Blog article
See all stories »

Half of women will give you their password for chocolate

Thought I was having deja vu again, but it turns out they ran this survey last year too. Infosecurity Europe polled office workers outside Liverpool Street Station here in swinging London and found 45 per cent of women were quite happy to give strangers (market researchers) their email password in return for a chocolate bar. The figures for men were 10 per cent.

More disturbing stats: 

  • half of people used the same password for everything

  • 43 per cent of people rarely changed their password

  • 58 per cent freely gave out their passwords to anyone claiming  they were from their office's IT department

  • half claimed to know passwords belonging to their colleagues.

Full story is in The Inquirer.
3728

Comments: (6)

A Finextra member
A Finextra member 17 April, 2008, 08:48Be the first to give this comment the thumbs up 0 likes

Is anything chocolate proof?

Might it be better to have a system where you only 'log on' through the same interface for everything, using the same process? It would be handy if it was designed so even if you told someone else, it wouldn't really do them much good. A 'no passwords' system is possible.

Of coure the rule is tell no-one, but chocolate....

John Fitzgerald
John Fitzgerald - AIB - Dublin 17 April, 2008, 08:59Be the first to give this comment the thumbs up 0 likes Didn't Microsoft try that with Microsoft Passport? The single log on I mean, not the chocolate ..
Philip Knight
Philip Knight - Asset Advantage Ltd - Reading 17 April, 2008, 09:28Be the first to give this comment the thumbs up 0 likes Stupid women or stupid men? Two comments: how did they know that the password was a valid one? And if you offer me something for free I'd tell you my password (maybe even a valid one) and then promptly change it whilst I munch away on the free choccy. The only real conclusion must be that women like chocolate more than men - and I think we knew that already...
A Finextra member
A Finextra member 17 April, 2008, 14:46Be the first to give this comment the thumbs up 0 likes A quick poll here suggests that women do indeed like chocolate more than men. In fact some put men quite a long way back down the list of things they like.
A Finextra member
A Finextra member 21 April, 2008, 15:34Be the first to give this comment the thumbs up 0 likes

Phillip you are a trickster, good idea with the fake password.

John, with regard to single sign on here's my simplistic view:

The problem with the Microsoft solution was that not enough people trusted them and/because their methodology was flawed. I can't see how it could ever have been practical.

As for passwords, truth be known I'd prefer a system where there was no 'log-on' at all. There are some interesting possibilities and ideally we would adopt a system where there was no logon, no passwords and no personally identifiable data flying around. I suppose the only reason my bank displays my name and address on my account screen is because they think there's a risk I might be supplied with someone else's data. Better methodology would see that risk disappear along with the opportunities for fraud.

Single sign on does not mean that you sign on once to do any number of things on any number of sites, including your banking. To me it means that you have a single sign on process for all interactions, however you may be required to refresh your credentials for example when you are making a financial transaction. The system must not rely on everyone trusting everyone else in the chain.

However it also means that when you visit your doctor you 'sign on' once to allow access to your records, consultation with your medical insurance providers and government health services if they are involved in your health care transaction. When it comes to paying a gap payment you might authenticate again, at the completion of your consultation to authorise a debit or credit payment.


Through the single authentication process you are identifying yourself to the doctor, authorising their right to access your medical records, confirming to your insurer and possibly the government, that you are receiving treatment from that doctor and verifying that they are eligible to receive any subsidy for your treatment. The whole process would take you about 10 seconds, and probably wouldn't even interrupt your conversation. Less time, less risk, lower costs - better treatment?

There are elements to the architecture which I'd rather keep to myself but I'm not prepared to let Microsoft handle my medical or financial data. I certainly wouldn't sign in to Microsoft as my first point of call on the net, I'd prefer someone substantially more neutral and I'm certain most consumers would too.

It would be prudent to design an internet banking system with hackers in mind and assume they are always going to defeat your defenses. Simply make the process one where hackers are prevented from interfering with transactions even if they can capture the 'random' information. e.g. When shopping at a merchant do you care that the merchant is telling his bank that someone bought a pair of trousers for $199.95? Even if it is you, no-one else knows, even the theoretical hacker reading the merchant's messages to his bank, if you use the right methodology. Some vendors are approaching this idea but still stuck with bad methodology.

To explore the full possibilities one needs to discard the present modus operandi and all the preconceptions which have followed. I am astounded by the phishers continued dominance of the bank to customer email channel. I briefly considered membership of a leading anti-phishing group but quickly concluded that they were in fact a developing industry themselves directed at spreading the bad news and not really 'incentivated' to actually arrive at a solution, although they have very effectively measured and reported the extent of the problem. Similarly I have attended banking security conferences where everyone basically agreed that security was window dressing and as long as everyone was doing equally poorly then all was o.k.

Single sign on has some possibilities, but not in the way it's been seen publicly, so far.

A Finextra member
A Finextra member 25 April, 2008, 12:46Be the first to give this comment the thumbs up 0 likes

Conventional passwords are fundamentally insecure. Better to follow concepts like icon-based randomised personal soft keypads. The user cant actually describe them, so its difficult to self-compromise, and the whole message security and anti-phishing aspects work much better.

Also people have a better capacity to remember images that conventional passwords.

Look at www.tricerion.com for an example and a good explanation.

Retired Member

Member since

19 Mar 2009

Location

Blog posts

6,066

Comments

6,309

This post is from a series of posts in the group:

Whatever...

A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.


See all