26 September 2008 | 7,961 views

Brits Give Up Passwords For a £5 Gift Voucher


So it turns out you don’t need any fancy password cracking software like John the Ripper or Cain and Abel; you just need a handful of £5 gift vouchers for Marks and Spencer!

But we have discussed this in part before: some people will give out their passwords if you just ask, some if you offer chocolate, and this time in the guise of a ‘survey’ for a gift voucher.

Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher, the public at large take a hard line on firms who fail to keep tight hold of customer data.

In exchange for the voucher, a number of those quizzed during a street survey in Covent Garden earlier this week went on to explain how they remember their password and which online websites (from a range of email, shopping, banking and social networking sites) they most frequently use. A sizeable chunk of those surveyed (45 per cent) said they used either their birthday, their mother’s maiden name or a pet’s name as a password.

Perhaps it’s just as well that stolen identities are worth a lot less than £5, fetching as little as 50p on the underground black market, according to Symantec.

It seems that, rather than giving out the actual password, they answered questions put together in such a way that a profiler could easily work out what their password was and which sites they used it on.

Pretty sneaky methinks, it’s a good way to test how paranoid people are about their data security…it’s ironic really seeing how much they complain but at the end of it they are their own worst danger.

Nine in ten (89 per cent) of 1,000 Brits quizzed during a wider survey, commissioned by Symantec and price comparison site moneysupermarket.com, expressed the opinion that “reckless and repeated” data breaches ought to be punished by criminal prosecutions. Sanctions should include the ability to incarcerate directors of negligent firms in jail. Eight out of ten of those quizzed agreed there should be a “one strike and you’re out” rule for data loss.

Almost four in five of those polled reckon their personal data is not secure in the hands of companies that hold it, a finding that probably stems from the steady drip of data breach stories that have followed from the massive HMRC child benefit lost disc bungle last year. Three in four consumers are concerned about the amount of information organisations hold on them, regardless of whether or not this information is held online or offline. Online payments were perceived as the single greatest risk for losing data.

The general public are pretty harsh too when it comes to dishing out punishment, but then again that is human nature and that is why there’s jury service.

It’s not surprising either that people have very little faith in data stored by the government and their greatest fear is carrying out online transactions.

I think we all know well enough to keep ourselves safe…but sadly as always it seems the rest of the world don’t.

Source: The Register




7 Responses to “Brits Give Up Passwords For a £5 Gift Voucher”

  1. Bogwitch 27 September 2008 at 5:02 pm Permalink

    {sigh}
    It’s been said before, I’d quite happily make up a password for a researcher. I’d also tell them it was something simple, Wife’s maiden name, pet’s name, registration number.
    Why? I have a vested interest in generating IT Sec work and fearmongering like that is just the ticket.
    5 quid gift voucher would be a bonus for me.

  2. Goodpeople 28 September 2008 at 5:54 am Permalink

    This is one of those moments where I wonder if people are really worth protecting..

    Of course I would also have told the researcher that my passwords are very simple.. just to get the check.

  3. razta 29 September 2008 at 7:02 am Permalink

    I agree. I don’t think many people would have given their real passwords, when they could just make it up and get the

  4. Darknet 29 September 2008 at 7:30 am Permalink

    They aren’t giving actual passwords, but the survey mines enough data to ascertain the passwords within a few guesses and know WHICH sites they use them on. To most people they wouldn’t even realise what they’d given away.

  5. Yami King 30 September 2008 at 6:36 pm Permalink

    @ Darknet
    You are correct about this, well… not entirely, as razta mentioned, you do really need evidence supporting that the information the user gives is actually correct.

    But yes, people tend to give information away quite easily, but wasn’t it already known to researchers, people like using information like dates of birth, their pet’s name, etc… as their passwords?
    What actually is quite funny too, is when company policies require users to change their password every month, but do not require any secure passwords, people tend to use the names of the current month as their password.

  6. SpikyHead 1 October 2008 at 12:40 am Permalink

    Well that’s why they say… Common Sense is Not So Common…

    When will these people learn

  7. collector 2 October 2008 at 7:15 am Permalink

    Go to any public user database and execute this:

    SELECT password, count(*) FROM users
    GROUP BY password
    ORDER BY count(*) DESC;

    you’ll find that 1% of all hashed passwords are the same. Try to de-hash it with http://gdataonline.com/seekhash.php, or if you are using something other than standard md5, try hashing the 123456 and see if it’s a match ;)
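
The duplicate-hash query from the last comment, as an added example that is not part of the original post or its comments: it runs that query (with an added `HAVING` filter) over a constructed `users` table, first with unsalted MD5 and then with a per-user salted PBKDF2 value, to show why salting makes the shared-password clusters disappear. The table layout, the sample accounts and the choice of PBKDF2 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (illustrative only, not real data).
SAMPLE_USERS = [
    ("alice", "123456"), ("bob", "123456"), ("dave", "123456"),
    ("carol", "rex2008"), ("erin", "correct horse battery staple"),
]

def md5_hex(password):
    """Unsalted MD5: equal passwords always give equal stored values."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_pbkdf2(password, salt=None):
    """Random per-user salt + PBKDF2-HMAC-SHA256, stored as 'salt$hash'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()

def verify(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(stored, salted_pbkdf2(password, salt))

def duplicate_clusters(store):
    """Fill a users table via `store`, then run the comment's query,
    keeping only stored values shared by more than one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(name, store(pw)) for name, pw in SAMPLE_USERS])
    rows = db.execute(
        "SELECT password, count(*) FROM users "
        "GROUP BY password HAVING count(*) > 1 "
        "ORDER BY count(*) DESC").fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    print("unsalted md5 :", duplicate_clusters(md5_hex))
    print("salted pbkdf2:", duplicate_clusters(salted_pbkdf2))
```

Run against your own user table, a non-empty result from the query is a sign that passwords are stored without per-user salts.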