The survey was run by the organisers of Infosecurity Europe
2004, an information security exhibition at London's Olympia. It
also showed that the majority of workers would take confidential
information with them when they change jobs and would not keep
salary details confidential if they came across them.
Workers were asked a series of questions which included, "What
is your password?" – to which 37% immediately gave their password.
If they initially refused, the researchers used social engineering
tactics: "I bet it's to do with your pet or child's name" – at
which a further 34% revealed their passwords.
Of the 172 office workers surveyed, many explained the origin of
their passwords, such as "my team – Spurs," "my name – Charlie,"
"my car – Mini Cooper," "my cat's name – Tinks."
The most common password categories were family names, such as
partners or children (15%), followed by football teams (11%), and
pets (8%). The most common password was "admin".
One interviewee who worked at a financial call centre revealed
that the office password changes daily, but said it was easy to
remember: "it is written on the board so that everyone can see
it," adding that the board would likely be wiped before the
cleaners arrived.
When asked if they would give their password to someone calling
from the IT department, respondents were slightly more wary – with
only 53% saying that they would not give their password as it could
cause a security breach.
That still left just under half of workers vulnerable to social
engineering techniques, which are often used by hackers to gain
access to systems. They often pretend to be calling from the IT
department and request a user's log-on and password to "resolve a
network problem."
Password security between colleagues was also poor: four out of
ten knew their colleagues' passwords, and 55% said that they would
give their password to their boss.
One man said his office uses 10 different systems a day, so he
and his colleagues share one password for each system so that they
can remind each other if they forget.
In addition to using their password to gain access to their
company information, two thirds of workers use the same password
for personal access such as on-line banking and web site access.
Using just one password could make them more vulnerable to
financial fraud or identity theft.
Workers used an average of four passwords. Most workers (51%)
change their passwords monthly, 3% change them weekly, 2% daily
and 10% each quarter, while 13% rarely change their passwords and
20% never change them.
Many of the commuters who regularly had to change their
passwords kept them on pieces of paper in their drawer or stored
them on Word documents.
Eighty percent of workers were fed up with using passwords and
92% said that they would rather be able to log on using biometric
technology such as fingerprint and iris scanners, or be able to log
on using smartcards or tokens.
Seventy-one percent of workers would download contacts or
competitive information to take with them to their next job, which
shows they think it valuable enough to risk stealing it.
By stealing confidential information such as contacts, workers
are not only taking a vital asset to a competitor, they could also
expose their employer to prosecution under the Data Protection
Act.
If workers came across a file containing everyone's salary
details, 71% of workers didn't think they would be able to resist
looking at it (75% in 2003 and 61% in 2002). A further 23% said
they would also pass the information around the office.