What won't users give up in exchange for their passwords?
Not much, as it turns out.
It is indeed curious what induces users to divulge passwords to perfect strangers. These social experiments offer insight into our psyches, and some would say, the human heart. And they cut to the substance of what motivates us: gratification, money, the prospect of coming out ahead. But that's getting ahead of ourselves… more on all those in a moment.
Passwords are the bane of IT's existence. So much time spent resetting them for hapless users, endless reminders to take down and destroy those password-riddled Post-Its. And stop re-using the same password across multiple accounts! (Talking to you, Mark Zuckerberg). Then there are the regular advisories insisting users change or update their passwords. The rhythms are as predictable as the tides.
Smart organizations insist on some sort of formal training at least once a year to remind users about the importance of password security. Highly evolved enterprises insist on quarterly security refreshers for users. The messaging that does get through isn't very "sticky," as the hipsters in marketing like to say. But sadly, any kind of security training – for passwords or anything else – regularly falls through the cracks at most organizations. Budgets, time, shifting priorities – the excuses are familiar and unending.
There's also the school of thought that passwords are passé. Consumers, credit card companies and Congress are all, apparently, fed up. Given that passwords are being regularly hacked and re-sold, it's clear that text-based logons and passwords are going the way of fax machines. Apple has helped popularize fingerprint authentication, Microsoft's developing facial recognition features, and German scientists think the sound of your skull can be used to ensure your identity. Regardless, multi-factor authentication (MFA) that includes some combination of biometrics, a security token and a PIN will eventually become mainstream, just as soon as they can agree on some standards.
Until that happy day, beware the researcher or security vendor offering you magic beans for your "password123." It just might be a trick.