When we talk to people about passwords, especially about website passwords, generally what we teach them is some variant of 'do not write down your passwords and always use different ones on each service'. Time after time, what happens is that people follow half of this; they have only one common password, but they don't write it down.

It has recently occurred to me that there is a sensible explanation for this result (beyond the obvious one that it is the more convenient option if you are only going to follow one half of the teaching): the risks of common passwords are less intuitively obvious than the risks of writing passwords down. People can easily imagine the problems with writing things down, because it involves simple physical risks like someone stealing your piece of paper, but the problems of common passwords are more abstract and distant; attackers stealing password databases and the like are not so familiar for most people, and probably not as real as a result.

Thus, more or less faced with choosing between mitigating a risk that they easily understand and mitigating a risk that they don't really grasp, it's not surprising that most people mitigate the risk that they can easily imagine, even if this risk is in practice the smaller one.

(We already know that people routinely mis-estimate risks in various ways, so this should not be very shocking.)

Applications to other security risks and scenarios are left as an exercise to the reader, but I am already peering at all sorts of things through this new prism of moderate insight.