Study: Employees willing to share passwords with strangers

By Edward Hurley, News Writer 24 Apr 2003 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Companies want user passwords to be strong. Some use software to enforce corporate security policy and ensure that passwords are changed at set intervals and are of sufficient length. But are companies sure their employees won't just give the password out to someone at a subway station?

A recent survey by the organizers of the Infosecurity Europe conference found that 90% of office workers would reveal their passwords to a questioner at Waterloo Station in London. Last year, 65% of those surveyed gave up their passwords.

Now, to be fair, the survey takers did lull the interview subjects into a false sense of security by connecting with them through the social engineering method, which is often the surest way of getting around security measures. The interview subjects got more comfortable as they were asked more questions. So, by the time the password question came, they obliged and told it, said Neil Stinchcombe, public relations director for Infosecurity Europe.

Employees need to understand that keeping their passwords to themselves is critical to their companies' security, Stinchcombe said. "Policy and people drive security," he said. "Technology is in place just to support them."

When it came to revealing their passwords, only 75% initially did. The interviewers were able to get the passwords out of 15% more by asking them to describe something about the password they used.

One interviewee replied, "I am the CEO; I will not give you my password. It could compromise my company's information." But the executive would admit that his password was his daughter's name. When asked for his darling's moniker, the CEO said "Tasmin."

The most popular passwords were people's names (16%), followed by football (or soccer) team names (11%) and birthdays (8%). The most common single password (12%) was -- drumroll, please -- "password"!

These stories may make security professionals laugh a bit, but not for long. Every security person has seen the host of ways end users massacre password policy, from writing passwords down on Post-it notes to forgetting passwords.

Giving up their passwords isn't the only mistake employees make, according to the survey, which was conducted to highlight security issues. Respondents were asked other questions, including:

• Have you ever given your password to a colleague? Two-thirds said that they have given their password to a colleague.
• Do you have any of your colleagues' passwords? Three quarters said they knew their co-workers' passwords.
• Would you download company information if asked to by a friend? About 55% said they would, and 57% said they would tell their friends their password, if asked.
• When you leave your current job, would you bring confidential information with you that would help at your new position? About 85% of men said they would, whereas 75% of women said they would.
• What would you do with a file containing everyone's salary details? Three quarters of those surveyed said they wouldn't be able to resist taking a little peak, but 38% went even further, saying they would pass the information around.
• Have you ever sent around "unsavory pictures" or "dirty jokes"? Here is where a real gender gap was revealed. More than twice as many men (91%) admitted to it, compared with only 40% of women.

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Are passwords passÉ?"

SearchSecurity.com news exclusive: "Testing password strength gives policy some bite"

SearchSecurity.com news exclusive: "Proper password policy is imperative"

Best Web Links on password cracking

• FEEDBACK: How strong is your enterprise's password policy? Would you give up your secret code to someone at a train station?
  Send your feedback to the SearchSecurity.com news team.

Digg This!     StumbleUpon     Del.icio.us