How much is your password worth?

It does not matter what kind of security system an organization has. The most important thing of all is that its members are identified through proper authentication, which is usually done with a supplied username and a unique password. Aside from this method, authentication may also be done by verifying something that only the specific person would know, something that only that person has, or something that the person is. While something that a person has mostly involves biometrics, so that it is guaranteed that no one else but that specific person can access the information, something that consists of bits of information is susceptible to misuse by the person himself or herself.

An experiment was held in London in 2004. In this experiment, random Liverpool Street station commuters were invited to participate. Different questions were asked about the commuters’ passwords without directly asking for them. Each participant received a bar of chocolate as a reward. The scary thing is that more than 70% of these commuters revealed their passwords. Such instances pose a great threat to the security systems of these commuters’ organizations.

These commuters did not have any idea what the survey was actually about. This is true of most people. They do not realize that they actually tell other people their passwords through the seemingly innocent information that they disclose.

This experiment was repeated in 2007 and again in 2008, still in London. In the 2007 experiment, the number was lower at 64%, while in the 2008 experiment it became even lower at 55%.

The 2008 experiment also involved phone calls in which someone pretended to be from an organization’s IT department. As a result, more than 58% of the respondents gave their passwords over the phone. This method and many more are described in Kevin Mitnick’s “The Art of Deception”.

In another report, the Pew Research Center showed that out of 800 teen-aged respondents, 30% had shared their passwords with their partners or their friends. This happens more frequently with older girls.

There are different reasons why the respondents share their passwords. The first reason they give is intimacy. They see password sharing as one of the acts that demonstrate serious, life-long commitment. Most couples believe that it is a way of developing and showing trust in each other. Most of them are not aware of how unhealthy this practice is. There are also some unconventional reasons for such actions, such as having a friend or partner prevent one from logging in to one’s social networking accounts when one has to work or study.

For security professionals, this means that they should understand how people can make irrational decisions, including sharing their passwords. The first step in preventing security problems is education. The most basic rule is also the simplest and most effective – never share passwords. Employees should realize that there is no exception to this rule. The second thing is the most failsafe method, which is the use of biometrics. It is something that can never be shared, and it does not give employees a chance to share it.

April 3, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013