A treat for password crackers

Commentary: Would you divulge your password to a complete stranger?

A large majority would immediately pooh-pooh the notion but not some office workers in London. Out of 172 office workers recently surveyed at the Liverpool Street rail station, 71 percent were willing to reveal their passwords for a bar of chocolate.

The study was conducted by Infosecurity Europe as part of its annual research on office scruples.

Many participants were willing to explain the origins of their passwords, which ranged from their favourite soccer team to their pet or child's name. The most common password was "admin". Two-thirds use the same password for personal Internet access for services such as online banking.

While the results of the survey were disturbing, remarks made by some respondents were plain shocking.

"I work in a financial call centre. Our password changes daily but I do not have a problem remembering it as it's written on the board so that everyone can see it," said one participant. When pressed on who "everyone" constituted, the worker said, "... I think they rub it off before the cleaners arrive."

A senior executive who was interviewed said he initially had trouble remembering his password -- which changed every month. So he devised a "foolproof solution" by combining his wife's name with the current month.

According to Infosecurity Europe, 80 percent of respondents were tired of using passwords while 92 percent said they would prefer to use alternatives such as smartcards, tokens or biometric technology.

This year's results were slightly better than the previous year's, when 90 percent of the 152 office workers surveyed at Waterloo Station gave away their passwords for a cheap pen.

"We keep as many passwords as possible at the default that comes with the software such as 'admin' or 'password' so that we don't have to keep remembering them. I log onto different applications and networks around a hundred times a day ... it is a nightmare to remember all the passwords," one worker told Infosecurity Europe in the 2003 survey.

On the surface, these stories may sound ridiculous but they do bring home a key point -- password management is a nightmare.

Although software applications to manage passwords are readily available, the challenge goes beyond technology -- in this day and age, it's getting harder to clearly discern the boundaries between work and personal tasks. For instance, employees would rather log in to their Internet banking Web site during office hours than spend precious time in a queue.

Even Microsoft Chairman Bill Gates predicted the death of the password in a recent speech at the RSA Security conference in San Francisco. He said it was time to remove the vulnerabilities associated with employees using "weak passwords".

Mainstream acceptance of different forms of authentication will take time but in the interim, companies should prohibit employees from revealing or even discussing their passwords. And if you ever intend to run a business in London, conduct a gullibility test ... just in case.