Features 10.10.2023

Unlocking the Mind: The Psychology of Password Creation

Is a successful password strategy the tech equivalent of the Holy Grail?

Passwords are, quite literally, a key to cybersecurity. They are also unanimously considered a total headache for everyone from Grandma to CISO. Etashe Linto considers the psychology behind that familiar foe, the password…

Passwords. They’re keys to our virtual homes, codes to secret information, and cloaks that hide our data online. Passwords have remained faithful sentinels, guarding our digital identities across web and mobile platforms.

But, and there’s a big but, as useful as they are, we often find them lost in the thread of memory. We forget where we planted the numerals, placed the upper-case letters, and stood the sneaky exclamation marks, feeling them slip off the tip of our tongues. We exhaust ourselves as we default to reset that password for the hundredth time or create a weak password that is memorable but places us in the purview of hackers.

What about our memory affects our creation and recollection of secure passwords, and how do we tackle that with science to improve digital security?

The brain and password recall

We ingest large volumes of information every day. From the voices around us to the (more than) 300 million terabytes of data generated on the internet, our brains absorb more than their limits can bear.

Research exploring our working memory’s capacity has shown it can hold only a limited amount of information at a given time, prompting the brain to select which pieces to retain and discard. In the scientific paper ‘More attention with less working memory’, researchers explain that the brain selectively retains current and relevant information but inhibits what it has already processed and now regards as outdated. If a password isn’t actively used, the brain may naturally prioritise other current information, potentially making it difficult to remember the password.

“Our emotional state can heighten or dim what we remember, a phenomenon called state-dependent memory,” Dr Mason

Another limitation affecting password recall is interference, which occurs when new or similar information affects the retrieval of old information. For instance, creating a new, complex password similar to one used for another account may lead to interference because it can make it harder to remember the previous one. As Dr. Rihana Mason, cognitive psychologist and research scientist at Georgia State University, explains, “Interference makes it more challenging to process information, especially when there’s already high cognitive load. It makes cognitive processes more demanding, as the brain needs to navigate and resolve friction between conflicting pieces of information, which can further burden an already overloaded cognitive system.”

It’s tempting to default to risky password creation and management practices to navigate these limitations. We settle for weak passwords or reuse passwords across multiple accounts, even after exposure to data breaches. In their 2022 Annual Identity Exposure Report, SpyCloud found a 70% password reuse rate among those impacted by security incidents.

Reusing passwords lessens the cognitive work required for password management. But this upside comes at the cost of security, putting sensitive data at risk and exposing us to security breaches. Studies have shown that increased awareness of certain types of information—especially temporary materials like passwords—doesn’t strengthen its storage in working memory. Instead, it can hinder working memory’s ability to function optimally by consuming cognitive resources needed for more critical information.

Clearly, we need more thoughtful strategies and systems for addressing the brain’s constraints and creating and managing secure passwords to protect our data.

Creating strong and memorable passwords

!p9jKQ22a@C0Oz&evhlK is a password with a thick shell. Its components are so random, incoherent and disassociated from any birthday or pet name that even its creator could forget it. And that’s the biggest challenge with password creation: balancing security with convenience. We need complex passwords that are easy to remember, which is hard to achieve given the brain’s hurdles and the varying password requirements of different platforms.

Still, this challenge doubles as a necessity. When we balance security with convenience, we can better recall unique passwords and avoid the risks associated with weak password practices. The first step toward striking this balance is knowing the ingredients of strong passwords, and the second is employing science-backed techniques to create safe and memorable passwords.

The ingredients of a strong password

Not all passwords are made equal. Some are too short, too predictable or too simple, falling outside the core components of secure passwords. Strong passwords are formed from several materials and built on certain pillars that make them durable and sturdy enough to withstand a range of attacks.

The password !2Ɛ4 is as easy to crack as 1234

A password should be a constellation of numbers, symbols, and upper and lowercase letters, which creates complexity, increasing protection against data breaches. However, an alphanumeric combination alone does not guarantee safety. The password !2Ɛ4 is as easy to crack as 1234. Strong passwords marry multiple elements, with length being one marker of password security.

Testament to the importance of length in password creation is the Hive Systems 2023 password table, which shows that it takes only a few seconds for hackers to brute force a seven-character-long password, even if it combines all relevant elements. Jacob Hill, director of cyber operations and founder of GRC Academy, recommends using a minimum of twelve characters when creating passwords, noting that “longer passwords of sixteen characters or more provide even better security.”

One good way to ensure a long password is by using passphrases. Passphrases are strings of words that unlock sensitive data. They’re random and uncommon, can contain spaces and symbols, and are generally lengthy, making them highly unpredictable. “A passphrase like WhyDoesThisGravelTasteLikeChicken is lengthy by nature,” says Hill. “It’s also uncommon and silly, and both factors make it unique and closer to mind.” Essentially, the longer the password, the higher its entropy and resistance to brute-force attacks.
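The entropy arithmetic behind these claims, as an added example that is not from the article or the people it quotes: it shows why a seven-character password falls quickly, why !2Ɛ4 is no better than 1234 under a guessing model that knows common substitutions, and how a randomly drawn passphrase compares. The wordlist, common-password list, substitution map and guess rate are constructed assumptions.

```python
import math
import secrets

# Constructed for the demo: a tiny wordlist and a tiny common-password list.
# A real check would use a large wordlist and a breach-derived list.
WORDS = ["gravel", "chicken", "taste", "why", "does", "this", "like", "sentinel"]
COMMON = ["1234", "password", "qwerty", "123456", "letmein"]
# Assumed substitutions people make to dress up a common password.
SUBS = str.maketrans({"!": "1", "Ɛ": "3", "@": "a", "0": "o", "$": "s", "|": "l"})


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size


def random_password_bits(password: str) -> float:
    """Entropy in bits if the password were drawn uniformly from its charset."""
    return len(password) * math.log2(charset_size(password))


def guessable_bits(password: str) -> float:
    """Guess-model entropy: a symbol-substituted common password is only as
    strong as the list it came from, whatever characters it contains."""
    plain = password.translate(SUBS).lower()
    if plain in COMMON:
        return math.log2(len(COMMON))
    return random_password_bits(password)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words chosen uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every possibility at the given rate (rate is an assumption)."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(words=WORDS, count: int = 5) -> str:
    """Passphrase drawn with a CSPRNG, as a password manager would do."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for pw in ["1234", "!2Ɛ4", "abc1234", "!p9jKQ22a@C0Oz&evhlK"]:
        bits = guessable_bits(pw)
        print(f"{pw:22} {bits:6.1f} bits  {seconds_to_exhaust(bits):.3g} s")
    print(f"{passphrase_bits(6, 7776):.1f} bits for six words from a 7776-word list")
```

The uniform-charset figure is an upper bound: it only holds for passwords a generator chose at random, which is the case for a password manager's output but not for most human-chosen strings.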

Making memorable passwords

Creating a strong password is easy. Mix the right ingredients in the right proportions, and you have a firm lock for your data. The hard part is crafting a password that’s as unforgettable as it is secure. To address this challenge, individuals need to understand what makes information memorable.

Emotions are one thing that affects our ability to remember. “Sometimes our emotional state can heighten or dim what we remember, a phenomenon called state-dependent memory,” says Dr Mason, explaining that if we learn something in a particular state, we are more likely to remember it later when in a similar emotional state. A strong emotional connection to an experience can ingrain a password in memory, making it easier to recall later. The second element that makes information memorable is personal meaning. When a piece of information is unfamiliar to us, our capacity to remember it decreases because our episodic memory cannot retrieve that specific information. The more familiar and meaningful things are to us, the better our recall of them.

Passwords that score high on easy-to-recall (like your dog’s name) score low on security.

One practical way to infuse emotion and personal meaning in password creation is using memory aids like mnemonics, which incorporate visualisation and association to solidify a piece of information in memory. In their study on mnemonics and password security, academics Deborah Nelson and Kim-Phuong L. Vu found that mnemonic techniques helped people create longer, more complex passwords, with image-based mnemonics resulting in better password recall. Mnemonic strategies prompt individuals to engage in cognitive processes involving meaningful connections.

“The letters and numerals in your passwords are easier to remember when you give them meaning. For instance, if my password is Run2pound, I can associate Run with the first letter of my name, 2 with my two sons, and pound with a frequently used hashtag. By doing this, I’m creating meaningful associations that make it easier to remember my set password,” Dr. Mason says.

Individuals can associate desired passwords with well-known knowledge structures like rhymes or familiar environments to create strong, easily retrievable passwords. Finally, for better recall, practice deliberately using spaced repetition and chunking. Both cognitive strategies help reduce interference, improve memory, and facilitate long-term password retention.

Building retrieval systems

In the paper Passwords Usage and Human Memory Limitations, researchers explain that the higher the number of unique passwords an individual has, the more they forget and mix up passwords. The finding reveals that, though malleable, the human brain is unreliable. We can’t count on it to remember multiple passwords at all times, especially in a growing landscape of digital platforms.

Retrieval systems like password managers help unburden the brain by generating and storing unique passwords for different accounts. As Hill notes, “You can have a master password to unlock the tool, then use it to generate randomised passwords for other accounts. This curtails the recall problem and risk of having multiple compromised accounts due to reusing passwords.”

Essentially, password managers reduce the pitfalls of forgetting. They also help detect vulnerabilities by monitoring the dark web to identify when a given password is compromised.

When selecting a password manager, there are five key factors to consider.

  1. Ensure the password manager encrypts sensitive data, including the URLs associated with passwords, to prevent attackers from gaining easy access to accounts.
  2. Note the provider’s compliance frameworks to understand their commitment to security.
  3. Seek user perspectives from community platforms like Reddit, which provide real-time information on the desired tool.
  4. Look for password managers that meet compliance requirements relevant to your organisation (such as FedRAMP).
  5. Research the provider’s history of incidents to gauge their security track record. It’s also important to ensure the proposed tool offers cross-platform support and robust backup options to prevent data loss in emergencies.

Sustaining security

Poor password management can lead to security breaches, and the global average cost of a data breach in 2023 is $4.45m (£3.65m). It’s a relief to know we have science-backed techniques for protecting our accounts from these attacks. We can balance security and convenience by applying the right ingredients, training our memories to remember information better, and building systems to aid password retrieval. Beyond these, organisations can add extra layers of security by infusing multi-factor authentication with authenticator apps and physical security keys. Further, they can integrate passwordless technologies into their security systems to enhance overall security.
