Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/27/2016
01:00 PM
Terry Sweeney
Terry Sweeney
Slideshows
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

7 Ways To Charm Users Out of Their Passwords

While the incentives have changed over time, it still takes remarkably little to get users to give up their passwords.
Previous
1 of 8
Next

Image Source: Flickr

Image Source: Flickr

What won't users give up in exchange for their passwords?

Not much, as it turns out.

It is indeed curious what induces users to divulge passwords to perfect strangers. These social experiments offer insight into our psyches, and some would say, the human heart. And they cut to the substance of what motivates us: gratification, money, the prospect of coming out ahead. But that's getting ahead of ourselves… more on all those in a moment.

Passwords are the bane of IT's existence. So much time spent resetting them for hapless users, endless reminders to take down and destroy those password-riddled Post-Its. And stop re-using the same password across multiple accounts! (Talking to you, Mark Zuckerberg). Then there are the regular advisories insisting users change or update their passwords. The rhythms are as predictable as the tides.

Smart organizations insist on some sort of formal training at least once a year to remind users about the importance of password security. Highly evolved enterprises insist on quarterly security refreshers for users. The messaging that does get through isn't very "sticky," as the hipsters in marketing like to say. But sadly, any kind of security training – for passwords or anything else – regularly falls through the cracks at most organizations. Budgets, time, shifting priorities – the excuses are familiar and unending.

There's also the school of thought that passwords are passé. Consumers, credit card companies and Congress are all, apparently, fed up. Given that passwords are being regularly hacked and re-sold, it's clear that text-based logons and passwords are going the way of fax machines. Apple has helped popularize fingerprint authentication, Microsoft's developing facial recognition features, and German scientists think the sound of your skull can be used to ensure your identity. Regardless, multi-factor authentication (MFA) that includes some combination of biometrics, a security token and a PIN will eventually become mainstream, just as soon as they can agree on some standards.

Until that happy day, beware the researcher or security vendor offering you magic beans for your "password123." It just might be a trick.

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
dieselnerd
100%
0%
dieselnerd,
User Rank: Strategist
8/2/2016 | 2:01:43 PM
Printing
When are you guys going to fix the print option so that it prints entire articles?
sgordonson***
50%
50%
sgordonson***,
User Rank: Apprentice
8/1/2016 | 11:40:42 AM
Any more recent data on these surveys?
I noticed most of these surveys are 10 years old , do you have any more recent data , to see if attitudes have changed?  In general I agree most non technical users are lax about their security and PI , they have no idea how bad it really is ......
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
7/31/2016 | 9:40:09 PM
Re: Your data is my data
As nice as it would be if your optimism turned out true, unfortunately I've seen more of the latter to be true. I've seen first hand people who could care less about Information Security only take an interest after they've had an event that affected them. I wish more people would make use of the old addage, a smart person learns from their mistakes but a brilliant person learns from others.
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/29/2016 | 2:31:45 PM
Re: Your data is my data
Well you can eitehr call me an optimistic, thinking people will come to their senses and consider that the data they compromised could be theris, or a pessimistic, thinking everyone of us at the pace we are goign with databreach will suffer an identity theft and then will chnage our behavior toward password and data.
Chessie1934
100%
0%
Chessie1934,
User Rank: Apprentice
7/29/2016 | 1:59:16 PM
Re: Your data is my data
Nobody has really been put on the hook for actions that result in a breach so no one cares about truly protecting data.  Once there is a real consquence to the insider who contributes to a data breach--CFO who won't pay for updated software, dumb-ass end user who clicks a supsicious link--in some significant manner, people will start caring about the data that is under their protection.  Until then, the attitude will be they'll just provide credit monitoring to those affected by a breach.  They'd rather pay (more) later than pay (a litlle) up-front to prevent a breach.
rstoney
100%
0%
rstoney,
User Rank: Strategist
7/29/2016 | 9:03:34 AM
Re: Your data is my data
Very true;

 

  But come on - the fresh-baked cookie offering to a group of typically male IT shops is just downright rude and unfair.   Especially around morning coffee time.

 

   My preference is the soft sugar cookies with the hershey kiss in the middle.  Gawd I am hungry now for cookies.  *&&$%## !!!!
phoenix522
100%
0%
phoenix522,
User Rank: Strategist
7/28/2016 | 4:31:03 PM
Re: Wow...
I overheard a person in a non-IT training class a while back as she was stating that the Target breach was blown way out of proportion and there's no need for change when it comes to credit card fraud. Her logic was, "How many people do YOU know who were impacted by that?"

Some people just don't get the need for security, they simply want to bury their head in the sand and let others worry about it. If you add those people who work for a company but they aren't happy there, they are even less worried about what happens to the company data.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
7/28/2016 | 1:01:05 PM
Re: Wow...
Most, if not all, of the examples cited in the slideshow were in-person interactions. Most social engineers -- the malicious ones -- don't have the nerve to pull this off and don't want to risk being ID'd later.

But, yes... there is an incredible amount of unthinking behavior out there on the part of end-users. This just skims the surface.
TerryB
100%
0%
TerryB,
User Rank: Ninja
7/28/2016 | 12:51:33 PM
Re: Wow...
What I couldn't tell from article was who these people thought they were giving their password to? Was the social engineering hook (true in these cases) that this was only a test/survey? 

Surely it wasn't a cold call who told person "My name is Demitri. Would you please provide me your password and I will send you a cookie."

But even replying to what you thought was test/survey shows a real level of either stupidity or lack of caring about corp data. How would they know if real study or not?

Whoopty has good point. Many probably changed passwords after getting gift. Most, like at our our place, are probably forced to change every 90 days, enforced by system tracking last 31 changes to make sure you don't use password again. Chances are they had password like "Cutekitty8". Three guesses what their next password was? 
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/28/2016 | 11:48:15 AM
Your data is my data
Unfortunately until users consider corporate data - that includes corporate financials but also customers/consumers data like yours and my data- as their own, this behavior will continue.  Individuals who suffered an identity theft through the IRS breach or a healthcare fraud done under their name are less likely to sell passwords or give them away in exchange for cheap bribe.
Page 1 / 2   >   >>
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.