Chocolate Owns Your Passwords


The same old story: if you ask people for something, they will most likely give it without thinking of the consequences.

Even more so if you are a pretty girl, and in this case you offer someone chocolate. Hey, who doesn’t love chocolate? I have to say I don’t love it enough to give out my passwords.

A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.

That’s 1 in 5, amazing! It just shows a bit of simple social engineering targeted against a certain company or just using a certain location will yield valuable info.

Similar tests have been conducted before. I would have thought awareness might be slightly higher now – but it seems like it’s just the same.

As depressing as the survey may be for the security pros whose job it is to keep corporate networks safe, the results are a substantial improvement over last year. That was when 64% of people were willing to give away their passwords. But there were other disturbing signs this year: 61% of workers surveyed shared their birthdates and a similar number – 60% of men and 62% of women – shared their names and telephone numbers.

This doesn’t sound particularly damaging, but cyber criminals could use this information to craft so-called phishing emails that install malicious computer code when opened or try to convince people to cough up more damaging information like a bank account number.

It’s good to see a substantial improvement since last year, but still I’d prefer if the figures were below 5%. Sharing personal info is also a bad idea as it gives people with malicious intent a lot more ammunition to break into the corporate cookie jar.

Most people’s passwords are likely to be based on personal information unless they are generated by the company, and if complex passwords are generated by the company, they will generally end up written on a post-it note in the drawer or under the keyboard.
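Since the post’s point is that passwords tend to be built from exactly the details the survey extracted (names, birthdates, phone numbers), here is an added example of the defensive check a registration or password-change flow can run: it derives the personal tokens from a user’s profile and rejects any candidate password containing them, including simple digit-for-letter substitutions. This is example code written for this post, not from the original article or the survey; the profile values are constructed sample data, and the function and field names are my own assumptions.

```python
import re
from datetime import date

# Constructed sample profile for the demo; not a real person.
SAMPLE_PROFILE = {
    "first_name": "Alice",
    "last_name": "Example",
    "birthdate": date(1985, 7, 23),
    "phone": "020 7946 0123",
}

# Fold the common digit/symbol-for-letter substitutions back to letters
# so that "@l1ce" is still recognised as "alice".
LEET_FOLD = str.maketrans("013457@$!", "oieastasi")


def personal_tokens(profile):
    """Substrings a password must not contain, derived from a profile dict."""
    tokens = set()
    for key in ("first_name", "last_name"):
        value = profile.get(key, "")
        if len(value) >= 3:  # very short names would cause false positives
            tokens.add(value.lower())
    bd = profile.get("birthdate")
    if bd:
        # The birthdate in the formats people actually type into passwords.
        tokens.update({
            bd.strftime("%Y"),        # 1985
            bd.strftime("%d%m"),      # 2307
            bd.strftime("%m%d"),      # 0723
            bd.strftime("%d%m%y"),    # 230785
            bd.strftime("%d%m%Y"),    # 23071985
            bd.strftime("%Y%m%d"),    # 19850723
        })
    digits = re.sub(r"\D", "", profile.get("phone", ""))
    if len(digits) >= 4:
        tokens.add(digits)
        tokens.add(digits[-4:])  # the last four digits are the part people reuse
    return tokens


def personal_info_problems(password, profile):
    """Return the personal tokens found in the password; an empty list means it passes."""
    raw = password.lower()
    folded = raw.translate(LEET_FOLD)
    found = []
    for tok in sorted(personal_tokens(profile)):
        # Alphabetic tokens are also matched against the leet-folded form;
        # numeric tokens only against the raw text, since folding mangles digits.
        haystacks = (raw, folded) if tok.isalpha() else (raw,)
        if any(tok in h for h in haystacks):
            found.append(tok)
    return found


if __name__ == "__main__":
    for candidate in ("Alice1985!", "@l1ce-2307", "correct horse battery staple"):
        problems = personal_info_problems(candidate, SAMPLE_PROFILE)
        verdict = "REJECT" if problems else "ok"
        print(f"{candidate!r}: {verdict} {problems}")
```

Run as-is it flags the first two candidates and accepts the third. In a real deployment the same check should run alongside a breached-password list and a per-user reuse check (the survey’s other finding, that most people use one password everywhere), and the rejection message should tell the user which kind of detail was found rather than echo the token.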

Source: WSJ

Posted in: Privacy, Social Engineering



7 Responses to Chocolate Owns Your Passwords

  1. David April 25, 2008 at 12:51 pm #

    Hey, if you’re a pretty girl and you’re offering me chocolate, I, too, will be delighted make up a password and give it to you to write on your clipboard.

    Did they test even one of those passwords to see if it was good for anything?

  2. Bogwitch April 25, 2008 at 2:13 pm #

    Absolutely. Hell, if a pretty girl asks me WITHOUT chocolate, I’d be sure to tell her my password is ‘password’. That way, I can skew the results of any survey to show that password security is still weak and needs infosec professionals like me to fix it!

  3. zupakomputer April 25, 2008 at 3:34 pm #

    Let’s hope you guys are right & they were just making them up.

    I would think the personal info has long been one of those moot points; just about anybody these days has access to databases that can look up postcodes, phone numbers, names, and house numbers. For example in the UK these are based on electoral registers, and they can and have been used to list people on the likes of automated phonecall lists (where you’re offered prizes and so forth).

    I’ve lost count of the amount of times on the phone I’ve had to give out personal details as routine (even say, checking up an insurance quote – or they won’t tell you anything); usually they only need your postcode and they’re able to look up the other details from there.

  4. fever April 25, 2008 at 7:52 pm #

    To think that someone would give out a password in exchange for a chocolate bar is hilarious. Hopefully they were smart enough to change the pass immediately or give a false one; if not, then they are stupid people. But a very interesting bit of social engineering. I wonder how big the chocolate bar was? Was the lady a blonde or a brunette?

    too much fun.

  5. BlueRaja April 26, 2008 at 9:47 pm #

    This story is tiring. As Bruce Schneier put it, “I would certainly give up a fake password for a bar of chocolate.”

    I know I would.

  6. ZaD MoFo April 27, 2008 at 4:37 am #

    This is my password: $Fogo.-%qBBRallOpe-n

    Are those folks idiots? No.

    Here is spontaneous honesty but viewed at distance by pals who know the importance of restricting access to computers.

    Passwords are bothersome to remember. One password is ok, but when you must remember ten or twenty (bank, social number, computer, access code for your house, your alarm system, your blog access, your social network page and so on, and many more if you’re a sysop), it may appear to be a valuable technique to conglomerate those numbers, to simplify by having five passwords or less. But you know you’re in trouble when a single password is the root access for your bank account, your computer, your house. On the other hand, if you think as criminals do, like we do (remember: to protect our stuff we must know all the tricks), it’s nonsense to give such a “precious” thing for candy, but we forgot: “not all are criminals”.

    Sure, times have changed over the years. Computers & IT stuff is serious business now. Money and data fly all over the wires, but like the guy who lets the motor run while he fetches a pack of cigs, simplicity = speed = smart.
    Bad luck or shit happens anyway.

    By the way, it’s impressive what you can learn from someone previously unknown to you, just by asking, even if you are not a blonde girl.

    So, this was my password: $F0g0.-%`97BRallOpe-n
    Here is the > CHOCOLATE <.

  7. backbone April 29, 2008 at 3:08 pm #

    I have some chocolate leftovers from last years christmas… anybody interested?