The survey was carried out by the organisers of Infosecurity
Europe 2003, an exhibition at London's Olympia from 29th April to
1st May.
In last year's survey, only 65% of workers interviewed at the
station revealed their passwords (although that survey appeared to
lack the incentive of a free pen).
Workers were asked a series of questions which included "what is
your password?", to which 75% immediately gave their password. If
they initially refused, they were asked which category their
password fell into – and then asked a further question to find out
the password. A further 15% then revealed their passwords.
One interviewee said, "I am the CEO. I will not give you my
password – it could compromise my company's information". He later
said that his password was his daughter's name. "What is your
daughter's name?" asked the interviewer, and the interviewee replied
without thinking, "Tasmin".
This technique for finding out passwords is known as social
engineering. Hackers often use it to gain access to systems,
frequently by pretending to be calling from the IT department and
requesting a user's log-in and password to "resolve a network
problem".
Of the 152 office workers surveyed, many explained the origin of
their passwords, such as "my name - Cynthia", "my football team -
Arsenal", "my car - celica", "my pet's name - Dibbles", "my date of
birth". The most common password was "password" (12%) and the most
popular category was their own name (16%) followed by their
football team (11%) and date of birth (8%).
The survey also found that the majority of workers would take
confidential information with them when they changed jobs and would
not keep salary details confidential if they came across them.
Around 80% of workers would download contacts or competitive
information to take with them to their next job, which shows they
think it valuable enough to risk stealing it; 55% admitted that
they would download company information if asked to by a
friend.