Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/27/2016
01:00 PM
Terry Sweeney
Terry Sweeney
Slideshows
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

7 Ways To Charm Users Out of Their Passwords

While the incentives have changed over time, it still takes remarkably little to get users to give up their passwords.
Previous
1 of 8
Next

What won't users give up in exchange for their passwords?

Not much, as it turns out.

It is indeed curious what induces users to divulge passwords to perfect strangers. These social experiments offer insight into our psyches, and some would say, the human heart. And they cut to the substance of what motivates us: gratification, money, the prospect of coming out ahead. But that's getting ahead of ourselves… more on all those in a moment.

Passwords are the bane of IT's existence. So much time spent resetting them for hapless users, endless reminders to take down and destroy those password-riddled Post-Its. And stop re-using the same password across multiple accounts! (Talking to you, Mark Zuckerberg). Then there are the regular advisories insisting users change or update their passwords. The rhythms are as predictable as the tides.

Smart organizations insist on some sort of formal training at least once a year to remind users about the importance of password security. Highly evolved enterprises insist on quarterly security refreshers for users. The messaging that does get through isn't very "sticky," as the hipsters in marketing like to say. But sadly, any kind of security training – for passwords or anything else – regularly falls through the cracks at most organizations. Budgets, time, shifting priorities – the excuses are familiar and unending.

There's also the school of thought that passwords are passé. Consumers, credit card companies and Congress are all, apparently, fed up. Given that passwords are being regularly hacked and re-sold, it's clear that text-based logons and passwords are going the way of fax machines. Apple has helped popularize fingerprint authentication, Microsoft's developing facial recognition features, and German scientists think the sound of your skull can be used to ensure your identity. Regardless, multi-factor authentication (MFA) that includes some combination of biometrics, a security token and a PIN will eventually become mainstream, just as soon as they can agree on some standards.

Until that happy day, beware the researcher or security vendor offering you magic beans for your "password123." It just might be a trick.

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/28/2016 | 11:43:51 AM
Re: Wow...
Well, i hope you use unique password because many times hackers will test the password they obtain - by theft, bribe or money - against many other systems until they get into the one they want access to.  You may think you can just chnage your password as soon as revealed and all is safe but hackers are not that stupid, they usually do not ask for the password of the system they wnat access to, they want to study your passwords, test them against other corporate systems until they get their way in.  And be worried, there is always one app you forget that will let them in!
T Sweeney
100%
0%
T Sweeney,
User Rank: Moderator
7/28/2016 | 10:21:40 AM
Re: Wow...
Ha! Thanks, Whoopty... that's a better title, actually: 7 Ways to Bribe Users! I'll admit I was surprised at how many ways there were to get users to give up the goods. Some little treat is actually a great conversational opener for a social engineer, provided they're willing to try it in person and forego the anonymity of the phone.

The other surprise: How many users will give up their passwords just by being asked... no incentive required. What's up with that?
Whoopty
100%
0%
Whoopty,
User Rank: Ninja
7/28/2016 | 8:02:00 AM
Wow...
I thought this piece would be about legitimate social engineering techniques, not outright bribery of people! I'm shocked so many would give up information for a pen.

A cookie I can understand but still...

I might be tempted by the cash, but only because I would immediately change my password after they gave it to me. 
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
CVE-2020-13695
PUBLISHED: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.