Why we still prefer words over random passwords

Over the first fifteen years of the 21st century, our use of passwords has skyrocketed. What began with perhaps just a single email account has grown to an average of more than eighty different password-protected accounts covering everything from social networking to home deliveries. And as we shift more and more of our data online, hacking and security flaws have become an ever more real and high-risk threat, with bugs such as Heartbleed in OpenSSL estimated to have left over 500,000 websites across the globe exposed.

« Our passwords haven’t evolved much since we first started making them. »

Today, most of us are familiar with good online security practices. Our passwords should have at least 8 alphanumeric and mixed-case characters, and we shouldn’t be repeating them across the web. But despite greater risk and better education on security, our passwords haven’t evolved much since we first started coming up with them. We’re still far too attached to the ‘words’ in passwords.

Back in 2001, Helen Petrie, professor of human-computer interaction at City University London, analyzed the passwords of 1,200 Britons collected in a CentralNic survey. Petrie identified four primary genres of password: 'family-oriented', 'fans', 'fantasists' and, lagging behind, 'cryptics', leading her to dub the computer password "a 21st century Rorschach inkblot test". Fast forward to 2014 and we see the same behavior. In a recent article in the New York Times, Ian Urbina shared insights from his investigation into the secret lives of our passwords and the psychology behind our choice of these strings of letters and numbers. The trend is clear: despite consistent education on the weakness of our favorite passwords, we are still clinging to them.

So why is that? It is clear that the human mind isn't well equipped to retain the long, random strings of letters, digits and symbols that good password security demands. The simple patterns we are able and willing to memorise (a word, a capital letter, a year, an exclamation mark) are exactly the patterns an attacker's dictionary and substitution rules guess first, which makes them the easiest codes to break. But research from the likes of Petrie and Urbina suggests that our tendency towards personalized passwords runs much deeper than simplicity or laziness.

Our first weakness for insecure passwords comes from a very human sentimentality. Most of us choose to load our passwords with far more meaning than the task demands, and not just to help us remember them. Urbina refers to "keepsake passwords" which serve as a ritual commemoration of something important to us. Each of the people he spoke to from around the world had a different story behind their password choice, from lost loves to hidden secrets. For example, a woman called Rachel felt closer to her father through the word 'Odessa', his childhood home from a troubled past, whereas another case study, Mauricio, takes password change requests as an opportunity to remind himself of personal goals, from quitting smoking to calling his mother.

« Our passwords often better serve our emotional needs than our security. »

Every time we type one of these personal keepsakes, which may have no other place to be recalled, we quietly celebrate what matters most to us. But this sentimentality is putting us at risk. The sense of privacy that comes from these intimate details appears to be a more powerful force than a logical understanding of security, so our passwords often better serve our emotional needs than our security. Researchers Joseph Bonneau and Soren Preibusch argue that our ineffective passwords, encouraged by sites with poor security standards, are in reality more of a psychological placebo for security than a reliable protection for our data.

Password complacency is reinforced by another unhelpful psychological force. Our attachment to "keepsake" passwords is matched by an equally human inability to evaluate risk. Despite years of hearing the message about better security and repeated exposure to threats, hacking (and the ways it can affect our lives) isn't a risk we feel as strongly as some others, at least until we are personally hit by it. Passwords aren't the only risk our brains fail to respond to rationally. Jeunese Payne, Research Associate at the Cambridge University Computer Lab, draws the comparison with our fear of flying relative to car travel, or our inability to perceive the risk of smoking. Sometimes knowledge is completely ineffective at changing behaviour.

« Those personal passwords that we like to think are private, unique and special are in fact typical, predictable and not at all special. »

While we seem predestined to make bad password choices, hackers have the tools to take advantage of that human fallibility, and those tools are not just technical. Rather than the half-man, half-machine who codes his way into your bank account, imagine the social engineer who has figured out how your mind works. The personal passwords we like to think are private, unique and special are in fact typical and predictable, and that predictability is what leaves many of us open to attack. Hackers are psychologists. It is their skill at predicting us as people, as much as their technical prowess, that lets them into our private online lives.
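To make concrete why the simple patterns we are willing to memorise fall first, and what the attacker's "tools" look like in practice, here is an added example that is not code from the article or from anyone it quotes. It is a tiny dictionary-plus-rules guesser of the kind that hashcat and John the Ripper run at scale against leaked hash databases. The seed words, mangling rules and hashed targets are all constructed for the demo, and plain unsalted SHA-256 stands in for whatever hash a site actually stores (it is used here only to keep the script self-contained, not as a recommendation).

```python
"""Dictionary-plus-rules guessing against keepsake-style passwords.

Added illustration: the word list, rules and sample hashes are constructed here.
Unsalted SHA-256 is used only to keep the demo self-contained; it is not how
passwords should be stored.
"""
import hashlib
import math

# Constructed "keepsake" seeds: names, places and pet words of the kind the article describes.
KEEPSAKE_WORDS = ["odessa", "mauricio", "liverpool", "princess", "sunshine"]

# A handful of mangling rules of the sort cracking tools apply by default:
# case changes, leetspeak substitution, and common suffixes (digits, years, symbols).
SUFFIXES = ["", "1", "123", "!", "2014", "!1"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield candidate passwords derived from one base word by applying the rules above."""
    bases = (
        word,
        word.capitalize(),
        word.upper(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    )
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(words):
    """Yield every distinct candidate for a word list, in a fixed order."""
    seen = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(password):
    """Toy hash function standing in for a site's password hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(hashes, words):
    """Try candidates until every target hash is recovered or the list is exhausted.

    Returns (recovered, guesses): a dict mapping hash -> password for each hit,
    and the number of candidates hashed before stopping.
    """
    targets = set(hashes)
    recovered = {}
    guesses = 0
    for cand in candidates(words):
        guesses += 1
        digest = sha256_hex(cand)
        if digest in targets:
            recovered[digest] = cand
            if len(recovered) == len(targets):
                break
    return recovered, guesses


def keyspace_bits(alphabet_size, length):
    """Search space, in bits, of a uniformly random password."""
    return length * math.log2(alphabet_size)


def rule_space_bits(words, suffixes, n_case_rules):
    """Search space, in bits, an attacker faces for word+rule passwords built as above."""
    return math.log2(len(words) * n_case_rules * len(suffixes))


if __name__ == "__main__":
    # Constructed targets: three keepsake-style passwords and one random 8-character one.
    plaintexts = ["Odessa2014", "mauricio!", "Pr1nc355123", "k7#Qz9Lp"]
    targets = [sha256_hex(p) for p in plaintexts]
    recovered, guesses = crack(targets, KEEPSAKE_WORDS)
    for h in targets:
        print(f"{h[:12]}...  ->  {recovered.get(h, '<not recovered>')}")
    print(f"{len(recovered)} of {len(targets)} recovered after {guesses} guesses")
    print(f"word+rule space: ~{rule_space_bits(KEEPSAKE_WORDS, SUFFIXES, 5):.1f} bits")
    print(f"random 8 printable chars: ~{keyspace_bits(95, 8):.1f} bits")
```

Running it recovers the three keepsake-style passwords within 150 guesses, while the random password is never reached: with five words and 30 rule variants the whole keepsake space is about 7 bits, against roughly 52 bits for eight random printable characters. Real rule sets and word lists are millions of entries long, which is why the attacker's guess order, not the character-class rules on the sign-up form, decides how quickly a password falls.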

So rather than leaving little psychological doors open to our most important personal information, let's find other ways to honor our relatives, exorcise our demons and motivate ourselves daily. Let's start using secure passwords.