An annual survey carried out by the organisers of the Infosecurity Europe conference found that 64% of the people asked for their passwords on the street in a mock survey handed them over. That figure fell to 21% this year.
Researchers stopped 576 workers outside Liverpool Street Station in the City of London and pretended to be carrying out market research. They offered workers a chocolate bar in return for participating in the fake study and asked workers for their passwords as well as their names and dates of birth.
The study found a marked difference between the response of the sexes, with four times as many women as men revealing their passwords. It found that 45% of women and 10% of men revealed their password.
Claire Sellick, the event director for Infosecurity Europe, said that the danger was not just in the revealing of passwords, but of the other data too.
"Our researchers also asked for workers' names and telephone numbers so that they could be entered into a draw to go to Paris. With this incentive 60% of men and 62% of women gave us their contact information," said Sellick.
"Once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud," she said.
Getting a person to actually tell you a password or vital information, rather than trying to break encryption, is called social engineering. The survey uncovered other workplace dangers that leave companies vulnerable to socially-engineered attacks.
The survey found that 58% of the workers would give their password to a phone caller who claimed to be from the IT department and 35% of them thought that at least one other person knew their chief executive's password.
"This research shows that it's pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department," Sellick said. "This type of social engineering technique is often used by hackers targeting a specific organisation with valuable data or assets such as a government department or a bank."