Apr 17 2008 By Andrew Mernin
A SURVEY of 576 office workers has found that women are far more likely than men to give away their passwords to total strangers: 45% of women versus 10% of men were prepared to give away their password to strangers masquerading as market researchers, with the lure of a chocolate bar as an incentive for filling in the survey.
The survey by Infosecurity Europe was part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.
In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year the figure had dropped to just 21%, so at last the message to be more infosecurity savvy is getting through.
The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey. Here the workers were very naïve, with 61% revealing their date of birth. The research also found that over half of the people questioned use the same password for everything: work, banking, web, etc.
Claire Sellick, event director at Infosecurity Europe, said: "Our researchers also asked for workers' names and telephone numbers so that they could be entered into a draw to go to Paris; with this incentive 60% of men and 62% of women gave us their contact information."
One woman surveyed said: "Even though I have just been to Paris for the weekend I would love to go again."
Ms Sellick said: "That promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud."
Workers were also asked about their use of passwords at work. Half said they knew their colleagues' passwords, and when asked if they would give their passwords to someone who phoned and said they were from the IT department, 58% said they would. Researchers also asked workers if they thought other people in their company knew their CEO's password; 35% of them said they thought someone else did, with personal assistants and IT staff being the most likely suspects.
"This research shows that it’s pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department," Sellick continued. "This type of social engineering technique is often used by hackers targeting a specific organisation with valuable data or assets such as a government department or a bank."
One man said: "I work for a government department, I would never give my password to anyone else, it could cost me my job."
Most people used only one (31%), two (31%) or three (16%) passwords at work, but some people had to use as many as 32. It was also found that 43% of people rarely or never change their password, which is very poor security practice.