Chocolate Owns Your Passwords

The same old story: if you ask people for something, they will most likely give it without thinking of the consequences.

Even more so if you are a pretty girl, and in this case you offer someone chocolate. Hey, who doesn’t love chocolate? I have to say I don’t love it enough to give out my passwords.

A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.

That’s 1 in 5, amazing! It just shows that a bit of simple social engineering, targeted against a certain company or simply carried out at a certain location, will yield valuable info.

Similar tests have been conducted before; I would have thought awareness might be slightly higher now, but it seems like it’s just the same.

As depressing as the survey may be for the security pros whose job it is to keep corporate networks safe, the results are a substantial improvement over last year. That was when 64% of people were willing to give away their passwords. But there were other disturbing signs this year: 61% of workers surveyed shared their birthdates and a similar number – 60% of men and 62% of women – shared their names and telephone numbers.

This doesn’t sound particularly damaging, but cyber criminals could use this information to craft so-called phishing emails that install malicious computer code when opened or try to convince people to cough up more damaging information like a bank account number.

It’s good to see a substantial improvement since last year, but I’d still prefer the figures to be below 5%. Sharing personal info is also a bad idea, as it gives people with malicious intent a lot more ammunition to break into the corporate cookie jar.

Most people’s passwords are likely to be based on personal information unless they are generated by the company, and if complex passwords are generated by the company, it’s generally the case that they will be written on a post-it note in the drawer or under the keyboard.

Source: WSJ

Posted in: Privacy, Social Engineering



7 Responses to Chocolate Owns Your Passwords

  1. David April 25, 2008 at 12:51 pm #

    Hey, if you’re a pretty girl and you’re offering me chocolate, I, too, will be delighted to make up a password and give it to you to write on your clipboard.

    Did they test even one of those passwords to see if it was good for anything?

  2. Bogwitch April 25, 2008 at 2:13 pm #

    Absolutely. Hell, if a pretty girl asks me WITHOUT chocolate, I’d be sure to tell her my password is ‘password’. That way, I can skew the results of any survey to show that password security is still weak and needs infosec professionals like me to fix it!

  3. zupakomputer April 25, 2008 at 3:34 pm #

    Let’s hope you guys are right & they were just making them up.

    I would think the personal info has long been one of those moot points; just about anybody these days has access to databases that can look up postcodes, phone numbers, names, and house numbers. For example in the UK these are based on electoral registers, and they can and have been used to list people on the likes of automated phonecall lists (where you’re offered prizes and so forth).

    I’ve lost count of the amount of times on the phone I’ve had to give out personal details as routine (even say, checking up an insurance quote – or they won’t tell you anything); usually they only need your postcode and they’re able to look up the other details from there.

  4. fever April 25, 2008 at 7:52 pm #

    To think that someone would give out a password in exchange for a chocolate bar is hilarious. Hopefully they were smart enough to change the pass immediately or give a false one; if not, then they are stupid people. But a very interesting bit of social engineering. I wonder how big the chocolate bar was? Was the lady a blonde or a brunette?

    too much fun.

  5. BlueRaja April 26, 2008 at 9:47 pm #

    This story is tiring. As Bruce Schneier put it, “I would certainly give up a fake password for a bar of chocolate.”

    I know I would.

  6. ZaD MoFo April 27, 2008 at 4:37 am #

    This is my password: $Fogo.-%qBBRallOpe-n

    Are those folks idiots? No.

    Here is spontaneous honesty but viewed at distance by pals who know the importance of restricting access to computers.

    Passwords are bothersome to remember. One password is ok, but when you must remember ten or twenty (bank, social number, computer, access code for your house, your alarm system, your blog access, your social network page and so on, and many more if you’re a sysop), it may appear to be a valuable technique to conglomerate those numbers, to simplify by having five passwords or less. But you know you’re in trouble when a single password is the root access for your bank account, your computer, your house. On the other hand, if you think as criminals do, like we do (remember: to protect our stuff we must know all the tricks), it’s nonsense to give such a “precious” thing for candy, but we forget: “all are not criminals”.

    Sure, times have changed over the years. Computers & IT stuff is serious business now. Money and data fly all over the wires, but like the guy who lets the motor run while he fetches a pack of cigs, simplicity = speed = smart.
    Bad luck or shit happens anyway.

    By the way, it’s impressive what you can learn from someone previously unknown to you, just by asking, even if you are not a blonde girl.

    So, this was my password: $F0g0.-%`97BRallOpe-n
    Here is the > CHOCOLATE <.

  7. backbone April 29, 2008 at 3:08 pm #

    I have some chocolate leftovers from last year’s Christmas… anybody interested?