Giving Up Passwords for Chocolate

I am just sick of this story: people are willing to reveal their passwords for a bar of chocolate.

I haven't seen any indication they actually verified that the passwords are real. I would certainly give up a fake password for a bar of chocolate.

Posted on April 21, 2008 at 12:22 PM • 52 Comments

Comments

RichApril 21, 2008 12:54 PM

Another option is to give up a real password, and then immediately change it -- you probably were overdue to change it anyway. :-)

Aaron Lemur MintzApril 21, 2008 1:05 PM

Oh no, people gave up their name and telephone numbers, as well!

Note to self: business cards are a security risk.

The MailmanApril 21, 2008 1:05 PM

> I would certainly give up a
> fake password for a bar of chocolate.

Then again, if they were giving away chocolate on the street, it was probably not a cheap product (I assume some kind of industrial milk chocolate bar loaded with way more sugar than actual cocoa); so the trade boils down to bad chocolate for a bad password. Fair enough.

The MailmanApril 21, 2008 1:05 PM

> I would certainly give up a
> fake password for a bar of chocolate.

Then again, if they were giving away chocolate on the street, it was probably not a cheap product (I assume some kind of industrial milk chocolate bar loaded with way more sugar than actual cocoa); so the trade boils down to bad chocolate for a bad password. Fair enough.

PaulApril 21, 2008 1:05 PM

Don't accept sweets from strangers. All children know that - how do you know they've not been tampered with? :-)

artiedApril 21, 2008 1:11 PM

chill brucie baby

first off - its just garbage journalism - as you said there was no verification of the passwords

second - every woman on the planet can give a false number at a seconds notice after years of practice fobbing off dweebs like we - doing so for a chocolate reward would be as natural as breathing to them

MoeApril 21, 2008 1:17 PM

This also works for ATM PIN numbers, as was demonstrated here in some TV show. The decoy stood right in front of the bank. Many people afterwards said that hey assumed this was a legitimate thing, since otherwise the "interviewers" would not be allowed to stand right there, wouldn't they?

nikApril 21, 2008 1:18 PM

They did this at InfoSec. People attending it make their living in security. It is in their interest that the numbers are much higher than reality.

Dom De Vitto April 21, 2008 1:51 PM

I actually think this would work in reality.

Psychologically most people like to tell the truth.
Also more people like a 'fair' trade.

Add these together, and I'd say that most people, given that they believe they are anonymous, and the person can't capitalise on the information, would give their real password, or at least one they had used in the past.

I think asking for a recent, but not current password, would further disarm people and they would go ahead and spill the beans.

But yes Bruce - it's tiring.

Trichinosis USAApril 21, 2008 2:00 PM

Not only would I not give a real password, if they gave me white chocolate, I'd be quite happy to give them passwords for things I have no account on at all. After all, people are always telling me that white chocolate isn't really chocolate.

Heck, if they got Jon Anderson to give me a nice big bar of white chocolate while dressed in a tiger striped speedo, I'd gladly give them the password I had on ramstein.af.mil (which was on an AT&T 3B2 that probably hasn't been in commission for at least 15 years now...)

SpiderApril 21, 2008 2:06 PM

Even a fake password could potentially give them some information. If it was a make of a car, even if it wasn't the right one, they could focus on different car makes and brand names of other things, focusing a brute force attack. It would have to be a fake password that is absolutely nothing like what one of your real passwords would ever be like.

Jeff PettorinoApril 21, 2008 2:07 PM

I agree that this story is getting tedious. I have to wonder at the validity of this as a "test" of a persons security savvy. Without a test to determine if the password is real, it's little more than a media side show, isn't it?

JonApril 21, 2008 2:23 PM

I wonder what would happen if they offered chocolate only if the password was up to some measure of strength. Like if the interviewer claimed to be a sysadmin, wanted to know the password, and would give out chocolate if the password was good enough. I think the users would be in a different frame of mind in this case and would be more curious to see if their password is good than paranoid that their password won't be good for long.

HarryApril 21, 2008 3:07 PM

The thing is, Bruce's readers probably aren't the ones at risk for falling for this. Me, I'd give the password "password" and get the choc. A'course I have plenty of practice creating fake data at the drop of the hat, as so many websites and stores needlessly ask for unnecessary info. There's a lingerie store that now has "John Doe" as a customer because they wanted a name for a cash transaction.

PS - it's against Federal law for a U.S. store to require a phone number on a check.

gApril 21, 2008 3:16 PM

Chocolate is dangerous in the wrong hands! We should ban chocolate from airplanes.

Carlo GrazianiApril 21, 2008 4:18 PM

I'm more interested in the psychiatric disorder that makes one capable of giving away perfectly good chocolate in exchange for a mere password. Isn't there help for these people?

sooth_sayerApril 21, 2008 5:07 PM

Kids post their nude pictures on web .. to advertise their "sexuality" ..

Does it really matter at all if these people loose their "privacy" because someone has their password?

It's a new world out there Bruce and it's every different in many ways from security freeks

ACApril 21, 2008 5:10 PM

Guess I'm overly paranoid (or am I?) - my 1st thought on seeing someone giving out chocolate would be, is there a drug or poison in the mix? Maybe the whole "you can have this in exchange for your password" thing is just a cover.

alanApril 21, 2008 5:10 PM

But is it GOOD chocolate or is it that waxy crap they pass off as chocolate here in the states?

alanApril 21, 2008 6:10 PM

Conclusion: People trying to steal your passwords better offer you chocolate.

Mark J.April 21, 2008 6:34 PM

We're talking about Londoners here. They probably have so many surveillance cameras pointed at them that their passwords are no secret anyway.

thiefhunterApril 21, 2008 7:11 PM

It's a pretty specific subset who do this, though: only people who actually stop to participate in a survey on the street. Most of those who walk on by probably wouldn't have taken the bait. Or the chocolate. That's my theory.

paulApril 21, 2008 8:28 PM

I'd give up someone else's password for some decent chocolate. OK, not someone I liked or someone who could get me fired...

Well, maybe not.

I'm much more concerned about the results for free thumb drives (which cost not much more than chocolate bars to distribute these days, and could do much more damage than most passwords).

Jonadab the Unsightly OneApril 21, 2008 9:51 PM

> It would have to be a fake password
> that is absolutely nothing like what one
> of your real passwords would ever be like.

That probably depends on the complexity of your passwords. If your real password is Chuvatsnya-Blesto'gnostle.Imbozen!Olszewski and the fake one you give out is Argniabek,Hioroftrusien_Claustozhivov~Takeda you're probably going to retire the hardware before they manage brute-force the real password from that pattern, assuming you've got the retry delays set to increase with each failed attempt.

But most normal people are not creative enough to think of *one* even halfway unguessable password, much less another to give out as fake.

An IT professional, we can hope, would be able to make up a phony password on the spot, if called upon to do so. I mean, we have to cough up *real* passwords all the time for this and that and the other thing, so it should be a practiced skill. I've got to the point where I can generate a reasonably memorable but not particularly guessable password in a couple of seconds, based on arbitrary requirements. Eight alphanumeric chars? TqbfJ0ld Sixteen chars case-insensitive all-alphabetic? Twmgtmehtttwhhlw Any length and number of characters I want, easily memorable? Hypopulchrous-Roustabout-And-Indefatigable-Pretensor
There are plenty more where those came from.

But in my experience normal people are doing pretty well if they can come up with anything significantly more complex than the answers to those "security" questions at Yahoo! mail and Live.com and so forth. If a non-geek gives you a password, whether in exchange for chocolate or not, my money says there's a very strong chance it's a real password.

SejanusApril 22, 2008 1:04 AM

Yeah, I've read this few days ago. It's amazing how flawed some "scientific" investigations could be. It's no wonder why people do not believe in statistics et cetera.

James LickApril 22, 2008 2:09 AM

Anyone who has ever given away something free on a web site in exchange for filling out a form knows from experience that at least half the responses are obviously fake.

TheDoctorApril 22, 2008 4:07 AM

Frequently, when you download something thats "free", you are asked to give your eMail address (and it's not checked).

So that poor guy youdont@need.toknow is surely REALLY mad about me.

DaveApril 22, 2008 4:51 AM

So the true story is that there's a security breach in some journalists' methods by which you can get chocolate and a good perve out of them without having to divulge any of your own information.

I wonder if you can go back again and give them a different password and get another chocolate bar...

Speaking of which, I'm a London office worker... where's my good-looking woman bearing candy ?

Jeremy DuffyApril 22, 2008 5:40 AM

Bruce, did you read the recent story about people giving up their e-mail password to Reunion.com? Reunion then spammed all their contacts with invites to Reunion.

Mahalo also asks for an e-mail password. It's become a horrifying trend.

SteveJApril 22, 2008 6:09 AM

More useful was the technique Bruce covered where "attackers" gave away USB keys containing "malware", which phoned home to the researchers to confirm that it had been run.

http://www.schneier.com/blog/archives/2006/06/...

It doesn't really matter whether or not someone will give you their real password, if they will in any case run your code with their privileges.

The fact that "passwords for chocolate" is a better headline than "running unknown code on USB keys" is useful information in its own right, though. It means that people passing the story around think that giving up your password is obviously bad. So it points to a problem - why don't they think that running code on a USB key is equally stupid and hence noteworthy?

Richard BraakmanApril 22, 2008 6:47 AM

@SteveJ: Maybe they think that running code from a free USB key is _so_ stupid that they just don't expect their computer to do it for them without asking.

Mr Risk vs. RewardApril 22, 2008 7:57 AM

People have such short memories…

It wasn’t that long ago when there was a leaky pipe at Cadbury’s Marlbrook factory, which resulted in tens of thousands of chocolate bars becoming tainted with salmonella.

Well, they have to get rid of them somehow, don’t they!

Sexy researcher: “Excuse me sir, give me your computer password and I’ll give you this lovely chocolate bar for free!”

Man: “Fwar. My password is QPR.”

Sexy researcher: “Thank you. Here you are, sir!”

[Man stuffs chocolate bar in mouth]

Man: “Yum yum. Now if you’ll excuse me, I seem to have eaten something that’s disagreed with me….”

[Man hobbles off clutching stomach…]

Colossal SquidApril 22, 2008 9:02 AM

"Bruce, did you read the recent story about people giving up their e-mail password to Reunion.com? Reunion then spammed all their contacts with invites to Reunion."

I got a bunch of spam from Facebook a while back for the same reason.
Bastards.

FDHYApril 22, 2008 10:15 AM

It'd be fun to give her a fake password. Then it'd be even more fun to go into a social engineering bit and tell her about how you know other people's passwords too.

phred14April 22, 2008 10:40 AM

It's not just information, it can happen in the physical world, too.

A key part of the whole "give me your password" scam frequently is to make the scammer appear authoritative - that he/she is someone qualified and with a need to know the information they're asking for. One of the posts here talked of someone official-looking standing in front of a bank, and they wouldn't have been allowed to be there if they weren't official.

A few years back at the Hosstraders' Hamfest in New Hampshire, every half hour or so they would announce on the P.A. that they were trying to track down some "pole pigs" (utility transformers) that were stolen at the previous hamfest. After thinking about it a bit I came to this realization: Those transformers weigh several hundred pounds, and would not be trivial to steal. If I saw 2 guys in blue jeans and flannel shirts rolling them up a 2x12 ramp into a truck, I might be inclined to mention it to someone. On the other hand, I I saw 2 guys in coveralls with a company logo of some sort, and a truck with a small crane/winch, I would expect that they are qualified and authorized - that they are supposed to be picking up those transformers.

On the other hand, either these guys were way ahead of the curve on copper theft, or they have really unusual needs. I would think that having the utility company connect to a privately-owned transformer would be a rather rare and traceable event.

raiApril 22, 2008 10:49 AM

I touch type in qwerty, my passwords are things I can remember like pamanderson now you figure out if Im typing on the home keys or on a dvorak keyboard

;~}

raiApril 22, 2008 10:57 AM

I just had a thought, base in my comment. For those admins who want to change peoples passwords every month, this is a strategy you can use to allow them to keep the same password for a long time, Just make it so that when you go to the keyboard prompt for the password, the the keyboard is no longer a recognized type but is scrambled to other meanings for the duration of the password input. the scramble of the keyboard could be changed as often as you wish without letting the users even know that it works this way. It not unbreakable but its better.

paulApril 22, 2008 11:45 AM

""Bruce, did you read the recent story about people giving up their e-mail password to Reunion.com? Reunion then spammed all their contacts with invites to Reunion."

I got a bunch of spam from Facebook a while back for the same reason.
Bastards."

You can blame Facebook and Reunion.com, but you can also blame whichever of your friends gave their email password to an application that says "we're going to look through your contacts list and send email to people on it".

2eatwhoApril 22, 2008 1:18 PM

'...The American dream...eating bonbons'
Swordfish, Gabriel.
Point: people will give up security to get $ and to have pleasure, especially when those in charge think this way.

-read- or consider that today, everything is like a box of chocalates...

Angel oneApril 22, 2008 1:20 PM

the real problem is that we're continuing to design security systems which rely on untrained users to be the ultimate defense against attackers. If, for example, two factor authentication was used, you wouldn't have to worry about people giving away their passwords for a candybar.

SteveJApril 22, 2008 2:52 PM

@Richard Braakman: "just don't expect their computer to do it for them without asking."

Fair point, but not relevant in this case. According to the testers they did not use autorun:

"The executable was masked as a jpeg image, taking advantage of Windows' default of hiding file extensions, as well as embedding a custom icon in the executable."

A real attacker might use autorun as well, I suppose, on grounds that there's no harm in it.

But in my comment I didn't mean that the targets of the test don't think running code is stupid in the same way that they think giving up their password is stupid. Obviously plenty of targets failed both tests.

What I meant is that the researchers who repeat the chocolate-password experiment, and the journalists who report the story and annoy Bruce, obviously think it's remarkable that the trick works. So why don't they think it equally newsworthy that the USB trick works?

SteveJApril 22, 2008 3:00 PM

@Angel one

If your second factor is some kind of physical token, you do still have to worry about people lending them, or reading the numbers off them to an attacker, or using them on an attacker's behalf. Mitnick's "The Art of Deception" recounts anecdotes in which attackers convince employees to do exactly this kind of thing to circumvent two-factor systems.

So two-factor authentication doesn't necessarily mean "you don't have to worry" if the second factor is a physical token. It does raise the bar, though, and biometrics might be even better, if you can get it right.

acApril 23, 2008 8:17 AM

Why not just say: I'll give you my password if you give me your password. You go first.

(A play on the old "I'll get naked if you get naked" line)

Not newsApril 23, 2008 9:34 PM

@SteveJ
"So why don't they think it equally newsworthy that the USB trick works?"

Simple: "password for chocolate" is only 3 words. Fewer words wins. Blame "Headline Mentality" and shrinking attention spans.

SteveJApril 24, 2008 5:55 AM

@Not news:

No, I don't think it's that (although it's a fair suggestion). For two reasons:

1) In this case, as an example, the actual headline used wasn't "passwords for chocolate" anyway, it was "Security is No Match for Chocolate and Good Looking Women". So clearly short isn't everything.

2) You could come up with an equally short headline for the USB key thing: "Security is No Match for Freebies and Good Looking Women". Although my personal preference would be "Beware of Geeks Bearing Gifts".

ArtikelverzeichnisMay 15, 2008 8:05 PM

I mean, we have to cough up *real* passwords all the time for this and that and the other thing, so it should be a practiced skill. I've got to the point where I can generate a reasonably memorable but not particularly guessable password in a couple of seconds, based on arbitrary requirements. Eight alphanumeric chars?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..