But you probably knew that already.
A survey out today by the organizers of the tech-security conference Infosecurity Europe found that 21% of 576 London office workers stopped on the street were willing to share their computer passwords with a good looking woman holding a clipboard. People were offered a chocolate bar in exchange for the information. More than half of the people surveyed said they used the same password for everything.
There are a lot of skeptical comments over at the WSJ blog. However, a friend of mine who is a well-known figure in the security community said this in e-mail:
…we did a similar chocolate bar or $2 pen hand out in London to collect passwords. Our gathering password rate was 84%. We then contacted each security domain (we asked for their related email address to send them a free voucher entry for more candy bars). We asked the domain administrators (ISPs, businesses, etc.) to simply review the list and send back the percentage of correct collected passwords. Our response rate from the domain administrators was only 30% or so…I can’t remember the exact number…but it was less than half and more than a quarter. The ones that did respond confirmed that over 60% were the actual passwords.
To this day, if I hadn’t participated in the survey and collected the results myself, I would not have believed it.
So, clearly if you want to fish for passwords, your odds of getting something useful in exchange for a chocolate bar and a few minutes of face time with a good-looking woman are pretty darn good. Scary!