February 12, 2015

Why we still prefer words over random passwords

Emmanuel Schalit, CEO of Dashlane, explores the psychology behind passwords.

By Cbr Rolling Blog

Over the course of the 21st century our use of passwords has skyrocketed. What began with perhaps just a single email account has grown to an average of more than 80 different password-protected accounts covering everything from social networking to home deliveries. And as we shift more and more of our data online, cyber-hacking becomes an ever more real and high-risk threat: 2014 has been the biggest year of password breaches to date.

Today, most of us are generally familiar with good online security practices. Our passwords should have at least 8 alphanumeric and mixed-case characters, and we certainly shouldn’t be repeating them across the web. But despite greater risk and better education on security, our passwords haven’t much evolved since we first started making them. We’re still far too attached to the ‘words’ in passwords.

Back in 2001, Helen Petrie PhD – professor in human/computer interaction at City University London – analysed the passwords of 1,200 Britons from a CentralNic survey. Petrie identified four primary genres of password: ‘family-oriented’, ‘fans’, ‘fantasists’ and, lagging behind, ‘cryptics’, leading her to dub the computer password "a 21st century Rorschach inkblot test".

Fast forward to 2014 and we see the same behaviour. In a recent article published in the New York Times, Ian Urbina shared insights from investigative journalism into the secret lives of our passwords and the psychology behind our choices for these strings of letters and numbers. The trend is clear: despite consistent education on the weakness of our favourite passwords, we’re still clinging on.

So why is that? It’s clear that the human mind isn’t exactly well-equipped for retaining the complex and random strings of letters and numbers needed for good password security. The simple patterns we’re able and willing to memorise are the easiest codes to break. But research from the likes of Petrie and Urbina would suggest that our human tendencies for personalised passwords run much deeper than simplicity or laziness.

Our first weakness for unsecure passwords comes from a very human sentimentality. Most of us choose to inject our passwords with a whole other level of meaning than is demanded of us. And this isn’t just to help us remember them. Urbina refers to "keepsake passwords" which serve as a ritualistic commemoration of something important to us. Each of the people he spoke to from around the world had a different story behind their password choice, from lost loves to hidden secrets. Rachel feels closer to her father through the word ‘Odessa’, his childhood home from a troubled past. Whereas Mauricio takes password change requests as an opportunity to remind himself of personal goals, from quitting smoking to calling his mother.

Every time we type these personal keepsakes – which may have no other place to be recalled – we quietly celebrate what matters most. But this sentimentality is putting us at risk. The sense of privacy from these intimate details appears to be a more powerful force than a logical understanding of security. As a result, our passwords often better serve our emotional needs than our security. Researchers Joseph Bonneau and Sören Preibusch claim that our ineffective passwords – encouraged by sites with poor security standards – are in reality more of a psychological placebo for security than a reliable protection for our data.


Password ignorance is supported by another unhelpful psychological force. Our attachment to "keepsake" passwords is matched by an equally human inability to evaluate risk. Despite years of hearing the message for better security and repeated exposure to threats, hacking (and the ways this can impact our lives) isn’t a risk we feel as strongly as some others. Passwords aren’t the only risk our brains fail to respond to rationally. Jeunese Payne, Research Associate at the Cambridge University Computer Lab, draws the comparison with our fear of flying compared to car travel, or our inability to perceive the risk of smoking. Sometimes knowledge can be completely ineffective at changing behaviour.

While we are seemingly pre-destined to make bad password choices, hackers have the tools to take advantage of that human fallibility. And those tools aren’t just technical. Rather than the half-man, half-machine who codes his way into your bank account, imagine the social engineer who has figured out how your mind works. Those personal passwords that we like to think are private, unique and special are in fact typical, predictable and not at all special in how they leave us open to attack. Hackers are psychologists. It’s their skills at predicting us as people, as much as their technical prowess, that lets them into our private online lives.

So rather than leaving little psychological doors open to our most important personal information, let’s find other ways to honour our relatives, exorcise our demons and motivate ourselves daily, and start using secure passwords.
