Naked Security

Want to keep your password safe? Give up chocolate…

If you want someone to tell you their password, offer them chocolate first

A recent large-scale study of 1,208 people by the Université du Luxembourg has revealed how the potency of social engineering attacks can be increased with the help of a little chocolate.

Social engineering is the art of tricking people into doing things for you, such as handing over confidential information. It’s popular with criminals because for all the wizardry of stealing, cracking, sniffing, phishing and logging, the easiest way to get somebody’s password is sometimes just to ask for it, nicely.

The study was co-authored by Dr André Melzer, who describes in the paper how criminals can increase the potency of social engineering attacks by exploiting the sense of obligation we feel after receiving a small gift:

When someone does something nice for us, we automatically feel obliged to return the favour. This principle is universal and important for the way we function as a society. However, this internal pressure can also be exploited to achieve certain purposes, such as encouraging someone to divulge a password.

During the experiment, undercover researchers carrying University of Luxembourg bags asked passers-by about their attitude towards computer security, but also asked them for their password.

During the interview the researchers gave the interviewees gifts, and the effect of one gift, chocolate, was pronounced.

The research showed that this small gift greatly increased the likelihood of participants giving away their password. If the chocolate was only given out afterwards, 29.8% of participants revealed their passwords. However, if the chocolate was received at some point beforehand, a total of 43.5% of the respondents shared their password with the interviewer.

It also seems that the closer the gift is to the question, the stronger our sense of obligation becomes: in cases where participants were offered chocolate immediately before being asked for their passwords, the figure rose to 48%.

Unsophisticated thieves who turn up empty-handed needn’t give up hope though – 30% of the experiment’s control group (who only received chocolate after being asked for their passwords) still handed over their passwords.

What we don’t know (and this is where you should apply your salt pinch) is how many of the passwords were real.

As somebody who regularly has to ask for access to small companies’ computer systems, I find that insecure oversharing of passwords is more the rule than the exception (it is one of 4 password mistakes small companies make, in fact).

Our personal passwords are the keys to our digital lives, and our work passwords can be a gateway to both our employer’s confidential information and the personal, private data of their customers.

If somebody asks for your password, ask yourself if you’d be willing to hand over your house keys or the code for the company alarm system too. If you aren’t then you probably shouldn’t be handing over your password.


16 Comments

Infosecurity UK PR stunt from 12 years ago drives university research! Who said PR isn’t influential ;-)
http://www.theregister.co.uk/2007/04/17/chocolate_password_survey/

Did anybody verify that these passwords were actually CORRECT?? If you offered me chocolate in the street in exchange for a password I’d give you a fake one at the drop of a hat!!

Humans like chocolate, they also like free stuff ;)

You misunderstand – they weren’t offered chocolate in exchange for passwords, it wasn’t a trade and the research isn’t about the price of passwords. It’s about the fact that it’s harder to say no to somebody who is generous to you in advance of asking you a question.

As to did anybody check if the passwords were correct – from the article: “What we don’t know (and this is where you should apply your salt pinch) is how many of the passwords were real.”

They *did so* give up their (fake) passwords for chocolate!

You can put big words round it but that’s what it boils down to :-)

You don’t always have to react to an article especially when you didn’t read it…

For the researchers to “find out” if the passwords were authentic would be unauthorized access. Of course the researchers did not use the credentials. Therefore, any percentage given should not be interpreted for real world data. This experiment, I assume, was to proclaim awareness. Sociology is interesting. The researchers learned more about the subject based off of human interactions, as opposed to gaining a password. That is what I think it was all about. To see how people respond, unrestrained, free world action. Having a fond grasp of that would let the researchers know if the password the person gave was true or false without ever gaining unauthorized access. OSI Layer 8: The Meat Layer. GET PWNED.

I’ll give you a password for chocolate. I’ll give you 3 for beer.
But they won’t be my passwords.
Surely this study should be called “people give away random strings of characters for chocolate” because that’s about all it proves.

I always dislike when this study is brought up. If you offered me something free, I’ll give you my “password” as well; it just won’t be the right one and won’t work.

The study was published at the end of March 2016 so it hasn’t been around long. The people who took part were not offered something free. There was no offer of “I’ll give you this chocolate if you tell me your password”.

The participants were involved in a survey and given some chocolate – some were offered chocolate in the beginning, some in the middle and some at the end. During the session the participants were also asked to reveal their passwords.

People who were given chocolate at any stage in the proceedings up to the point where they were asked the password question were more likely to hand over a password. Not because the questioner offered them a deal or coerced them but because it’s harder to say no to people who are nice to you.

The lesson for social engineers is: if you’re going to phone somebody and ask them for their password, ask how their kids are first.

The lesson for social engineers seems to be, “Forget asking them about their children. Offer them chocolate, then they’ll give you a password almost half the time. Of course, the last laugh may be theirs when you try to login with it, because it might not be their password.”

See the article to which the first commenter refers. That was back in 2004. This research may have been dressed up differently, but, hey, it’s the same thing in different language. Maybe all it actually shows is that if you are nice to people, they will lie to you in the hope of a reward?

It’s true that people feel a social obligation. This knowledge is widely used in successful fundraising, although I have not seen the rationale stated explicitly. Fundraisers do know, though, that if you make a person feel special and do a lot of nice things for them, they’re more likely to say yes to your request. Why do you think big money donors get a personalized prospectus, fabulous meals, and lots of positive attention?
