Survey: Women Four Times More Likely To Give Away Passwords For Chocolate



Okay feminists, hold on to your hats -- and your passwords. A recent survey found that women are far more likely to give away their passwords and other personal information to total strangers than their male counterparts.

The survey, which was conducted by London-based Infosecurity Europe, was part of a social engineering exercise to raise awareness about information security.

Altogether, the study found that out of the 576 office workers who were surveyed, 45 percent of women, versus 10 percent of men polled, were prepared to give away their passwords to strangers masquerading as market researchers. Chocolate and trips to Paris were offered as incentives for completing the survey.

"This research shows that it's pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department," said Claire Sellick, event director of Infosecurity Europe, in a written statement. "This type of social engineering technique is often used by hackers targeting a specific organization with valuable data or assets such as a government department or a bank."

When asked for personal information, 61 percent of the office workers provided their dates of birth for "validation" purposes. The survey also found that more than half of the people questioned used a single password for multiple functions, such as banking, work and e-mail, and that the majority of people only use one, two or three passwords, with 43 percent indicating that they rarely or never change their passwords.

However, the study also indicated a significant drop in the overall number of people willing to give away their passwords and other identifying information to strangers. This year only 21 percent of those surveyed were prepared to give away their personal information compared to a total of 64 percent in 2007.

Regarding the use of passwords in the workplace, half of the workers indicated that they knew their colleagues' passwords. Another 58 percent said that they would give their passwords to someone who phoned and said they were from the IT department.

When asked if they thought other people in their company knew their CEO's password, 35 percent responded that someone else knew their CEO's password, with personal assistants and IT staff as two of the likely positions to have this kind of information.

In addition, 60 percent of men and 62 percent of women provided names and phone numbers with the incentive of a trip to Paris. According to the survey, respondents provided this kind of information willingly because the "market researchers" appeared to be too "well dressed and honest" to be criminals.

"Whether a criminal approaches you on the street or online, they will often not be who they appear to be. A criminal can often look very presentable," said Sellick. "Many of the social engineering techniques used by face-to-face fraudsters have been adopted by criminals to encourage people to open spam emails or visit websites that are infected with viruses, Trojans or malware."

But for partners, the survey begs the question -- are men more security-minded than women? Some partners agree that women might be more trusting with personal information -- particularly those in non-IT related professions.

"Fortunately or unfortunately that is the case," said Michelle Drolet, founder and CEO of Towerwall (formerly ConQwest) based in Framingham, Mass. "Social engineering exercises we typically perform will prey on the entry paths to an organization (typically a woman at the front desk). We walk right in and pretend to be working with IT and ask for passwords from admin staff and yes, we get them. And we are in."

Meanwhile, other partners dispute what they say are simplistic generalizations and are skeptical that security mindedness can be assigned to one gender above the other.

"I disagree, I've seen it happen both ways," said Jay Jensen, president and CEO of Jensen Information Technologies, a network solutions and high-speed communications provider based in Des Plaines, Ill. "Because I work with small businesses they all tend to be lax about (security). If I implement security measures on them, boy do they scream."

"People are either security conscious or they're not," he added.
