
Thread: Password Security Trivia

  1. #1
    Join Date
    Jan 1970
    Location
    Ferny Grove, Brisbane
    Posts
    757
    Total Downloaded
    0

    Password Security Trivia

    I went to a seminar a couple of weeks ago on Identity Management and one of the speakers from a US University runs a group whose sole purpose it is to compromise their own University's IT security, to find holes and then have them fixed.

    So one day they decided to try something a little low tech. They sent out some students with chocolates and stuffed toys to select students and staff members at random to see if they could entice out of them their username and passwords.

    Results:
    Stuffed toys worked better than chocolates
    Females garnered more details than males
    Females had a 100% success rate with males

    I am not sure exactly what they were wearing but that is scary.

  2. #2
    VladTepes's Avatar
    VladTepes is offline Major Part of the Heart and Soul of AULRO Subscriber
    Join Date
    Feb 2004
    Location
    Bracken Ridge, Qld
    Posts
    16,055
    Total Downloaded
    0
    An exercise was conducted along these lines by an IT firm some time back. It was all done with pens.

    The firm dressed up in their corporate shirts and went around to people saying "We are checking the password security of the system, to make sure people are constructing their passwords properly". Oh, and here's a pen to thank you for your help.

    HEAPS of people just TOLD THEM THEIR PASSWORDS OUTRIGHT.

    Too bloody trusting.

    An after-hours survey also revealed that many people had their passwords written under their keyboards!

    Just proves that technology is rarely the problem. People are the problem.
    It's not broken. It's "Carbon Neutral".


    gone


    1993 Defender 110 ute "Doris"
    1994 Range Rover Vogue LSE "The Luxo-Barge"
    1994 Defender 130 HCPU "Rolly"
    1996 Discovery 1

    current

    1995 Defender 130 HCPU and Suzuki GSX1400


  3. #3
    Join Date
    Jan 1970
    Location
    Ermington, NSW, Au
    Posts
    444
    Total Downloaded
    0
    Scary.

    I can recommend a book called "The Art of Deception" by Kevin Mitnick. He was on the FBI's most wanted list for a while for a long list of "hacking" exploits.

    In his book he lists various ways of gaining access to other people's systems. Most of them are very low tech and exploit social engineering. In most cases people are the weak link.
    2012 110 Defender

  4. #4
    VladTepes
    Kevin Mitnick - that's the guy I was trying to think of. The bloke is a genius.

    (Evil genius perhaps, but genius nonetheless)

  5. #5
    Tombie Guest
    Originally posted by VladTepes:
    Kevin Mitnick - that's the guy I was trying to think of. The bloke is a genius.

    (Evil genius perhaps, but genius nonetheless)
    Did he get to them by their number plates???

  6. #6
    Join Date
    Apr 2008
    Location
    Adelaide SA
    Posts
    2,517
    Total Downloaded
    0
    Originally posted by Tombie2:
    Did he get to them by their number plates???
    There is one in every crowd...

  7. #7
    VladTepes
    No, he probably researched it meticulously for hours on online forums.

  8. #8
    Join Date
    Jan 1970
    Location
    Ferny Grove, Brisbane
    Posts
    757
    Total Downloaded
    0
    Originally posted by Tombie2:
    Did he get to them by their number plates???
    Funny you should say that because I remembered this story after replying to the number plate thread. People sometimes worry too much about the unlikely and miss the easy vulnerability.

  9. #9
    Join Date
    Mar 2008
    Location
    Melbourne
    Posts
    572
    Total Downloaded
    0
    I have worked in IT for nearly 30 years and what really gives me the irrits is idiots forcing me to change my password every 90 days. St George bank does it for business accounts. I have tried explaining to the numbskulls in the tech dept that it is actually less secure as eventually you end up writing it down to help you remember it.

    Had the same user name and password with the nab ever since they started internet banking.

    I have one password for anything not money related which is simple and I couldn't care if it gets compromised and one more complex for secure sites except St Bloody George.

  10. #10
    Join Date
    Jan 1970
    Location
    Ferny Grove, Brisbane
    Posts
    757
    Total Downloaded
    0
    Originally posted by martinozcmax:
    I have worked in IT for nearly 30 years and what really gives me the irrits is idiots forcing me to change my password every 90 days. St George bank does it for business accounts. I have tried explaining to the numbskulls in the tech dept that it is actually less secure as eventually you end up writing it down to help you remember it.

    Had the same user name and password with the nab ever since they started internet banking.

    I have one password for anything not money related which is simple and I couldn't care if it gets compromised and one more complex for secure sites except St Bloody George.
    Security mechanisms can be broken given enough time so there are clever people out there who work out the average time it would take for a password being guessed by a password generator etc. Then we set the password change frequency to be less than that. We have a 60 day cycle here at the uni.
