Have you encountered this person?
They sit through your cybersecurity training at work, learn that their chosen passwords are weak, easily guessable, and put your network at risk. Yet they continue to use them.
There’s a study out now that says these folks cling to their bad passwords for two reasons.
One is that humans tend to overvalue things they create and own, and second, develop an “inordinate attachment” those things. In short, when we use a secret password that is significant to us, we are more likely to cling to it. We have an emotional attachment to our very personal passwords.
The study, by Karen Renaud, a cybersecurity professor at the University of Abertay in Dundee, Scotland, and by two information systems professors at Mississippi State, found that “admonishing” people for creating weak passwords likely triggered “defensiveness and little willingness to change their ways,” Renaud wrote in the Wall Street Journal. (Paywall)
The study is based on surveys of workers that asked them how they created the passwords they used. Two results: 64% used “a number I know” to come up with their password, while 49% used “family members, pets or famous people.”
The study suggests cybersecurity training should respect this emotional attachment. Renaud recommends trainers start with an acknowledgement of the effort required to develop and remember daily passwords. The approach should take a “shared experience” or “shared pain” perspective.
Then, the study authors recommend cyber trainers talk about solutions that make it easier to deal with passwords – such as password managers or memorable passphrases – both of which conjure up more secure passwords.
“The key is to understand that people aren’t choosing easy passwords just out of ignorance and laziness,” Reneaud wrote in the WSJ. “They also care more about their passwords than the rest of us can imagine.”