Already a customer?
Log a ticket
passwords for chocolate

Passwords For Chocolate: The Gift That Keeps On Giving

Share on facebook
Share on twitter
Share on linkedin
Share on google
Share on email

Would you give up your passwords for free chocolate? Many people would, the media tells us – repeatedly. Why, though, does this story keep popping up?

Passwords are important. But not as important, it would seem, as chocolate. Since 2004, the idea that people will exchange their passwords for chocolate has made headlines several times. Numerous publications have indicated that the offer of free confectionery is all it takes to make folk forget basic security measures.

But how much truth is there to these assertions, and why do they keep popping up?

Let’s start at the beginning. The earliest of the chocolate for password studies we could find was reported on by the BBC on Tuesday 20th April 2004. “More than 70% of people would reveal their computer password in exchange for a bar of chocolate,” it declared. 34% would give it up even without the bribe.

Terrible, right? But what was the source of this information, and how reliable was it?

Passwords For Chocolate, Part 1

As the BBC reported, these stats came from a survey carried out for the Infosecurity Europe trade show that took place in London in April 2004. Commuters passing through the city’s Liverpool Street train station were questioned about their passwords and logins, and the results recorded.

While both worrying and amusing in equal proportions, this experiment was also inherently flawed. For a start, the passwords that were shared were not verified, so it could be the case that 70% of people are prepared to lie about what their passwords are in order to get free chocolate. (Security expert Bruce Schneier feels particularly strongly about this point.)

Bruce Schneir - passwords for chocolate
Bruce Schneier: “I would certainly give up a fake password for a bar of chocolate.”

And let’s not ignore the fact that the people carrying out this survey had an event to promote. It was very much in their interests to get headline grabbing results.

Passwords For Chocolate, Part 2

Bearing that in mind, it’s not surprising that three years later, the same people carried out the same survey in the same city, again at a train station – as the Register reported on 17th April 2007. Nevertheless, this time around there seemed to be have been a bit of an improvement in people’s cyber security awareness. Only 64% of those surveyed were willing to divulge their passwords in exchange for chocolate and “a smile”.

Liverpool Street Station - passwords for chocolate
Liverpool Street station – where commuters happily swap passwords for chocolate.

That would be encouraging, but in this version of the experiment, the survey was extended beyond random commuters at a busy train station to include attendees at the Infosecurity event – in other words, people who should know better.

We still don’t know whether the passwords that people gave up were real or not, of course, but it was interesting enough for news outlets to report on again.

More Passwords For Chocolate

Moving on a couple of years, in 2008, another variation of this survey was carried out, again outside Liverpool Street station. This time the results indicated how much more likely women are to share their passwords so they can get hold of cocoa-based treats.

“Woman 4 times more likely than men to give passwords for chocolate,” said the Guardian, on 16th April 2018 (we’re guessing the headline should read ‘Women’, otherwise it would have been a very quick survey). Specifically, 45% of the women among the 576 people surveyed were caught out, compared to just 10% of the men.

Of course, the same criticisms apply to this version of the study as to previous ones. Also, it’s not clear what the ratio of men to women was. Presumably it was 50/50, but if not, it’s easy to see how the researchers could have skewed the results to fit their agenda.

Speaking of the researchers, who might they be? Would it surprise you to learn that this survey was carried out by none other than Infosecurity Europe?

That’s three years in which this organisation apparently used chocolate to extract passwords from strangers – and always some time around April. Anyone would think they have a yearly trade show to promote.

And it’s not just in those years that Infosecurity Europe has garnered press coverage for carrying out highly unscientific studies. In 2002 and 2003, for example, it tempted commuters with cheap pens, and in 2005, theatre tickets were used to draw out personal information.

Passwords For Chocolate: What Now?

What conclusions can we draw from this? Most obvious is that Infosecurity Europe frequently carries out password surveys around the time that its trade show happens in June each year. Sometimes, the results are picked up by major newspapers and websites, and the surveys thereby do their job of promoting the upcoming event.

That’s fair enough. But what of the results? Can we trust them? No doubt Infosecurity Europe would be the first to accept that these studies aren’t in any way scientific. Without actually logging into other people’s accounts, there’s no way to know if the passwords that people share with them are real. That would be true whether this test were carried out by the organisers of a security event or researchers at a university.

Going on gut feeling alone, however, it seems likely that a large proportion of the passwords and personal information that people shared in these surveys was real – or at least close enough to the truth to be valuable.

That is, of course, worrying. Sharing passwords with strangers is obviously not a good idea, and the power of social engineering is such that many of us are more vulnerable than we might imagine. Even if only a fraction of the results were real, it would be too many.

Nevertheless, it’s important to know where our information is coming from, especially considering the rise of fake news in recent years. In the passwords for chocolate case, the statistics that news sources are so happy to share come from an unscientific survey from an organisation with a vested interested – one that has an event to promote.

Despite that, Infosecurity Europe’s work has plenty of value. The headlines these stories create help to shine a light on the importance of keeping passwords safe. It may be a little repetitive to keep banging on about social engineering, but if it makes people think more carefully about how they share sensitive information, then it really is a blessing.

Would the people in your business give up their passwords too easily? Find out with our Security Awareness Training.

Leave a Comment

Your email address will not be published. Required fields are marked *


TMB Privacy Policy

Why do we hold personal data?

Like any business, TMB Group has to keep personal data about staff, clients and potential customers. When you fill in the contact form on our website, for example, we need to keep a record so we can get back to you. Data is also held so we can deliver our services and so we can provide useful information, such as security update news.

What data do we keep?
Depending on our relationship with you, we’ll hold information such as your first and last names, your email address, your phone number and your postal address. We will also possibly have details about your business and those who work for you. If you’re a customer, then we may have some of your banking detail so we’re able to accept payments for the services we provide.

How is your data stored?

As a responsible IT company, TMB stores personal data on secured computer systems. Anything that is archived will be placed on encrypted drives.

We do use third-party customer management software, Autotask, which means data may be stored on their servers, but only the data we need to deliver our services. The same goes for the Microsoft services we use, such as Word, Excel and PowerPoint, which store information on Microsoft’s cloud servers. We also use Mailchimp for marketing purposes: to send emails and to manage subscriber lists.

These third parties are not permitted to share your data or to use it for marketing purposes. You can find Autotask’s privacy policy here: Microsoft’s privacy policy for Office 365 is here: Mailchimp’s policy is here:

How long do we keep your data?

We will keep your data in our systems until it is no longer relevant to our business, but you can request that we remove or update it at any time. We will also inform any relevant third parties of your request.

Access to your information

The key thing to remember is that your data belongs to you. That means you can request copies of your personal data any time you like, or to access and update it. You also have the right to be forgotten, so if you ask that we delete your data, we will do so or provide a valid reason why we are unable to. We will, of course, require proof of your identity before addressing any such request.

Depending on your request, your information may be provided to you electronically. In such cases, it will be provided in a commonly used format.

Unsubscribing and deletion

Unsubscribing is not the same as a request for us to delete personal data. If, for example, you unsubscribe from a mailing list, it is necessary to keep your email address on record to prevent marketing email from being sent to you. If we were to delete that information, we would have no way to tell if you have unsubscribed. Nevertheless, you still have the right to request erasure of your personal data.

Your right to complain

If, for any reason, you are unhappy with the way your personal data is treated by us, you have the right to complain to a supervisory authority. In the UK, that would be the Information Commissioner’s Office (ICO).

Website analytics

Anyone who visits our website will automatically have data about them collected via Google Analytics. This gives us broad information about what people are doing on our website and which pages they are looking at. It does not provide us with personal information that could be used to identify individuals.


Cookies are small text files that web browsers receive from websites. They are stored on your computer, and they enable sites to do things like remember if you’ve visited before, if you’re a customer, what your preferences are and so on. You are entitled to view our website without them, but you may lose this kind of functionality if you do so.

International data transfers

Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this privacy policy.

Data controllers and processors

TMB is the controller for marketing activity and personal data/special category data we hold on our own employees, but we are the processor when processing our customers’ personal data (e.g. buying a licence for a named individual).  We  may use sub-processors for processing data given to us by customers.

What we won’t ever do is sell your data. And if you sign up to our mailing list, you’ll only receive marketing material from TMB as a result – no one else.

For any questions regarding your data, contact TMB’s technical director, Richard Shuker, at or write to us at A1 Endeavour Business Park, Penner Road, Havant, Hampshire, PO9 1QN..