7 Ways To Charm Users Out of Their Passwords
While the incentives have changed over time, it still takes remarkably little to get users to give up their passwords.
July 27, 2016
What won't users give up in exchange for their passwords?
Not much, as it turns out.
It is indeed curious what induces users to divulge passwords to perfect strangers. These social experiments offer insight into our psyches, and some would say, the human heart. And they cut to the substance of what motivates us: gratification, money, the prospect of coming out ahead. But that's getting ahead of ourselves… more on all those in a moment.
Passwords are the bane of IT's existence. So much time spent resetting them for hapless users, endless reminders to take down and destroy those password-riddled Post-Its. And stop re-using the same password across multiple accounts! (Talking to you, Mark Zuckerberg). Then there are the regular advisories insisting users change or update their passwords. The rhythms are as predictable as the tides.
Smart organizations insist on some sort of formal training at least once a year to remind users about the importance of password security. Highly evolved enterprises insist on quarterly security refreshers for users. The messaging that does get through isn't very "sticky," as the hipsters in marketing like to say. But sadly, any kind of security training – for passwords or anything else – regularly falls through the cracks at most organizations. Budgets, time, shifting priorities – the excuses are familiar and unending.
There's also the school of thought that passwords are passé. Consumers, credit card companies and Congress are all, apparently, fed up. Given that passwords are being regularly hacked and re-sold, it's clear that text-based logons and passwords are going the way of fax machines. Apple has helped popularize fingerprint authentication, Microsoft's developing facial recognition features, and German scientists think the sound of your skull can be used to ensure your identity. Regardless, multi-factor authentication (MFA) that includes some combination of biometrics, a security token and a PIN will eventually become mainstream, just as soon as they can agree on some standards.
Until that happy day, beware the researcher or security vendor offering you magic beans for your "password123." It just might be a trick.
As any social engineer will affirm, you catch more flies with honey than with vinegar. The chocolate-for-passwords stunt has been replicated numerous times in the last 20 years; in a 2004 test, more than 70% revealed their computer password for a chocolate bar; more unsettling, 34% volunteered it with no bribe at all. Subsequent variants on the chocolate offer have turned up psychological insights around fair play and reciprocity. Research unveiled earlier this year by the University of Luxembourg showed that if chocolate was only given out afterwards, 30% of participants revealed their passwords, but if received beforehand, 44% shared their password.
This is a slight variation on the password trap set with a chocolate bar: Prey on a weakness for sugar, leverage childhood memories, make the temptation too good to resist. And while a New York-based cookie enabler didn't ask for passwords specifically, she still managed to get people to give up Social Security numbers, fingerprints, driver license info, mother's maiden names and even photographs of themselves in exchange for a Chocolate Chili Fleur de Sel cookie.
Armed with all that personal information, who really needs a password?
A vendor study of users in six countries released earlier this year found that 20% of employees would sell their passwords for cold, hard cash. According to SailPoint, 44% were willing to do it for less than $1,000; some would sell corporate credentials for less than $100. Employees from the US showed the greatest willingness to take cash for their passwords (27%); Germany was next (20%), followed by a tie between France and the U.K. (16% each), then another tie between the Netherlands and Australia (12% each). Though it is tempting to write off the survey-leading, security-flouting Americans as the biggest money-grubbers, we prefer to view them as the world's worst bargainers.
A completely unscientific survey of U.K. users done in 2003 showed that 95% of men and 85% of women were willing to divulge passwords for "a cheap pen," up significantly from the previous year when 65% of surveyed users were willing to make that deal. The same survey found that 80% of workers would take confidential information with them when they changed jobs. Moreover, 75% said they'd be unable to resist looking at files with coworkers' salary information; 38% said they'd be unable to keep that information to themselves.
More than 270 participants in a 2005 vendor survey were offered a $3 Starbucks gift card for their company passwords; two-thirds (66%) made the trade. But even among those who refused, 70% were still willing to offer a clue about their password. One of the study's respondents who said he was too busy to respond to questions, but still wanted the gift card, sent his assistant to complete the survey. The assistant obligingly revealed both the boss's password and her own.
Researchers did not divulge if she ordered two chai soy lattes on the way back to the office.
Thinking it was helping users improve their online security, CNBC earlier this year gave website visitors a chance to gauge the strength of their passwords. The business news channel said the tool was for "entertainment and educational purposes" only and would not store the passwords. Unfortunately, CNBC didn't use SSL/TLS encryption for the page, which inadvertently made the passwords visible. Worse, traffic analysis showed the tool was storing passwords in a Google Docs spreadsheet; the tool also sent passwords to Google's DoubleClick and to a comScore division, both of which had trackers on CNBC's page.
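The CNBC episode is a design lesson as much as a configuration one: a password-strength meter has no reason to send the candidate password anywhere, so a page that is served over plain HTTP, writes what users type into a spreadsheet and hands it to third-party trackers fails on every count. The following is an added example, not CNBC's tool and not code from the original article, of a meter whose estimate is computed entirely in the browser (or in Node, for testing) and never leaves the page. The character-pool sizes, rating thresholds and the short common-password list are constructed assumptions, and `pageAllowsPasswordInput` is a hypothetical guard that refuses to run the meter unless the page was loaded over HTTPS.

```javascript
// Added example: a client-side-only password-strength estimator.
// Nothing here performs a network request; the password is scored in memory
// and only a numeric estimate and a label are returned to the caller.

// Assumed character pools: which character classes appear in the password and
// how many symbols each class contributes to the search space.
const CHARSET_POOLS = [
  [/[a-z]/, 26],
  [/[A-Z]/, 26],
  [/[0-9]/, 10],
  [/[^a-zA-Z0-9]/, 33], // printable ASCII punctuation (assumed size)
];

// Constructed list of very common passwords. A real deployment would ship a
// much larger list with the page, still without sending the password anywhere.
const COMMON_PASSWORDS = new Set([
  "password", "password123", "123456", "qwerty", "letmein",
]);

// Rough entropy estimate in bits: length * log2(pool size of the classes used).
// A password on the common list scores 0 regardless of its composition.
function estimateEntropyBits(password) {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) return 0;
  let poolSize = 0;
  for (const [pattern, size] of CHARSET_POOLS) {
    if (pattern.test(password)) poolSize += size;
  }
  if (poolSize === 0) return 0;
  return Math.round(password.length * Math.log2(poolSize) * 10) / 10;
}

// Assumed thresholds for turning the bit estimate into a user-facing label.
function classify(bits) {
  if (bits < 28) return "very weak";
  if (bits < 36) return "weak";
  if (bits < 60) return "reasonable";
  return "strong";
}

// The only thing the UI should ever see: an estimate, a label, and an explicit
// record that the password itself was never transmitted.
function checkPassword(password) {
  const bits = estimateEntropyBits(password);
  return { bits, rating: classify(bits), transmitted: false };
}

// Hypothetical guard: a page that asks for a password (even "for entertainment")
// must itself be served over HTTPS, or a network observer can read the input.
function pageAllowsPasswordInput(protocol) {
  return protocol === "https:";
}

// Browser wiring (skipped under Node): score on every keystroke, locally.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (!pageAllowsPasswordInput(window.location.protocol)) {
    console.warn("Password meter disabled: page not served over HTTPS");
  } else {
    const input = document.querySelector("#password"); // assumed element id
    const output = document.querySelector("#rating");  // assumed element id
    if (input && output) {
      input.addEventListener("input", () => {
        const result = checkPassword(input.value);
        output.textContent = `${result.rating} (~${result.bits} bits)`;
      });
    }
  }
} else {
  console.log(checkPassword("password123"), checkPassword("Tr0ub4dor&3"));
}
```

The estimate is deliberately crude; its purpose is to show that the whole computation fits in a few lines of client-side code, so there is never an architectural reason for the password to reach a server, a spreadsheet or an advertising tracker.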
Jack Johnson of the pop-rap duo Jack & Jack asked his 3 million Twitter followers to direct-message him their passwords so he could post videos of himself to their Twitter feeds. "DM me those passwords (only me tho, don't ever give out ur passwords to strangers)," he said in a tweet that's since been deleted. What could go wrong? His lawyer claimed that Johnson's Twitter account is protected against hacking by two-factor authentication and that the popstar deletes the passwords the same day they are sent.