Password shambles opens the door to hackers

Apr 21 2004 by Brian Amble

Computer security in UK companies is shambolic, according to new research, as a survey of office workers at Liverpool Street Station found that 71 per cent were willing to part with their password in return for a chocolate bar.

The survey also found the majority of workers would take confidential information with them when they change jobs and would not keep salary details confidential if they came across them.

The research was undertaken by the organisers of this month's Infosecurity Europe 2004 in a quest to find out how security conscious workers are with company information stored on computers.

Workers were asked a series of questions, including "What is your password?", to which 37 per cent immediately gave their password. If they refused, the researchers used social engineering tactics - "I bet it's to do with your pet or child's name". At this a further 34 per cent revealed their passwords.

Of the 172 office workers surveyed, many explained the origin of their passwords, such as "my team - Spurs", "my name - Charlie", "my car - minicooper", "my cat's name - Tinks". The most common password categories were family names such as partners or children (15 per cent), followed by football teams (11 per cent), and pets (8 per cent). The most common password was "admin".

When asked if they would give their password to someone calling from the IT department, they were slightly more wary, with only 53 per cent saying that they would not give their password as it could cause a security breach.

That still left just under half of workers vulnerable to social engineering techniques, which are often used by hackers to gain access to systems. They often pretend to be calling from the IT department and request a user's logon and password to "resolve a network problem".

Password security was also not good between colleagues, as 4 out of 10 knew their colleagues' passwords and 55 per cent said that they would give their password to their boss.

One man said "we use 10 different systems a day, so we all use the same passwords for each one so that we can remind each other if we forget."

A large number of people also admitted to poorly safeguarding their details, often by writing them down - or in many cases storing them on disk or hard drive.

But most users are unrepentant, with 80 per cent saying they are fed up with passwords and want a better way to log in to computer systems. Almost all said that they would rather be able to log on using biometric technology such as fingerprint and iris scanners, or be able to log on using smartcards or tokens.

According to figures from consultants PWC, one in five of the UK's larger companies have suffered security breaches in IT over the last year and almost one in ten fell foul of significant fraud, with flagging password security boosting business vulnerability.

One interviewee said, "I work in a financial call centre, our password changes daily, but I do not have a problem remembering it as it is written on the board so that everyone can see it."

"What, everyone?" the researcher asked. "Yes, although I think they rub it off before the cleaners arrive", replied the worker.