Chocolate Owns Your Passwords


The same old story: if you ask people for something, they will most likely give it without thinking of the consequences.

Even more so if you are a pretty girl, and in this case you are offering chocolate. Hey, who doesn’t love chocolate? I have to say I don’t love it enough to give out my passwords.

A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.

That’s 1 in 5, amazing! It just shows that a bit of simple social engineering targeted against a certain company, or simply run at a certain location, will yield valuable info.

Similar tests have been conducted before; I would have thought awareness might be slightly higher now, but it seems it’s just the same.

As depressing as the survey may be for the security pros whose job it is to keep corporate networks safe, the results are a substantial improvement over last year. That was when 64% of people were willing to give away their passwords. But there were other disturbing signs this year: 61% of workers surveyed shared their birthdates and a similar number – 60% of men and 62% of women – shared their names and telephone numbers.

This doesn’t sound particularly damaging, but cyber criminals could use this information to craft so-called phishing emails that install malicious computer code when opened or try to convince people to cough up more damaging information like a bank account number.

It’s good to see a substantial improvement since last year, but still I’d prefer if the figures were below 5%. Sharing personal info is also a bad idea as it gives people with malicious intent a lot more ammunition to break into the corporate cookie jar.

Most people’s passwords are likely to be based on personal information unless they are generated by the company, and if complex passwords are generated by the company, they will generally be written on a post-it note in the drawer or under the keyboard.
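The survey shows exactly which personal details people hand over on the street: name, birthdate and phone number. One defensive check that follows from the point above is to reject any password derived from those details at the time it is set. The following is an added example and not code from the original post or the survey organisers; the function names and the sample profile (name, birthdate, phone number) are constructed for illustration.

```python
"""Added example (not from the original post): reject passwords that are built
from personal details of the kind the survey found people give away freely.
All names and sample values below are constructed for illustration."""
import re
from datetime import date

# Common substitutions people use to "strengthen" a personal-info password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(s: str) -> str:
    """Lower-case and undo leetspeak so 'Sm1th' is compared as 'smith'."""
    return s.lower().translate(_LEET)


def personal_tokens(name: str, birthdate: date, phone: str) -> set:
    """Build the set of strings a password derived from this profile would contain."""
    tokens = set()
    for part in re.split(r"\s+", name.strip()):
        if len(part) >= 3:               # skip initials and very short particles
            tokens.add(part.lower())
    tokens.add(name.replace(" ", "").lower())
    # Birthdate in the formats people actually type into a password field.
    tokens.update({
        birthdate.strftime("%Y"),        # 1980
        birthdate.strftime("%d%m%Y"),    # 25041980
        birthdate.strftime("%d%m%y"),    # 250480
        birthdate.strftime("%m%d%Y"),    # 04251980
        birthdate.strftime("%Y%m%d"),    # 19800425
        birthdate.strftime("%d%m"),      # 2504
    })
    digits = re.sub(r"\D", "", phone)
    if len(digits) >= 4:
        tokens.add(digits)               # full number
        tokens.add(digits[-4:])          # last four digits
        tokens.add(digits[-6:])          # last six digits
    return tokens


def derived_from_personal_info(password: str, name: str, birthdate: date, phone: str) -> list:
    """Return the sorted list of personal tokens found in the password ([] if clean).

    Alphabetic tokens are matched against the leet-normalised password, forwards
    and reversed; numeric tokens are matched against the password's digits only.
    """
    norm = _normalize(password)
    digits_only = re.sub(r"\D", "", password)
    hits = []
    for tok in personal_tokens(name, birthdate, phone):
        if tok.isdigit():
            if len(tok) >= 4 and tok in digits_only:
                hits.append(tok)
        elif tok in norm or tok[::-1] in norm:
            hits.append(tok)
    return sorted(hits)


# Constructed sample profile; the phone number uses the UK reserved range for fiction.
SAMPLE_NAME = "Jane Smith"
SAMPLE_BIRTHDATE = date(1980, 4, 25)
SAMPLE_PHONE = "+44 20 7946 0123"

if __name__ == "__main__":
    for candidate in ["Sm1th1980!", "J@neS", "0123qwerty", "correct horse battery staple"]:
        found = derived_from_personal_info(candidate, SAMPLE_NAME, SAMPLE_BIRTHDATE, SAMPLE_PHONE)
        verdict = "REJECT (contains %s)" % ", ".join(found) if found else "ok"
        print("%-30s %s" % (candidate, verdict))
```

The check is deliberately simple: a real deployment would combine it with a breached-password list and a length rule, and, given that more than half of those surveyed reuse one password everywhere, the compromise of any one of them exposes the rest regardless of how strong it is.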

Source: WSJ

Posted in: Privacy, Social Engineering


7 Responses to Chocolate Owns Your Passwords

  1. David April 25, 2008 at 12:51 pm #

    Hey, if you’re a pretty girl and you’re offering me chocolate, I, too, will be delighted to make up a password and give it to you to write on your clipboard.

    Did they test even one of those passwords to see if it was good for anything?

  2. Bogwitch April 25, 2008 at 2:13 pm #

    Absolutely. Hell, if a pretty girl asks me WITHOUT chocolate, I’d be sure to tell her my password is ‘password’. That way, I can skew the results of any survey to show that password security is still weak and needs infosec professionals like me to fix it!

  3. zupakomputer April 25, 2008 at 3:34 pm #

    Let’s hope you guys are right & they were just making them up.

    I would think the personal info has long been one of those moot points; just about anybody these days has access to databases that can look up postcodes, phone numbers, names, and house numbers. For example in the UK these are based on electoral registers, and they can and have been used to list people on the likes of automated phonecall lists (where you’re offered prizes and so forth).

    I’ve lost count of the amount of times on the phone I’ve had to give out personal details as routine (even say, checking up an insurance quote – or they won’t tell you anything); usually they only need your postcode and they’re able to look up the other details from there.

  4. fever April 25, 2008 at 7:52 pm #

    To think that someone would give out a password in exchange for a chocolate bar is hilarious. Hopefully they were smart enough to change the pass immediately or give a false one; if not, then they are stupid people. But a very interesting bit of social engineering. I wonder how big the chocolate bar was? Was the lady a blonde or a brunette?

    too much fun.

  5. BlueRaja April 26, 2008 at 9:47 pm #

    This story is tiring. As Bruce Schneier put it, “I would certainly give up a fake password for a bar of chocolate.”

    I know I would.

  6. ZaD MoFo April 27, 2008 at 4:37 am #

    This is my password: $Fogo.-%qBBRallOpe-n

    Are those folks idiots? No.

    Here is spontaneous honesty but viewed at distance by pals who know the importance of restricting access to computers.

    Passwords are bothersome to remember. One password is ok, but when you must remember ten or twenty (bank, social number, computer, access code for your house, your alarm system, your blog access, your social network page and so on, and many more if you’re a sysop), it may appear to be a valuable technique to conglomerate those numbers, to simplify by having five passwords or less. But you know you’re in trouble when a single password is the root access for your bank account, your computer, your house. On the other hand, if you think as criminals do, like we do (remember: to protect our stuff we must know all the tricks), it’s nonsense to give such a thing so “precious” for candy that we forgot: “all are not criminals”.

    Sure, times have changed over the years. Computers & IT stuff is serious business now. Money and data fly all over the wires, but like the guy who lets the motor run the time it takes to fetch a pack of cigs, simplicity = speed = smart.
    Bad luck or shit happens anyway.

    By the way, it’s impressive what you could learn from someone unknown to you before, just by asking, even if you are not a blond girl.

    So, this was my password: $F0g0.-%`97BRallOpe-n
    Here is the > CHOCOLATE <.

  7. backbone April 29, 2008 at 3:08 pm #

    I have some chocolate leftovers from last year’s Christmas… anybody interested?