My theory on why people wind up using common passwords

February 18, 2009

When we talk to people about passwords, especially about website passwords, generally what we teach them is some variant of 'do not write down your passwords and always use different ones on each service'. Time after time, what happens is that people follow half of this; they have only one common password, but they don't write it down.

It has recently occurred to me that there is a sensible explanation for this result (beyond the obvious one that it is the more convenient option if you are only going to follow one half of the teaching): the risks of common passwords are less intuitively obvious than the risks of writing passwords down. People can easily imagine the problems with writing things down, because it involves simple physical risks like someone stealing your piece of paper, but the problems of common passwords are more abstract and distant; attackers stealing password databases and the like are not so familiar for most people, and probably not as real as a result.

Thus, more or less faced with choosing between mitigating a risk that they easily understand and mitigating a risk that they don't really grasp, it's not surprising that most people mitigate the risk that they can easily imagine, even if this risk is in practice the smaller one.

(We already know that people routinely mis-estimate risks in various ways, so this should not be very shocking.)

Applications to other security risks and scenarios are left as an exercise for the reader, but I am already peering at all sorts of things through this new prism of moderate insight.

Comments on this page:

From at 2009-02-18 02:36:54:

Schneier's prescription for passwords is: get a strong password (preferably randomly generated), write it down on a card and PUT IT IN YOUR WALLET. Because your wallet is something you always have with you, something you pay attention to, and if someone takes it, you will notice it quickly and will be able to react quickly. Makes total sense, but the problem is that writing a password is considered – incorrectly – an absolute no-no.

It's completely idiotic to believe that people can just remember a number of strong passwords.

Even more idiotic are policies that impose complexity rules on the password, require frequent changes, but ask the user to create it. For example, at work we have to change every 30 days, and the password has to contain at least one digit and one non-alphanumeric character. The result is that most users use "password!1", and then "password!2" the next month, and so on and so forth. Completely pointless.

- Nixar

Written on 18 February 2009.

Last modified: Wed Feb 18 01:45:42 2009