I just came across an article on non-password authentication that refers back to an April 2004 survey of office workers which found that “71% were willing to part with their password for a chocolate bar.”
Wow. I know they say everyone has their price, but this is ridiculous.
It reminds me of the comic book Underworld Unleashed, in which a demon approached various DC villains offering to give them enhanced powers in exchange for their souls. The Joker sold his soul in exchange for… a box of cigars. “They’re Cubans!” he explained.
Another good one: “I work in a financial call centre, our password changes daily, but I do not have a problem remembering it as it is written on the board so that every one can see it.”
Un. be. lievable.
Then again, it’s rumored most people leave their homes unlocked in Canada. . .
(Not that I’d give any of my passwords away for chocolate. Now if it was chocolate mixed with peanut butter on the other hand. . .)
Many people I work with don’t have internet access at home, for whatever reason. Anything they do online is done at work; their email is saved on the work server. If they have someone’s address (or a reservation number, phone number, etc.) sent to them and they forget to print it out, it’s common practice to call a colleague and hand over the password in return for the goods. With most people, this is generally not perceived as problematic, as their memories are of the type that can’t remember their current password without writing it down, let alone a succession of six passwords (the minimum setup required to log into our servers if you work here continuously). Not being one of the above-mentioned individuals, I will say no more.
Each system we use requires at least two passwords: our server password and one for the system. One of the systems requires another layer. They are all on different timetables for requiring you to change them. Most people in the office do a pretty shoddy job of creating passwords and keeping them safe, simply because the task of remembering six strings of guess-proof garble is beyond them. I imagine that the problem will only get worse as the work force continues to gray, until we do switch to biometrics or smartcards.
As for the call center with the password on the board, I can say from experience that 1) call-center employees are, by and large, not intelligent enough to remember a password throughout a typical day; 2) employees change with such frequency that creating and deleting individually keyed accounts would be a full-time job; and 3) most call centers have additional security measures–in my case, it was a passcard–to keep non-employees out. One could, of course, argue that constant staff change might also keep people from recognizing when someone is in their midst who doesn’t belong. In my case, this would have been hard to do because of the training team: ten people, sitting at various points throughout the cube farm, who spend two weeks at a stretch with a group of 5-12 newbies. If a trainer saw someone they didn’t recognize, you can bet security would be called.
More yeesh…. Disaster Area had to change her password yesterday and couldn’t remember it this morning. When she finally figured it out, she said, “Oh yeah! It’s ****!”
Now, this only gets you into the general system. But I’m 90% certain I can guess the password she uses to get into one of the specific systems. And though our uber-supervisory leashes keep too much damage from being done, someone who knew at least marginally what they were doing could definitely do some damage, if only through information-gathering.
Yeah, people trust me. *shrugs*
Apparently offering people chocolate and then asking for their password still works. On the plus side, it’s only 48% effective these days.