Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/27/2016
01:00 PM
Terry Sweeney
Terry Sweeney
Slideshows
Connect Directly
Facebook
Twitter
RSS
E-Mail

7 Ways To Charm Users Out of Their Passwords

While the incentives have changed over time, it still takes remarkably little to get users to give up their passwords.
2 of 8

Milk Chocolate or Dark?

As any social engineer will affirm, you catch more flies with honey than with vinegar. The chocolate-for-passwords stunt has been replicated numerous times in the last 20 years; in a 2004 test, more than 70% revealed their computer password for a chocolate bar; more unsettling, 34% volunteered it with no bribe at all. Subsequent variants on the chocolate offer have turned up psychological insights around fair play and reciprocity. Research unveiled earlier this year by the University of Luxembourg showed that if chocolate was only given out afterwards, 30% of participants revealed their passwords, but if received beforehand, 44% shared their password.

Image Source: Wikimedia Commons

2 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
dieselnerd
100%
0%
dieselnerd,
User Rank: Strategist
8/2/2016 | 2:01:43 PM
Printing
When are you guys going to fix the print option so that it prints entire articles?
sgordonson***
50%
50%
sgordonson***,
User Rank: Apprentice
8/1/2016 | 11:40:42 AM
Any more recent data on these surveys?
I noticed most of these surveys are 10 years old , do you have any more recent data , to see if attitudes have changed?  In general I agree most non technical users are lax about their security and PI , they have no idea how bad it really is ......
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
7/31/2016 | 9:40:09 PM
Re: Your data is my data
As nice as it would be if your optimism turned out true, unfortunately I've seen more of the latter to be true. I've seen first hand people who could care less about Information Security only take an interest after they've had an event that affected them. I wish more people would make use of the old addage, a smart person learns from their mistakes but a brilliant person learns from others.
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/29/2016 | 2:31:45 PM
Re: Your data is my data
Well you can eitehr call me an optimistic, thinking people will come to their senses and consider that the data they compromised could be theris, or a pessimistic, thinking everyone of us at the pace we are goign with databreach will suffer an identity theft and then will chnage our behavior toward password and data.
Chessie1934
100%
0%
Chessie1934,
User Rank: Apprentice
7/29/2016 | 1:59:16 PM
Re: Your data is my data
Nobody has really been put on the hook for actions that result in a breach so no one cares about truly protecting data.  Once there is a real consquence to the insider who contributes to a data breach--CFO who won't pay for updated software, dumb-ass end user who clicks a supsicious link--in some significant manner, people will start caring about the data that is under their protection.  Until then, the attitude will be they'll just provide credit monitoring to those affected by a breach.  They'd rather pay (more) later than pay (a litlle) up-front to prevent a breach.
rstoney
100%
0%
rstoney,
User Rank: Strategist
7/29/2016 | 9:03:34 AM
Re: Your data is my data
Very true;

 

  But come on - the fresh-baked cookie offering to a group of typically male IT shops is just downright rude and unfair.   Especially around morning coffee time.

 

   My preference is the soft sugar cookies with the hershey kiss in the middle.  Gawd I am hungry now for cookies.  *&&$%## !!!!
phoenix522
100%
0%
phoenix522,
User Rank: Strategist
7/28/2016 | 4:31:03 PM
Re: Wow...
I overheard a person in a non-IT training class a while back as she was stating that the Target breach was blown way out of proportion and there's no need for change when it comes to credit card fraud. Her logic was, "How many people do YOU know who were impacted by that?"

Some people just don't get the need for security, they simply want to bury their head in the sand and let others worry about it. If you add those people who work for a company but they aren't happy there, they are even less worried about what happens to the company data.
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
7/28/2016 | 1:01:05 PM
Re: Wow...
Most, if not all, of the examples cited in the slideshow were in-person interactions. Most social engineers -- the malicious ones -- don't have the nerve to pull this off and don't want to risk being ID'd later.

But, yes... there is an incredible amount of unthinking behavior out there on the part of end-users. This just skims the surface.
TerryB
100%
0%
TerryB,
User Rank: Ninja
7/28/2016 | 12:51:33 PM
Re: Wow...
What I couldn't tell from article was who these people thought they were giving their password to? Was the social engineering hook (true in these cases) that this was only a test/survey? 

Surely it wasn't a cold call who told person "My name is Demitri. Would you please provide me your password and I will send you a cookie."

But even replying to what you thought was test/survey shows a real level of either stupidity or lack of caring about corp data. How would they know if real study or not?

Whoopty has good point. Many probably changed passwords after getting gift. Most, like at our our place, are probably forced to change every 90 days, enforced by system tracking last 31 changes to make sure you don't use password again. Chances are they had password like "Cutekitty8". Three guesses what their next password was? 
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/28/2016 | 11:48:15 AM
Your data is my data
Unfortunately until users consider corporate data - that includes corporate financials but also customers/consumers data like yours and my data- as their own, this behavior will continue.  Individuals who suffered an identity theft through the IRS breach or a healthcare fraud done under their name are less likely to sell passwords or give them away in exchange for cheap bribe.
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13660
PUBLISHED: 2020-05-28
CMS Made Simple through 2.2.14 allows XSS via a crafted File Picker profile name.
CVE-2020-11079
PUBLISHED: 2020-05-28
node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.
CVE-2020-13245
PUBLISHED: 2020-05-28
Certain NETGEAR devices are affected by Missing SSL Certificate Validation. This affects R7000 1.0.9.6_1.2.19 through 1.0.11.100_10.2.10, and possibly R6120, R7800, R6220, R8000, R6350, R9000, R6400, RAX120, R6400v2, RBR20, R6800, XR300, R6850, XR500, and R7000P.
CVE-2020-4248
PUBLISHED: 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 175484.
CVE-2020-8329
PUBLISHED: 2020-05-28
A denial of service vulnerability was reported in the firmware prior to version 1.01 used in Lenovo Printer LJ4010DN that could be triggered by a remote user sending a crafted packet to the device, causing an error to be displayed and preventing printer from functioning until the printer is rebooted...