Vulnerabilities / Threats

7/27/2016
01:00 PM
Terry Sweeney
Terry Sweeney
Slideshows
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

7 Ways To Charm Users Out of Their Passwords

While the incentives have changed over time, it still takes remarkably little to get users to give up their passwords.
Previous
1 of 8
Next

Image Source: Flickr

Image Source: Flickr

What won't users give up in exchange for their passwords?

Not much, as it turns out.

It is indeed curious what induces users to divulge passwords to perfect strangers. These social experiments offer insight into our psyches, and some would say, the human heart. And they cut to the substance of what motivates us: gratification, money, the prospect of coming out ahead. But that's getting ahead of ourselves… more on all those in a moment.

Passwords are the bane of IT's existence. So much time spent resetting them for hapless users, endless reminders to take down and destroy those password-riddled Post-Its. And stop re-using the same password across multiple accounts! (Talking to you, Mark Zuckerberg). Then there are the regular advisories insisting users change or update their passwords. The rhythms are as predictable as the tides.

Smart organizations insist on some sort of formal training at least once a year to remind users about the importance of password security. Highly evolved enterprises insist on quarterly security refreshers for users. The messaging that does get through isn't very "sticky," as the hipsters in marketing like to say. But sadly, any kind of security training – for passwords or anything else – regularly falls through the cracks at most organizations. Budgets, time, shifting priorities – the excuses are familiar and unending.

There's also the school of thought that passwords are passé. Consumers, credit card companies and Congress are all, apparently, fed up. Given that passwords are being regularly hacked and re-sold, it's clear that text-based logons and passwords are going the way of fax machines. Apple has helped popularize fingerprint authentication, Microsoft's developing facial recognition features, and German scientists think the sound of your skull can be used to ensure your identity. Regardless, multi-factor authentication (MFA) that includes some combination of biometrics, a security token and a PIN will eventually become mainstream, just as soon as they can agree on some standards.

Until that happy day, beware the researcher or security vendor offering you magic beans for your "password123." It just might be a trick.

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
dieselnerd
100%
0%
dieselnerd,
User Rank: Strategist
8/2/2016 | 2:01:43 PM
Printing
When are you guys going to fix the print option so that it prints entire articles?
sgordonson***
50%
50%
sgordonson***,
User Rank: Apprentice
8/1/2016 | 11:40:42 AM
Any more recent data on these surveys?
I noticed most of these surveys are 10 years old , do you have any more recent data , to see if attitudes have changed?  In general I agree most non technical users are lax about their security and PI , they have no idea how bad it really is ......
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
7/31/2016 | 9:40:09 PM
Re: Your data is my data
As nice as it would be if your optimism turned out true, unfortunately I've seen more of the latter to be true. I've seen first hand people who could care less about Information Security only take an interest after they've had an event that affected them. I wish more people would make use of the old addage, a smart person learns from their mistakes but a brilliant person learns from others.
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/29/2016 | 2:31:45 PM
Re: Your data is my data
Well you can eitehr call me an optimistic, thinking people will come to their senses and consider that the data they compromised could be theris, or a pessimistic, thinking everyone of us at the pace we are goign with databreach will suffer an identity theft and then will chnage our behavior toward password and data.
Chessie1934
100%
0%
Chessie1934,
User Rank: Apprentice
7/29/2016 | 1:59:16 PM
Re: Your data is my data
Nobody has really been put on the hook for actions that result in a breach so no one cares about truly protecting data.  Once there is a real consquence to the insider who contributes to a data breach--CFO who won't pay for updated software, dumb-ass end user who clicks a supsicious link--in some significant manner, people will start caring about the data that is under their protection.  Until then, the attitude will be they'll just provide credit monitoring to those affected by a breach.  They'd rather pay (more) later than pay (a litlle) up-front to prevent a breach.
rstoney
100%
0%
rstoney,
User Rank: Strategist
7/29/2016 | 9:03:34 AM
Re: Your data is my data
Very true;

 

  But come on - the fresh-baked cookie offering to a group of typically male IT shops is just downright rude and unfair.   Especially around morning coffee time.

 

   My preference is the soft sugar cookies with the hershey kiss in the middle.  Gawd I am hungry now for cookies.  *&&$%## !!!!
phoenix522
100%
0%
phoenix522,
User Rank: Strategist
7/28/2016 | 4:31:03 PM
Re: Wow...
I overheard a person in a non-IT training class a while back as she was stating that the Target breach was blown way out of proportion and there's no need for change when it comes to credit card fraud. Her logic was, "How many people do YOU know who were impacted by that?"

Some people just don't get the need for security, they simply want to bury their head in the sand and let others worry about it. If you add those people who work for a company but they aren't happy there, they are even less worried about what happens to the company data.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
7/28/2016 | 1:01:05 PM
Re: Wow...
Most, if not all, of the examples cited in the slideshow were in-person interactions. Most social engineers -- the malicious ones -- don't have the nerve to pull this off and don't want to risk being ID'd later.

But, yes... there is an incredible amount of unthinking behavior out there on the part of end-users. This just skims the surface.
TerryB
100%
0%
TerryB,
User Rank: Ninja
7/28/2016 | 12:51:33 PM
Re: Wow...
What I couldn't tell from article was who these people thought they were giving their password to? Was the social engineering hook (true in these cases) that this was only a test/survey? 

Surely it wasn't a cold call who told person "My name is Demitri. Would you please provide me your password and I will send you a cookie."

But even replying to what you thought was test/survey shows a real level of either stupidity or lack of caring about corp data. How would they know if real study or not?

Whoopty has good point. Many probably changed passwords after getting gift. Most, like at our our place, are probably forced to change every 90 days, enforced by system tracking last 31 changes to make sure you don't use password again. Chances are they had password like "Cutekitty8". Three guesses what their next password was? 
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/28/2016 | 11:48:15 AM
Your data is my data
Unfortunately until users consider corporate data - that includes corporate financials but also customers/consumers data like yours and my data- as their own, this behavior will continue.  Individuals who suffered an identity theft through the IRS breach or a healthcare fraud done under their name are less likely to sell passwords or give them away in exchange for cheap bribe.
Page 1 / 2   >   >>
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3914
PUBLISHED: 2018-09-21
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 2000 bytes. An attacker can s...
CVE-2018-3915
PUBLISHED: 2018-09-21
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 64 bytes. An attacker can sen...
CVE-2018-11240
PUBLISHED: 2018-09-21
An issue was discovered on SoftCase T-Router build 20112017 devices. There are no restrictions on the 'exec command' feature of the T-Router protocol. If the command syntax is correct, there is code execution both on the other modem and on the main servers. This is fixed in production builds as of S...
CVE-2018-11241
PUBLISHED: 2018-09-21
An issue was discovered on SoftCase T-Router build 20112017 devices. A remote attacker can read and write to arbitrary files on the system as root, as demonstrated by code execution after writing to a crontab file. This is fixed in production builds as of Spring 2018.
CVE-2018-16784
PUBLISHED: 2018-09-21
DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring.