, more than a third (37%) willingly divulged their password when simply asked, according to Infosecurity Europe 2004's organizers. Sadly, a large majority -- a full 71 percent -- forked over the information when bribed with chocolate.

Last year, 90 percent of office workers approached at the Waterloo Station accepted a cheap pen in exchange for their password. 65% of those surveyed did so the year before in 2002.

Indeed while chocolate may prove difficult for those with a sweet tooth, many still fall victim to social engineering, or in this case, a little light prodding minus the candy. Interviewers found that by fishing for the answer, such as implying that it is likely to be someone they know or a favorite sports team, workers broke down and let the secret slip. 34 percent fell for this ploy. The most common passwords, incidentally, were based on the names of loved ones, cars, teams and pets.

The survey also found that 40 percent knew their co-workers passwords, and that 20 percent never change their passwords while 51 do so on a monthly basis.

Disturbingly, many keep their passwords in drawer scribbled on a piece of paper or in easily accessible Word files. Also troubling for its potential to launch both identity theft scams and breaches in corporate network security is the fact that roughly two thirds of those surveyed used the same password for work and personal business.

Luckily, 53 percent said they would never reveal a password over the phone, as opposed to walking up to them in the street and just asking apparently. What would the other 47 percent do? That's something for IT managers to ponder.

So, would you trade your office (work) password for chocolate or other candy if it was your favorite kind of candy?

 

[JetwingX]

No, I am a demi-admin on our school's network. So I really can't (and wouldn't for that matter) but maybe for $50 or more ^^

 

[Cat]

I'd first take the candy and then change my password ...

 

[chevy]

I hope they checked that they received the real passwords....

 

[rbuenger]

Yes, would be interesting to know that. Personally I would never give my password away (ok, maybe for $10.000+ ) as one of my interests ist computer and network security.

But sadly I know that you in most cases don't need to ask for the password. Just ask for their login name would be enough. In my last audit checking a database application over 16% used their login name also as pw. And there even are users with a pw as short as 3 chars.

So as said bevor I'm not giving away my pw's. I also use a different pw for nearly anything thats important. If not (as most users do) any board admin can easily take your password you use at his board and log in to your mailserver or any other service you use. It if one of the services you use is compromised don't give them a chance to log in all the other thinks you registered to.

So if someone asks you don't tell them. And if the just keep asking simply "give up" after a minute and tell a faked pw. BUT don't make the failure to tell them a faked pw like "red" if you real pw is "yellow" It has to a completly different cathegory and length... ::angel::

 

[markceltic]

But sadly I know that you in most cases don't need to ask for the password. Just ask for their login name would be enough. In my last audit checking a database application over 16% used their login name also as pw. And there even are users with a pw as short as 3 chars.

` Absolutely amazing,people could be that lazy when it comes to security for their work.Small wonder there is such a huge market for companies offering security solutions.Why not get your employees to use some common sense for a change!