Forget sophisticated, AV-disabling network worms masquerading as an e-vite party link from a college friend. Next...
time you want to access someone's computer system without permission, just offer candy.
A recent survey of 172 office workers waiting for commuter trains at a London financial district transit station found a shocking 71% turned over their passwords in exchange for a chocolate Easter egg. Some even gave up the goods for a pen.
"We were really quite shocked at how easy it was to get them to give such sensitive information away," said Neil Stinchcombe, one of the researchers who took part in the third annual survey on office scruples to help promote the upcoming Infosecurity Europe 2004 conference this month in London.
"Slightly more people gave up their passwords last year, but we did it in the West End, which is our theater district," Stinchcombe explained. "These are more security conscious people this year, and still they gave up their passwords so easily."
To be fair, only 37% immediately exchanged confections for the company jewels. Another 34% needed some cajoling, such as the senior bank executive who admitted he had trouble remembering his password, which changed monthly, until he came up with a "foolproof system."
"I use my wife's name and add the current month, so now I never forget what it is."
A little later in the conversation, the executive provided his wife's name.
Others similarly caved to rather unsophisticated social engineering, first admitting their passwords were tied to a favorite sport teams, pet or car and later specifying those favorites.
One researcher asked a call center employee how she remembered the system password, which changed daily. "I don't have a problem remembering it as it is written on the board so that everyone can see it."
Everyone? the stunned researcher asked.
"Yes, although I think they rub it off before the cleaners arrive."
The results, researchers say, demonstrate dangers of password fatigue. The London workers used an average of four passwords daily and, given their line of work, were required to change them as frequently as each day but more typically each month or quarter.
"This survey proves people are still not as aware as they could be about information security," explained Claire Sellick, event director for Infosecurity Europe 2004, in a statement. "Clearly the workers are fed up with having to remember multiple passwords and would be happy to replace them with alternative identification technology, such as biometrics or smartcards."
Indeed, 92% of those surveyed said they'd prefer a finger or iris scan to having to use their brain to access programs or databases.
Lest you think this is just a UK thing, Stinchcombe begs to differ.
"It's a global problem," he asserted. "Anyone who uses Windows has to use passwords. And with the Web, everyone's in the same position if they use online services. What needs to be done is to better educate people so they don't make themselves vulnerable"
To chocolate, at least.