Workers were asked a series of questions, including "What is
your password?", to which 37% immediately gave their password.
If they initially refused, the researchers used social engineering
tactics, "I bet it's to do with your pet or child's name",
at which a further 34% revealed their passwords.
Of the 172 office workers surveyed, many explained the origin
of their passwords, such as "my team - Spurs", "my
name - Charlie", "my car - minicooper", "my
cat's name - Tinks". The most common password categories
were family names such as partners or children (15%), followed
by football teams (11%) and pets (8%). The most common password
was "admin". One interviewee said, "I work in
a financial call centre, our password changes daily, but I
do not have a problem remembering it as it is written on the
board so that everyone can see it." "What, everyone?" our
stunned researcher asked. "Yes, although I think they
rub it off before the cleaners arrive", replied the worker.
When asked if they would give their password to someone calling
from the IT department, they were slightly more wary, with only
53% saying that they would not give their password as it could
cause a security breach.
That still left just under half of workers vulnerable to social
engineering techniques, which are often used by hackers to
gain access to systems. Hackers often pretend to be calling from
the IT department and request a user's log-on and password
to "resolve a network problem".
Password security was also not good between colleagues, as 4
out of 10 knew their colleagues' passwords and 55% said that
they would give their password to their boss. One man said,
"We use 10 different systems a day, so we all use the same
passwords for each one so that we can remind each other if
we forget."
In addition to using their password to gain access to their
company information, two thirds of workers use the same password
for personal access such as online banking, website access,
etc. Using just one password could make them more vulnerable
to financial fraud or even identity theft.
Workers used an average of 4 passwords; however, one person
who was a system administrator regularly used 40 passwords,
which he stored using a program that he had written himself
to keep them secure. Most passwords were changed on a monthly
basis (51%); 3% change their passwords weekly, 2% change them
daily, 10% change them each quarter, 13% rarely change their
passwords and 20% never change their passwords. Many of the
commuters who regularly had to change their passwords kept
them on pieces of paper in their drawer or stored in Word documents.
One senior executive for a bank said that he had to change
his password every month and he used to have a problem remembering
what it was, but now he has a "foolproof" solution.
When our researcher asked what it was, he replied, "I use my wife's
name and add the current month, so now I never forget what
it is!"
Eighty percent of workers were fed up with using passwords
and 92% said that they would rather be able to log on using
biometric technology such as fingerprint and iris scanners,
or be able to log on using smartcards or tokens. When asked
whether they would feel happier using internet banking if their
bank provided biometric and smart card technology to verify
their identity, 86% of workers said that this would make them
feel safer, and most of them said that it would also encourage
them to use online banking as they felt it would make their
information more secure.
Seventy-one percent of workers would download contacts or
competitive information to take with them to their next job,
which shows they think it valuable enough to risk stealing
it (80% in 2003 and 54% in 2002).
Men were more likely to take information with them to their
next job (76%), whereas 64% of women would take the information
with them. By stealing confidential information such as contacts,
workers are not only taking a vital asset to a competitor, they
could also expose their employer to prosecution under the Data
Protection Act.
If workers came across a file containing everyone's salary
details, 71% of workers didn't think they would be able to
resist looking at it (75% in 2003 and 61% in 2002). A further
23% said they would also pass the information around the office.
Many of the workers who said that they would keep the information
confidential said that they worked in personnel and finance
departments, so they had access to the information anyway.
Claire Sellick, Event Director for Infosecurity Europe 2004,
Europe's leading information security event, said: "This
survey proves people are still not as aware as they could be
about information security; this often comes down to poor training
and procedures. Employers should make sure that their employees
are aware of information security policies and that they are
kept up-to-date. Clearly the workers are fed up with having
to remember multiple passwords, and would be happy to replace
them with alternative identification technology such as biometrics
or smartcards."