Would you give up your passwords for free chocolate? Many people would, the media tells us - repeatedly. Why, though, does this story keep popping up?
Passwords are important. But not as important, it would seem, as chocolate. Since 2004, the idea that people will exchange their passwords for chocolate has made headlines several times. Numerous publications have indicated that the offer of free confectionery is all it takes to make folk forget basic security measures.
But how much truth is there to these assertions, and why do they keep popping up?
Let’s start at the beginning. The earliest of the chocolate for password studies we could find was reported on by the BBC on Tuesday 20th April 2004. “More than 70% of people would reveal their computer password in exchange for a bar of chocolate,” it declared. 34% would give it up even without the bribe.
Terrible, right? But what was the source of this information, and how reliable was it?
Passwords For Chocolate, Part 1
As the BBC reported, these stats came from a survey carried out for the Infosecurity Europe trade show that took place in London in April 2004. Commuters passing through the city’s Liverpool Street train station were questioned about their passwords and logins, and the results recorded.
While both worrying and amusing in equal proportions, this experiment was also inherently flawed. For a start, the passwords that were shared were not verified, so it could be the case that 70% of people are prepared to lie about what their passwords are in order to get free chocolate. (Security expert Bruce Schneier feels particularly strongly about this point.)
And let’s not ignore the fact that the people carrying out this survey had an event to promote. It was very much in their interests to get headline grabbing results.
Passwords For Chocolate, Part 2
Bearing that in mind, it’s not surprising that three years later, the same people carried out the same survey in the same city, again at a train station – as the Register reported on 17th April 2007. Nevertheless, this time around there seemed to be have been a bit of an improvement in people's cyber security awareness. Only 64% of those surveyed were willing to divulge their passwords in exchange for chocolate and “a smile”.
That would be encouraging, but in this version of the experiment, the survey was extended beyond random commuters at a busy train station to include attendees at the Infosecurity event – in other words, people who should know better.
We still don’t know whether the passwords that people gave up were real or not, of course, but it was interesting enough for news outlets to report on again.
More Passwords For Chocolate
Moving on a couple of years, in 2008, another variation of this survey was carried out, again outside Liverpool Street station. This time the results indicated how much more likely women are to share their passwords so they can get hold of cocoa-based treats.
“Woman 4 times more likely than men to give passwords for chocolate,” said the Guardian, on 16th April 2018 (we're guessing the headline should read 'Women', otherwise it would have been a very quick survey). Specifically, 45% of the women among the 576 people surveyed were caught out, compared to just 10% of the men.
Of course, the same criticisms apply to this version of the study as to previous ones. Also, it’s not clear what the ratio of men to women was. Presumably it was 50/50, but if not, it’s easy to see how the researchers could have skewed the results to fit their agenda.
Speaking of the researchers, who might they be? Would it surprise you to learn that this survey was carried out by none other than Infosecurity Europe?
That’s three years in which this organisation apparently used chocolate to extract passwords from strangers – and always some time around April. Anyone would think they have a yearly trade show to promote.
And it’s not just in those years that Infosecurity Europe has garnered press coverage for carrying out highly unscientific studies. In 2002 and 2003, for example, it tempted commuters with cheap pens, and in 2005, theatre tickets were used to draw out personal information.
Passwords For Chocolate: What Now?
What conclusions can we draw from this? Most obvious is that Infosecurity Europe frequently carries out password surveys around the time that its trade show happens in June each year. Sometimes, the results are picked up by major newspapers and websites, and the surveys thereby do their job of promoting the upcoming event.
That's fair enough. But what of the results? Can we trust them? No doubt Infosecurity Europe would be the first to accept that these studies aren’t in any way scientific. Without actually logging into other people’s accounts, there’s no way to know if the passwords that people share with them are real. That would be true whether this test were carried out by the organisers of a security event or researchers at a university.
Going on gut feeling alone, however, it seems likely that a large proportion of the passwords and personal information that people shared in these surveys was real – or at least close enough to the truth to be valuable.
That is, of course, worrying. Sharing passwords with strangers is obviously not a good idea, and the power of social engineering is such that many of us are more vulnerable than we might imagine. Even if only a fraction of the results were real, it would be too many.
Nevertheless, it’s important to know where our information is coming from, especially considering the rise of fake news in recent years. In the passwords for chocolate case, the statistics that news sources are so happy to share come from an unscientific survey from an organisation with a vested interested – one that has an event to promote.
Despite that, Infosecurity Europe’s work has plenty of value. The headlines these stories create help to shine a light on the importance of keeping passwords safe. It may be a little repetitive to keep banging on about social engineering, but if it makes people think more carefully about how they share sensitive information, then it really is a blessing.
Would the people in your business give up their passwords too easily? Find out with our Security Awareness Training.