In most aspects of IT, obscurity is not security. But when it comes to passwords, obscurity is the only security. You should create passwords that are difficult to guess, you shouldn’t use the same password for more than one service, and you definitely shouldn’t share your password with just anyone on the street who asks for it.
These simple security rules appear to be beyond the depth of comprehension achieved by a sizable percentage of respondents to a survey conducted recently in London. Surveyors contacted random office workers outside the Liverpool Street Station and offered them a piece of chocolate for their office password — and 21% gave it to them. That’s down from last year’s 64%, but still — 21% means that in an office of only 26 people, 5 of them would give out their password for chocolate. Does that make you feel secure?
And according to the survey results, 4 of those 5 would be women. Not trying to stir up a flame war on sexism here — just reporting the findings. I don’t think this means that women are necessarily less security-conscious. There’s a lot of anecdotal evidence that women are more drawn to chocolate than men are. I wonder how the male vs. female results would have turned out if the good-looking surveyors had offered sex instead of chocolate. Hmm? How many men would rationalize “I’ll just go change my password right afterwards”?
For that matter, the passwords were never verified — so probably some percentage of respondents were faking it in order to have their chocolate and eat it, too. And when it comes to faking it, we need not ask about the female:male ratio.
Some other scary results from the survey: 31% of respondents use only one password for everything, and 78% use three or fewer. Almost half (43%) rarely or never change their passwords, and half of them know their co-workers’ passwords. I’d bet a lot of those passwords given out for chocolate really belonged to a “friend”.
Perhaps scariest of all: more than 60% of the respondents were willing to give out their date of birth, name and telephone number in order to validate their participation and enter a drawing for a free trip to Paris. That sounds like the script for a good phishing expedition to me.