"The experiment found that out of 576 people questioned this year, 21% were quite happy to reveal their passwords in exchange for candy."
The problem with that quote (and the story it comes from) is that it characterizes 120 people as complete buffoons with less self-restraint than a 3-year-old.
The byline for the story states that a "study finds more than one in five people easily duped into revealing their passwords for a sweet treat." Now, from my understanding, there is a touch more social engineering going on than this. Researchers approach commuters in a transit station and ask a number of questions like how many passwords they have to remember and whether they use things like pets, family members, or sports teams for inspiration.
No doubt it is disturbing that 1 in 5 people will so willingly give up their password, but let’s give them a little bit of credit here. They are away from the office and on their own time. The perceived risk level is going to be very low. Perhaps the conversation starts out with the participant being anonymous. Maybe after getting some answers, the researcher chats casually for a while with the participant. Then in what might appear as an afterthought, the researcher asks for a business card so he/she can send a follow-up email.
Ask yourself how easy it would be to fall into that trap.
Giving out a password in exchange for a candy bar is idiotic. Being duped by a smooth-talking "researcher" with a series of carefully planned survey questions (and some candy for your trouble) is not. These types of vulnerabilities are far more indicative of failures in IT policy and user education than of weak-willed workers desperate for a sugar fix.
Oh, the story that set me off is this one: Sweet-toothed employees willing to exchange passwords for candy. It’s a sensationalist headline to an article that spins a story intended to shock more than inform. It makes me feel dirty linking to it, and sorry for the 120 people it mocks and demonizes.