Security crumbles in the face of sweet bribes

It also showed that 34% of respondents volunteered their password when asked without even needing to be bribed.

A second survey found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned.

Security firms predict that the lax security practices will fuel a British boom in online identity theft.

Security shock

The survey on passwords was carried out for the Infosecurity Europe trade show due to take place at Olympia in London from 27-29 April.

The survey data was gathered by questioning commuters passing through Liverpool Street station in London and found that many were happy to share login and password information with those carrying out the research.

Pet names are often used for passwords

As well as people simply telling the questioners their passwords or saying they would hand them over in exchange for some confectionery, a further 34% revealed the word or phrase they used when asked if it had anything to do with a pet or child's name.

Family names, pets and football teams were all used by those questioned to provide inspiration for a password.

The survey found that, on average, people have to remember four passwords, though one unlucky respondent had to remember 40.

Many adopt very unsafe tactics to remember these login names. Some of those questioned simply use the same password for every system they must log on to.

Those that used several passwords often wrote them down and hid them in a desk or in a document on their computer.

Almost all of those questioned, 80%, said they were fed up with passwords and would like a better way to login to work computer systems.

Stolen goods

A separate survey carried out for RSA Security found further evidence of the lax password and security habits of Britons.

It found that many people volunteered important personal information, such as their mother's maiden name or their own date of birth, when questioned during a street survey.

Such information is coveted by identity thieves as these facts are often used by sites as security checks.

The RSA survey found that maintaining online identities is becoming a burden for many people who, on average, use 20 sites that require them to register and then log on afterwards.

To make these different online personas easy to manage, two-thirds use the same password for all the different sites.

Of those questioned 33% said they shared passwords or wrote them down to make it easy to remember which one to use on which website.

"We are amazed at the level of ignorance from consumers on the need to protect their online identity," said Tim Pickard, spokesman for RSA Security.

Tony Neate, from the National Hi-Tech Crime Unit, said the British economy loses millions of pounds a year as a result of identity fraud.

"This can only increase if people do not become more aware of their responsibilities to protect their virtual identities," he said.

Your comments

So Tim Pickard for RSA Security is "Amazed at the level of ignorance from consumers on the need to protect their online identity," ? I am amazed at the stupidity of the IT industry in creating this problem in the first place. It is not just passwords that need to be remembered, user names also vary, as each site has its own format and character restrictions, e.g. some allow dot & some don't, some allow slash and some don't, etc. so it is impossible to devise a unique login name that meets all possible websites' requirements. That is before you ask the question why does this site need login details at all? Whatever happened to anonymous logins?
Philip Mulholland, Edinburgh, Scotland

I work for a high profile IT company and I am amazed at the number of people that use common everyday names or words as passwords. We have to use 'alphanumeric' passwords i.e. 'mer45cedes' as an example. As a word of advice to anyone who is confronted with the common practice of using 'mother's maiden name' when setting up an account online - don't use her real maiden name, use anything else you like. You don't have to use the real name, just remember a fictitious one for 'computer use only'. Also, don't use your name as a log-in, use something alphanumeric such as your car and car registration number i.e. peugeotrv02tkn - it is just as easy to remember (usually) but harder to crack.
Jon, Horsham, UK

The idea that we can remove all risk is foolish Jim, Milton Keynes UK

It is interesting that security companies are highlighting the issues of people using the same password for multiple systems and sites as a security flaw whilst many companies are calling for single login for their corporate systems including many government departments. Using a single password is no more insecure than using a different one for every system. Both can result in security breaches. The problem is not with how many passwords however but educating people not to reveal the information to anyone.

It is impossible to create a fully secure system (apart from putting it in a room with no network connectivity, never turning it on and banning people from using it). The idea that we can remove all risk is foolish. Business should take the lead with support from Government to educate users in to how they can mitigate the risks of identity theft. This can be done through web sites and paper literature. The exercise should be repeated at least twice and preferably more frequently.
Jim, Milton Keynes UK

The first person or company able to provide a low-cost, effective, secure alternative to the problem of us 'ignorant' consumers not being able to remember or manage a multitude of passwords (without writing them down and/or using the same password in lots of places) will be richer than Bill Gates. Humans are not the problem - systems are the problem.
Ross Gerring, Perth, Australia

So we're not supposed to use the same password for different systems and we're not supposed to write them down. Some of my work systems require a password change every 30 days - what are we supposed to do?!
Ian, Bristol, UK

They have no way of knowing that the passwords given were the real passwords (how could they check?). If they were offering chocolate, I would imagine even the slowest witted people would manage to give a random word in order to get a freebie.
Tom Turner, London/Oxford

I don't know why people are so unimaginative with their passwords Paolo, Italy

I don't know why people are so unimaginative with their passwords. I use the registration numbers of our various family cars from the sixties and seventies...indelibly stamped on my brain - the data's probably untraceable now.
Paolo, Italy

Is this a serious journalistic article or just a piece of propaganda for the IT security community? Did they actually test every single person's passwords? Or perhaps people just gave a random word to a) get their free chocolate, or b) get the annoying researchers out of their face..
Anon, UK

Remember, writing down passwords isn't always a bad thing. If, for example, people wrote down passwords for websites accounts, they might be able to have more unique passwords rather than the same one for all... It's a trade off between having more unique passwords and the risk of someone finding/losing the piece of paper.
Chris, Wales, UK

I use the internet a lot, and I'm probably registered at 80+ sites. How on earth are you supposed to remember over 80 individual passwords?! Until the software companies or website managers make it easier to access and use their systems users will always 'share' passwords across sites or simply use words or phrases they can easily remember.
Mark, Sheffield

I have six passwords for systems at work alone all need changing every three months and I cannot repeat a password that has been used as one of the previous six I have used. I then have personal logins to various web sites. How do I remember them all if I don't write them down? In theory these security measures make things safer but in reality everyone uses the same password for everything or keeps them on a list.
Phil Barrett, Leeds

Are you sure this is not "70% of people would lie and pretend to reveal their computer password in exchange for a bar of chocolate"?
Roger Savery, Buxton, UK

I think that the worst thing that you can be asked to do is to keep changing your password. When you have tens of systems which require a password, if you have to keep changing them, you have to write them down to remember them - it's just too hard to remember otherwise. Time to step back and think about security taking real people in to account, not some imaginary perfect user.
Martin Millmore, Reading, UK

I'd reveal my "password" to anybody if they were offering me free chocolate! My password is "givemefreechocolatenowplease"!
Mark, Coventry, West Midlands.

Go and buy Roboform and save all your passwords which can be as difficult as you like on a pendrive which you can take with you. Even has a password generator. Then you can almost forget about passwords
Graeme Williams, London UK