Tilted Forum Project Discussion Community (https://thetfp.com/tfp/)
-   General Discussion (https://thetfp.com/tfp/general-discussion/)
-   -   Biggest hole in network security (https://thetfp.com/tfp/general-discussion/1394-biggest-hole-network-security.html)

meanSpleen 04-20-2003 11:58 AM

Give Me Your Password
 
Well well well, looks like the idea of protecting your password can be defeated by free handouts. How free? How about a cheap pen.

From http://www.theregister.co.uk/content/55/30324.html

"Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today.

The second annual survey into office scruples, conducted by the people organising this month's InfoSecurity Europe 2003 conference, found that office workers have learnt very little about IT security in the past year.

If anything, people are even more lax about security than they were a year ago, the survey found.

Nine in ten (90 per cent) of office workers at London's Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.

Men were slightly more likely to reveal their password with 95 per cent of blokes, compared to 85 per cent of women quizzed, prepared to hand over their password on request.

The survey also found the majority of workers (80 per cent) would take confidential information with them when they change jobs and would not keep salary details confidential if they came across them.

If workers came across a file containing everyone's salary details, 75 per cent of workers thought they would be unable to resist looking at it, again up from 61 per cent in 2002. A further 38 per cent said they would also pass the information around the office.

Naughty.

The survey was undertaken by the organisers of Infosecurity Europe 2003 in a quest to find out how security conscious workers are with company information stored on computers.

Workers were asked a series of questions which included: What is your password? Three in four (75 per cent) of people immediately gave their password.

If they initially refused they were asked which category their password fell into and then asked a further question to find out the password.

A further 15 percent were then prepared to give over their passwords, after the most rudimentary of social engineering tricks were applied.

One interviewee said, "I am the CEO, I will not give you my password it could compromise my company's information".

A good start, but then the company boss blew it. He later said that his password was his daughter's name.

What is your daughter's name, the interviewer cheekily asked.

He replied without thinking: "Tasmin".

D'oh.

Of the 152 office workers surveyed many explained the origin of their passwords.

The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).

Two thirds of workers have given their password to a colleague (the same as last year) and three quarters knew their co-workers' passwords.

In addition to using their password to gain access to their company information two thirds of workers use the same password for everything, including their personal banking, Web site access, etc.

This makes them more vulnerable to financial fraud, personal data loss or even identity theft, the InfoSecurity team point out.

Meanwhile two thirds of workers admitted they had emailed colleagues illicit, unsavoury pictures or "dirty jokes", up slightly from 62 per cent in 2002. Men were twice as likely to indulge in this activity with 91 per cent of men sending unsavoury emails compared to only 40 per cent of women.

InfoSecurity's organisers say this behaviour could expose their employer to expensive litigation for sexual discrimination, low morale and even be viewed as allowing bullying.

Tamar Beck, Director of InfoSecurity Europe 2003, said: "Employees are sometimes just naïve, poorly trained or are not made aware of the security risk. Employers therefore need to create a culture of protecting their information and reputation with policies on information security backed up with training to support the security technology"."

Lebell 04-20-2003 12:17 PM

Hehe,

Really, if you offered me a pen for a password, I would give you one, it just wouldn't be the real one. I'm a security freak on networks and my passwords reflect that, with mixed case, numeric and non-numeric characters.

But I'll tell you what,

I'll give you all my list of password hints:


My WindowsXP Admin account: Mom's state
My Hotmail: My State
My TFP password: Arfcom Modified


There Ya go! Have fun Crackers!

richeee 04-20-2003 12:24 PM

Quote:

Originally posted by Lebell

My WindowsXP Admin account: Mom's state
My Hotmail: My State
My TFP password: Arfcom Modified

There Ya go! Have fun Crackers!

California
Colorado
Marcof

Johnny Rotten 04-20-2003 12:32 PM

Sure, I'll be glad to take a pen from you in exchange for what I claim is a password.

Lebell 04-20-2003 12:36 PM

Quote:

Originally posted by richeee
California
Colorado
Marcof

Hehe,

Did you really think it would be that easy?

cdwonderful 04-20-2003 12:52 PM

I would give it out and just change my password. You are supposed to change it periodically anyway right?

Xixox 04-20-2003 12:53 PM

Seriously, people are dumb like that sometimes.

I had to set up a cow-orker's pc at work with network access to one of our drives. I asked him what his login for Win2k was, and he gave me login and password.

This is the day before April 1st, mind.

The next day he came in to find his mouse swapped to left-handed, oriented so that up = right, and set to super-mega-slow speed.

I could have done oh so much more, but it wasn't worth losing my job over. I think at least he is a little more educated about security now, though.

spectre 04-20-2003 04:11 PM

This isn't surprising, but it's very disturbing that people don't take basic security seriously. All of my passwords are a mix of letters (upper and lower case) and numbers chosen randomly.

reconmike 04-20-2003 04:16 PM

ok if you insist,
mine is whatthehellstinksinhere I know kinda long but I don't think anyone will figure it out

Downtownat10 04-20-2003 04:18 PM

Well, for me it all depends. For some of my nonsense items that require passwords, like hotmail accounts and so forth, I just use something basic, so I will always know it, and I really never change it. Everything else, though, such as computers, laptops, regular e-mails, etc, I use a mix of letters and numbers, and change it bi-weekly. I have too much stuff at risk to have an easy password.

Evan 04-20-2003 04:22 PM

I use the same password for everything, but it's just a simple phrase with no connection whatsoever to myself, no football teams, no my name, no "password". I find it just as effective as mixed passwords with numerals and mixed capitalization with random letters, especially since I find it easier to remember...

phoenix1002 04-20-2003 04:29 PM

I generally have the same password, or variations of the same password, for most of my stuff. The way I see it, I don't have anything important right now that would matter if someone messed with. Besides, my password has letters and either numbers or symbols in it, and is the name of an obscure planet from a sci-fi book I read a few years back. Don't ask me why I chose it, I just did... but I bet you can't figure it out :p

sbscout 04-20-2003 05:14 PM

my password is....

XXXXXXXXXXX

now where's my pen?

BobDFish 04-20-2003 05:53 PM

My personal favorite remains an acquaintance who thought they were being clever by actually making their password all asterisks (*'s), because it actually was what came up on screen. However another acquaintance noticed that it was just one key being hit rapidly, and from there it was all downhill. ::shake head:: Yay for having goatse as the background image and the password changed. . .

PorscheBunny 04-21-2003 10:25 AM

Biggest hole in network security
 
http://www.theregister.com/content/55/30324.html

Quote:

Nine in ten (90 per cent) of office workers at London's Waterloo Station gave away their computer password for a cheap pen …

Your co-workers are morons, but you already knew that.

phoenix1002 04-21-2003 10:43 AM

I think this thread is already up... but it's still pretty funny.

Daval 04-21-2003 10:45 AM

I saw a show on this on 20/20, it was pretty scary how fast some people are willing to give up their security unverified to strangers.

scapegoat 04-21-2003 11:28 AM

It's sad but true, unfortunately.... I've tried it myself at my workplace, and no one seems to understand a sense of security

dvorak 04-21-2003 11:35 AM

Um, I can see going balls out with your password security (mixed case, letters, numbers, etc., changing every week) if it protects something of real value that you can expect someone to want unauthorized access to...

But just the login to your windows environment at work? What's the big deal? Set your password to your old girlfriend's last name or some other dumbass, easy to remember word... No one cares about getting in, and the "enter password" prompt is enough to stop anyone from messing with your desktop wallpaper.

It's better to have a slight risk of someone getting to your insignificant data than it is to bother the tech department every time you forget your login.

But as I said, if you are protecting something that the average cracker might want access to... then by all means, be careful!

asdf1001 04-21-2003 12:46 PM

I guess this answers the ultimate question: Just HOW stupid are people?

Mad_Gecko 04-21-2003 01:06 PM

Not surprised at this.

I know people who Don't Know their own passwords.. They have someone else log them in and leave it logged in. Always generates problems when there is an unexpected power outage hehe.

Cynthetiq 04-21-2003 01:11 PM

why ask them when you can just look for the post-it on their monitors?

PorscheBunny 04-21-2003 01:24 PM

{comment withdrawn}

meanSpleen 04-21-2003 02:00 PM

hey, uh, porschebunny - Check the *date* I posted it. Not just the time. :)

SecretMethod70 04-21-2003 02:31 PM

This isn't too surprising to me. If people actually took security seriously then they'd update their boxes when they're supposed to - but they don't. And then we get things like that worm that crippled the internet for a weekend awhile back.

K-Billy 04-21-2003 02:58 PM

ooh cheap pen, who could resist?

Fearless_Hyena 04-22-2003 08:51 PM

Kickass article MeanSpleen, I saw that in the news too! When I read your post subject, my immediate response was "the human factor!"

All the firewalls and security technology in the world are worthless if you can talk someone into simply giving you the information you need or doing something for you, which they wouldn't otherwise do.

This isn't a plug (borrow it from your public library if you need to :D) but I think everyone interested in this thread should read The Art Of Deception by Kevin Mitnick. Check it out, that's a link to an excerpt.

It's the best book I've read in a while, it brilliantly describes exactly what we're talking about. Everyone, even non-techie types can learn a whole lot from it.... I wish I could think of another example but this thread and that excerpt pretty much cover the basic idea.

mokle 04-22-2003 10:01 PM

Quote:

Originally posted by Lebell
I'll give you all my list of password hints:


My WindowsXP Admin account: Mom's state
My Hotmail: My State
My TFP password: Arfcom Modified


There Ya go! Have fun Crackers!

: sane
: insane
: Arfcom Modified


All times are GMT -8.