So it turns out you don’t need any fancy password cracking software like John the Ripper or Cain and Abel; you just need a handful of £5 gift vouchers for Marks and Spencer!
We have discussed this in part before: some people will give out their passwords if you just ask, some if you offer chocolate, and this time it was in the guise of a ‘survey’ for a gift voucher.
Although the majority (60 percent) of 207 London residents were happy to hand over computer password data which might be useful to potential ID thieves in exchange for a £5 M&S gift voucher, the public at large take a hard line on firms who fail to keep tight hold of customer data.
In exchange for the voucher, a number of those quizzed during a street survey in Covent Garden earlier this week went on to explain how they remember their password and which online websites (from a range of email, shopping, banking and social networking sites) they most frequently use. A sizeable chunk of those surveyed (45 per cent) said they used either their birthday, their mother’s maiden name or a pet’s name as a password.
Perhaps it’s just as well that stolen identities are worth a lot less than £5, fetching as little as 50p on the underground black market, according to Symantec.
It seems like rather than giving out the actual password they answered questions put together in such a way that a profiler could easily work out what their password was and which sites they used it on.
Pretty sneaky methinks, it’s a good way to test how paranoid people are about their data security…it’s ironic really seeing how much they complain but at the end of it they are their own worst danger.
Nine in ten (89 per cent) of 1,000 Brits quizzed during a wider survey, commissioned by Symantec and price comparison site moneysupermarket.com, expressed the opinion that “reckless and repeated” data breaches ought to be punished by criminal prosecutions. Sanctions should include the ability to incarcerate directors of negligent firms in jail. Eight out of ten of those quizzed agreed there should be a “one strike and you’re out” rule for data loss.
Almost four in five of those polled reckon their personal data is not secure in the hands of companies that hold it, a finding that probably stems from the steady drip of data breach stories that have followed from the massive HMRC child benefit lost disc bungle last year. Three in four consumers are concerned about the amount of information organisations hold on them, regardless of whether or not this information is held online or offline. Online payments were perceived as the single greatest risk for losing data.
The general public are pretty harsh too when it comes to dishing out punishment, but then again that is human nature and that is why there’s jury service.
It’s not surprising either that people have very little faith in data stored by the government and their greatest fear is carrying out online transactions.
I think we all know well enough to keep ourselves safe…but sadly as always it seems the rest of the world don’t.
Source: The Register
Bogwitch says
{sigh}
It’s been said before, I’d quite happily make up a password for a researcher. I’d also tell them it was something simple, Wife’s maiden name, pets name, registration number.
Why? I have a vested interest in generating IT Sec work and fearmongering like that is just the ticket.
5 quid gift voucher would be a bonus for me.
Goodpeople says
This is one of those moments where I wonder if people are really worth protecting..
Of course I would also have told the researcher that my passwords are very simple.. just to get the check.
razta says
I agree. I don’t think many people would have given their real passwords, when they could just make it up and get the
Darknet says
They aren’t giving actual passwords, but the survey mines enough data to ascertain the passwords within a few guesses and know WHICH sites they use them on. To most people they wouldn’t even realise what they’d given away.
Yami King says
@ Darknet
You are correct about this, well… not entirely, as razta mentioned, you do really need evidence supporting that the information the user gives is actually correct.
—
But yes, people tend to give information away quite easily, but wasn’t it already known to researchers, people like using information like dates of birth, their pet’s name, etc… as their passwords?
What actually is quite funny too, is when company policies require users to change their password every month, but do not require any secure passwords, people tend to use the names of the current month as their password.
SpikyHead says
Well that’s why they say… Common Sense is Not So Common…
When will these people learn
collector says
Go to any public user database and execute this:
SELECT password, count(*) FROM users
GROUP BY password
ORDER BY count(*) DESC;
you’ll find that 1% of all hashed passwords are the same. Try to de-hash it with http://gdataonline.com/seekhash.php, or if you are using something other than standard md5, try hashing the 123456 and see if it’s a match ;)
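The grouping query from the comment above, turned into an audit of your own user table: an added example, not part of the original comment, showing that unsalted MD5 exposes shared passwords while per-account salted PBKDF2 does not. The table layout, the sample accounts and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not real data); three of them share "123456".
SAMPLE = [("ann", "123456"), ("bob", "123456"), ("cat", "123456"),
          ("dan", "rex2008"), ("eve", "correct horse battery staple")]
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

# The comment's query, limited to values stored for more than one account.
DUPLICATES_SQL = """SELECT password, count(*) FROM users
                    GROUP BY password HAVING count(*) > 1
                    ORDER BY count(*) DESC"""


def unsalted_md5(password):
    """Legacy storage: equal passwords always produce equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_pbkdf2(password):
    """Per-account random salt and a slow KDF, stored as 'salt$key' in hex."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + key.hex()


def verify_pbkdf2(password, stored):
    """Recompute the key with the stored salt; compare in constant time."""
    salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(key.hex(), key_hex)


def duplicate_groups(hasher):
    """Store SAMPLE with the given hasher and return the duplicate report."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(name, hasher(pw)) for name, pw in SAMPLE])
    rows = db.execute(DUPLICATES_SQL).fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    print("unsalted md5 :", duplicate_groups(unsalted_md5))
    print("salted pbkdf2:", duplicate_groups(salted_pbkdf2))
```

An empty report for the salted column means the stored values no longer reveal which accounts share a password, while login verification still works through the stored salt.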