www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/

Office workers give away passwords for a cheap pen

By John Leyden
Published Friday 18th April 2003 08:24 GMT

Workers are prepared to give away their passwords for a cheap pen, according to a somewhat unscientific - but still illuminating - survey published today.

The second annual survey into office scruples, conducted by the people organising this month's InfoSecurity Europe 2003 conference, found that office workers have learnt very little about IT security in the past year.

If anything, people are even more lax about security than they were a year ago, the survey found.

Ninety per cent of office workers at London's Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.

Men were slightly more likely to reveal their password with 95 per cent of blokes, compared to 85 per cent of women quizzed, prepared to hand over their password on request.

The survey also found the majority of workers (80 per cent) would take confidential information with them when they change jobs and would not keep salary details confidential if they came across them.

If workers came across a file containing everyone's salary details, 75 per cent of workers thought they would be unable to resist looking at it, again up from 61 per cent in 2002. A further 38 per cent said they would also pass the information around the office.

Naughty.

Social engineering

The survey was undertaken by the organisers of Infosecurity Europe 2003 in a quest to find out how security conscious workers are with company information stored on computers.

Workers were asked a series of questions which included: What is your password? Three in four (75 per cent) of people immediately gave their password.

If they initially refused they were asked which category their password fell into and then asked a further question to find out the password.

Another 15 per cent were then prepared to give over their passwords, after the most rudimentary of social engineering tricks were applied.

One interviewee said, "I am the CEO, I will not give you my password - it could compromise my company's information".

A good start, but then the company boss blew it. He later said that his password was his daughter's name.

What is your daughters name, the interviewer cheekily asked.

He replied without thinking: "Tasmin".

D'oh.

Unsavoury emails

Of the 152 office workers surveyed many explained the origin of their passwords.

The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).

Two thirds of workers have given their password to a colleague (the same as last year) and three quarters knew their co-workers passwords.

In addition to using their password to gain access to their company information two thirds of workers use the same password for everything, including their personal banking, website access, etc.

This makes them more vulnerable to financial fraud, personal data loss or even identity theft, the InfoSecurity team notes.

Meanwhile, two thirds of workers admitted they had emailed colleagues illicit, unsavoury pictures or "dirty jokes", up slightly from 62 per cent in 2002. Men were twice as likely to indulge in this activity, with 91 per cent of men sending unsavoury emails, compared to only 40 per cent of women.

InfoSecurity's organisers say this behaviour could expose their employer to expensive litigation for sexual discrimination, low morale and might even be viewed as allowing bullying.

Tamar Beck, Director of InfoSecurity Europe 2003, said: "Employees are sometimes just naïve, poorly trained or are not made aware of the security risk. Employers therefore need to create a culture of protecting their information and reputation with policies on information security backed up with training to support the security technology".

*****************************

Totally and 100% true.

I once had to program the entry system for a call center.  When I sent out the memo I specifically told everyone you cannot use your birthday, extension, SSN's or publicly known telephone numbers and that the code had to be 5 numbers.  Simple, right?  WRONG.

Out of 65 people I had to have discussions with 10 or so who tried to argue with me telling me that I was making it "too complicated" for them, another 10 or so tried to slip in something that violated the policy (like I was too stupid to catch it) and one literally stood in front of me and SWORE that he couldn't remember it unless it was something he used from my "verbotten" list.

After threatening a few people with NINE digit codes of MY choosing, they shut up real fast and picked something within the guidelines.

People just do not want to get that security is important.

Most people couldn't care less about computers; much less security.
To them, computers have roughly the same importance as a payphone.
Only useful when they need to read their dumb emails or surf porn on the clock.
It should be policy that if they knowingly compromise security, they're
fired. No excuses.
Like that will ever happen.

Of course, there is no guarantee that they actual gave out their REAL password...

Well I used to have to deal with alot of passwords, with the right one to get in some probgrams you can find out alot on a person or do alot of damage.