Channel: Psychology Today

The Psychology of Choosing Passwords


Cognitive psychology deals with human attention, memory, and problem solving. It can also provide many insights into how we handle our computer security in general, and how we choose passwords in particular.

Most people know that they are supposed to choose passwords that are hard to guess, relatively long, and contain a mix of characters. But given that the most popular password is "password", people are obviously not making choices in line with those guidelines. So how do we actually make password decisions? Here are five things we do and how cognitive psychology explains them.

1. Pick easy-to-guess passwords – It is hard to remember a completely random string of 8 characters with upper case letters, lower case letters, numbers, and special characters. A name or date (which are among the most common choices) is easy to remember, reducing how hard we have to work every time we log in. In other words, memory issues make us choose less secure passwords.

2. Reuse passwords across sites – Again, memory plays a role here. An active web user may have hundreds of passwords to remember across every e-commerce site, social media platform, discussion forum, and news site. While security advice says we should have different passwords on each site, it is just not possible to easily remember so many different passwords – especially if they follow the hard-to-guess guidelines.

3. Sharing passwords – Almost half of people say they have shared their passwords with friends, family, or co-workers. This is a conscious choice that people make, usually because they reason that they can trust the people they share the password with. The convenience and ease of use are important, and since users trust the people they share with, they tend to reason that their choices are unlikely to significantly compromise security.

4. Writing down passwords – Another memory issue. Many systems require people to choose passwords that conform to a set of guidelines. If it is too difficult for people to memorize these passwords – which is often the case – they will write them down to make sure they don't forget and/or they don't have to go through the long process of resetting the password when they inevitably do forget.

5. Mnemonics – When people try to follow password guidelines, they do some creative thinking to make them easier to remember. Mnemonics are a good way to do this, and using them is common advice regarding password choice. They can be any technique to aid memory, and in passwords, mnemonics often manifest when people use common names or words, replacing letters with representative numbers or symbols (e.g. o=0, i=1, e=3, a=4, s=5 or &, B=8, etc.). They also show up when people choose phrases (e.g. "IluvMyD0g!") that are hard to guess.
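The habits in items 1 and 5 can be checked when a password is set. The following is an added example, not part of the original article: it maps the substitutions listed in item 5 back to letters and compares the result against a blocklist, and it flags passwords that are only a date. The blocklist contents, the date formats, and all function names are assumptions made for illustration.

```python
from datetime import datetime

# Substitutions as listed in the article (symbol -> letter it stands for).
SUBSTITUTIONS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "&": "s", "8": "b"}

# Constructed sample blocklist (assumption); use a large breached-password
# and common-name list in practice.
COMMON_WORDS = {"password", "michael", "jessica", "dragon", "baseball"}

DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y")  # assumed formats


def normalize(candidate):
    """Lower-case and map the article's substitutions back to letters."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in candidate.lower())


def looks_like_date(candidate):
    """True if the candidate is only a calendar date, with or without separators."""
    digits = candidate.replace("/", "").replace("-", "").replace(".", "")
    if not digits.isdigit():
        return False
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def rejection_reason(candidate):
    """Return why a candidate is rejected, or None if it passes both checks."""
    if looks_like_date(candidate):
        return "date"
    normalized = normalize(candidate)
    for word in sorted(COMMON_WORDS):
        # Substring match also catches a common word with padding, e.g. a trailing "!"
        if word in normalized:
            return "common word: " + word
    return None
```

A `None` result only means the candidate matched neither check with this sample blocklist.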

Image credit  Eric Schmuttenmaer

