Saturday, November 1, 2008

Identity theft (the lazy way)


Suppose you need to register for something and a valid Identity Number (מספר זהות) is required. What would you do?
Or you need the actual photo of someone's ID card?
Or full credit card information?

Nah, just kidding. I wouldn't be surprised if some cleverly crafted Google query could get you even this, though.

For full personal information, however, there is nothing better than good old resumes.
http://www.google.com/search?hl=en&q=%D7%AA.%D7%96.+%2B+%D7%A7%D7%95%D7%A8%D7%95%D7%AA+%D7%97%D7%99%D7%99%D7%9D
Most of them contain more than enough information for a successful identity theft. This is obviously not a local phenomenon; it happens all over the world. What sets Israelis apart, however, is an overwhelming tendency to include ID numbers and a helluva lot of other personal information.
Fresh-from-college applicants tend to do this to fill their otherwise empty resumes; some are searching for jobs in the government/military sector. Another source of the problem is recruiting agencies. Upon application you will usually be asked for your ID number. The sole purpose of this is to ease tracking of applicants in their internal database. The problem is that some agencies decide to spice up the resume and add the ID number, among other things.
Anyway, next time one of your friends decides to put his or her CV up for public viewing, remind them, for example, to what degree exactly the ID card is checked for validity at the bank when opening a new account.

Tuesday, October 21, 2008

Password Habits

Data on users' password habits is hard to come by. Most available research bases its publications on data collected with the help of control groups. While these results are fairly good and representative, it stands to reason that a number of inaccuracies are dragged along, due to how control groups are usually assembled and who generally participates in them (I was unable to find any research on the subject with a good explanation of its selection criteria. Why is that never discussed in depth?). Fortunately for us, these inaccuracies or impurities are rather insignificant, and the collected information can still be extrapolated to the general public. After all, most of us share similar preferences when it comes to remembering things.
Here I would like to present some real-life statistics; albeit based on only ~48000 samples, they should give a good view of password selection habits. Only the actual results are shown; it's left up to the reader to draw any conclusions.

Background information:
  • Source data is a list of 48595 username-password pairs, coming partially from a public discussion board (28595) and partially from a corporate network resource (20000). Users' awareness of information security is unknown, but we can assume with a great deal of certainty that their expertise spans the complete spectrum from 'casual user' to 'technically inclined'.
  • We can also assume that the average age for the 20000 list is 20+ (people working in the company have most likely finished college, army service, etc.).
  • Alphanumeric and general characters are allowed. Minimum password length is 6.
  • The initial password generated by the administrator is 10 characters long and consists of mixed-case letters and numbers, e.g. UaI7VyijSt.
  • For passwords from the public discussion board: users whose last access date was no more than a week after their registration date were removed. This is done to clean the list of one-time users, who presumably chose a common, simple-to-remember combination. This should remove a great share of non-representative passwords and give us better statistics.
Results:
  1. Overall distribution by length (X axis: length, Y axis: distribution percentage):
  2. Combination matches a publicly available wordlist (~3349730 words): 5.12%
    Distribution by length:
  3. Consists solely of numbers: 11.91%
    Distribution by length:
  4. Top 30 most frequently occurring passwords:
  5. Has a numerical suffix (remaining characters are alphabetic): 19.83%
    Has a numerical prefix (remaining characters are alphabetic): 2.81%

    Top 30 suffixes/prefixes:
  6. Original server-assigned password retained (under the assumption that passwords of the form UaI7VyijSt are indeed system-assigned and not user-chosen): 1.44%
  7. Capitalized (remaining characters are lowercase/numbers/general): 2.41%
  8. All letters are uppercase (remaining characters are either numbers or general): 0.19%
  9. Consists solely of the same repeating character (e.g. aaaaaaa, 33333333): 0.74%
  10. A double pattern (e.g. funkyfunky): 2.84%
  11. Password is a username derivative (e.g. username: vikk -> password: Zvikk007): 1.52%
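The categories in the results list above can be reproduced as a small password-audit script, useful for running the same habit analysis over a password dump recovered during an internal audit. This is an added example, not the post's own tooling; the sample pairs, the tiny wordlist and the exact definition of the "server-assigned" form are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample pairs; they are NOT taken from the post's 48595-entry data set.
SAMPLE = [("vikk", "Zvikk007"), ("anna", "123456"), ("funky", "funkyfunky"),
          ("bob", "aaaaaaa"), ("carol", "Password1"), ("dave", "ADMIN99"),
          ("erin", "UaI7VyijSt"), ("frank", "12hello"), ("grace", "dragon"),
          ("hank", "Summer2008")]
# Tiny constructed wordlist standing in for the ~3.3M-word public list in the post.
WORDLIST = {"dragon", "hello", "password", "funky", "summer"}

def looks_server_assigned(pw):
    # Assumption: the admin-generated form is exactly 10 alphanumerics mixing
    # upper case, lower case and digits (as in the post's UaI7VyijSt).
    return (len(pw) == 10 and pw.isalnum() and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def classify(user, pw):
    """Categories from the post's results list that (user, pw) falls into; they may overlap."""
    cats = set()
    letters = [c for c in pw if c.isalpha()]
    if pw.lower() in WORDLIST:
        cats.add("wordlist")
    if pw.isdigit():
        cats.add("all_digits")
    if re.fullmatch(r"[A-Za-z]+\d+", pw):
        cats.add("numeric_suffix")
    if re.fullmatch(r"\d+[A-Za-z]+", pw):
        cats.add("numeric_prefix")
    if looks_server_assigned(pw):
        cats.add("server_assigned")
    if pw and pw[0].isupper() and not any(c.isupper() for c in pw[1:]):
        cats.add("capitalized")
    if letters and all(c.isupper() for c in letters):
        cats.add("all_upper")
    if len(set(pw)) == 1:
        cats.add("repeated_char")
    if pw and len(pw) % 2 == 0 and pw[:len(pw) // 2] == pw[len(pw) // 2:]:
        cats.add("double")
    if user.lower() in pw.lower():
        cats.add("username_derived")
    return cats

def summarize(pairs):
    """Percentage per category plus the most common numeric suffixes/prefixes."""
    counts, affixes = Counter(), Counter()
    for user, pw in pairs:
        counts.update(classify(user, pw))
        m = re.fullmatch(r"[A-Za-z]+(\d+)|(\d+)[A-Za-z]+", pw)
        if m:
            affixes[m.group(1) or m.group(2)] += 1
    pct = {c: round(100.0 * n / len(pairs), 2) for c, n in counts.items()}
    return pct, affixes.most_common(30)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Replace SAMPLE with the real pairs and WORDLIST with a full wordlist to reproduce the post's measurements; the length histograms are a simple Counter over len(pw) and are left out here.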

Saturday, October 18, 2008

Authorized Personnel Only

A couple of weeks ago I decided that the time had finally come to abuse my student status and purchase one of those too-good-to-be-true discounted Egged (Israeli Transport Cooperative) bus passes. The instructions on Egged's site for getting the card were surprisingly thorough. And so I went wandering through the Central Bus Station in search of platform number 19, opposite which, according to the instructions, the cards were being sold.
The only thing in front of the platform was a shady door marked "Authorized Personnel Only". It didn't look much like a box office. At this point I'm not sure whether it was my overwhelming confidence in Israeli bureaucracy or, more likely, just a brief moment of stupidity, but since there were no other doors in the vicinity of the platform, I went in.

Walking through the halls didn't yield much except for two workers, a man sitting in front of a bunch of computers in a command office of some sort and a teller, neither of whom showed even the slightest interest in an obvious stranger.
Eventually, after some ten minutes of poking around offices, another teller asked me if she could be of any assistance, and even that was not before a couple of seconds of confused blabbering on my side, accompanied by a 'Where the hell am I?' facial expression.

OK: a lack of even the simplest physical security measures. A workspace with confidential data left unattended (raw materials for cards plus an UNLOCKED terminal interface). Workers not instructed in basic security measures. Not that surprising, really. But a box-office location being specified by its back entrance for personnel and not by the actual window for the general public (located, apparently, near platform 17)?