Why humans are terrible at picking their own passwords

A Man Hunched Over a Laptop

Photo via Craig Sunter/Flickr (CC BY-ND 2.0)

We’re all susceptible to weakness.

Passwords are an odd facet of our digital existence, both annoying and drastically important. These combinations of important numbers, words, phrases, and dates guard our bank accounts, our work, our social media feeds, and every other access point we only want ourselves to breach. They are, in the words of the New York Times’ Ian Urbina, “like tchotchkes of our inner lives.”

It’s exactly their importance, however, that makes them too important an issue for mere humans to handle. Despite the thousands of listicles about how to craft the perfect password, humans are too often daunted by the effort it takes to remember truly random passwords for all of our accounts, so we either personalize our passwords or make them so simple no one could forget them—must we go through the annual ritual of learning that the most common password is “password”? (However, “123456” finally unseated it in 2014.)

Luckily, machines are here to free us of this great responsibility we are woefully incapable of handling. Security experts across the entire industry are urging people to use password managers. These third-party applications will randomly generate a password for every service you use, be it Twitter or your bank. They then encrypt these passwords behind one master password, meaning you only have to create and remember one strong password—and please don’t make it 123456.

While it sounds somewhat dubious to entrust all of your accounts to another company, that’s because we’ve been thinking about passwords wrong for about as long as we’ve had them. Asking any lay human to develop a secret code is a false problem. Passwords are often made up of personal information: birthdates, anniversaries, names of first pets, and locations of first kisses. Because we are social creatures by nature, these supposedly private details too often find their way into public life. It’s time to hand over the reins to the machines.

In his lengthy exploration of the “secret lives” of passwords, Urbina found “pathos, mischief, and sometimes even poetry” in these phrases we craft. Urbina talks with a grieving mother who found her son’s password was a reference to his closeted homosexuality. He talks to a couple that fought over the husband still using his ex’s birthdate as his password. Another woman hid her accounts behind an anagram for “What would Sheryl Sandberg do?”

While these are charming anecdotes about this bizarre feature of all of our lives, they show the faulty nature of humans. Aside from passwords being unique to ourselves, we must also remember them. Memory was never the strongest suit of our species, so we too often make the password too obvious or simply pick one password we use across all platforms—a very, very dangerous habit.

Password managers solve this problem altogether. Not only do you have but one password to remember, but each of the passwords to your account are completely unique. And not just unique from each other, but truly unique from any other password. They remove the humanity of passwords and, therefore, their greatest weakness.

Perhaps no evidence shows how great a weak point humans are more than the yearly studies showing how incompetent we are at choosing our own passwords, often choosing convenience over security. Since 2011, research firm SplashData has analyzed millions of passwords each year and, despite the many high-profile hackings and headlines about cybersecurity, the most common phrases used are consistently “password” itself and the dreaded “123456.” In fact, in the top ten of 2014, five of the most common passwords could be replicated by dragging your finger across the top row of keys.

If password strength isn’t an issue for you, perhaps you are in the one-third of Americans who use the same password for every account. This is a dangerously common habit for reasons both obvious and not. The obvious reason is ubiquity: The more places this password exists, the easier it is to find.

The less obvious reason is that the free Tetris app that asked for an account now has the same password as your email, the true access point for every account you use. Password retrieval systems are one of the most common methods for an intruder to access an account, and having access to your email opens these doors far too easily. If you go to your Facebook, for example, and click “Forgot Password,” it will gladly give you—or whoever has control of your email—a chance to change it as they see fit.

Most of us have lived with passwords for the last two decades, and still we falter on understanding the basics of crafting a secure one. That is long enough to know humans can never be fully trusted with their own security online.

That said, password managers also raise some reasonable concerns: Why should I trust a random company with the keys to all of my information? Password managers, like LastPass, Keeper, and Roboform, encrypt your passwords with a key specific to the user. Administrators never see the password or the key to decrypt them, and the decryption is done locally on your own computer. They work like a double-blind study, with neither side truly knowing what’s going on other than the user entering their password.
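The two mechanisms the article leans on, a generator that draws every password from the operating system’s random source rather than from memory, and a master password that is stretched into a key the provider never receives, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from LastPass, Keeper, Roboform or any other product; the key-splitting design (one half of the derived material stays on the device as the vault key, the other half becomes a login token the server stores only as a hash) is an assumed design meant to show the idea, and the salts and the iteration count are constructed values. Actual vault encryption with the local key would use an authenticated cipher from a crypto library and is not shown.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character set the generator draws from: 52 letters, 10 digits, 32 punctuation marks.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a password chosen uniformly at random from ALPHABET.

    secrets.choice reads the OS CSPRNG, so nothing about the user
    (birthday, pet's name, a row of the keyboard) can shape the result.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    A six-digit PIN such as "123456" has at most ~19.9 bits even if it were
    random; a 20-character password over ALPHABET has about 131 bits.
    """
    return length * math.log2(alphabet_size)


def derive_keys(master_password: str, salt: bytes, iterations: int = 600_000):
    """Stretch the master password into two independent 32-byte secrets.

    PBKDF2-HMAC-SHA256 produces 64 bytes (assumed design for this example):
      * bytes 0..31  -> vault encryption key, which never leaves the device
      * bytes 32..63 -> login token sent to the server instead of the password
    Because the halves are independent outputs of the KDF, holding the login
    token does not reveal the vault key.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def server_store(login_token: bytes, server_salt: bytes) -> bytes:
    """What the provider keeps on file: an HMAC of the login token under a
    per-account server salt. Neither the master password nor the vault key
    is ever present on the server."""
    return hmac.new(server_salt, login_token, hashlib.sha256).digest()


def server_verify(stored: bytes, login_token: bytes, server_salt: bytes) -> bool:
    """Constant-time check of a presented login token against the stored value."""
    return hmac.compare_digest(stored, server_store(login_token, server_salt))


def login_roundtrip(master_password: str, attempt: str, iterations: int = 600_000) -> bool:
    """Simulate enrolment with master_password and a later login with attempt.

    Returns True only when the attempt reproduces the same login token.
    """
    client_salt = b"constructed-client-salt-16"   # constructed sample value
    server_salt = b"constructed-server-salt-16"   # constructed sample value
    _, token = derive_keys(master_password, client_salt, iterations)
    stored = server_store(token, server_salt)
    _, attempt_token = derive_keys(attempt, client_salt, iterations)
    return server_verify(stored, attempt_token, server_salt)


if __name__ == "__main__":
    for service in ("twitter", "bank"):
        pw = generate_password(20)
        print(f"{service:8s} {pw}  ({entropy_bits(len(pw)):.0f} bits)")
    enc_key, token = derive_keys("correct horse battery staple", b"constructed-client-salt-16")
    print("vault key (stays local):", enc_key.hex())
    print("login token (sent):     ", token.hex())
    print("login with right master password:", login_roundtrip("abc", "abc", 1000))
    print("login with wrong master password:", login_roundtrip("abc", "abd", 1000))
```

The point of the split is visible in the output: the string the server receives is not the string that opens the vault, so a breach of the provider yields neither the master password nor the user’s site passwords, and every service password is long enough that no personal detail could have produced it.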

You’ll notice that process includes as little human interaction as possible. The programs of the password manager and the account you’re accessing have a secret conversation without you, exchanging untranslatable bits of code you’re never meant to understand. By removing the lazy reliance upon routine or the emotional attachment to memory we humans pathetically try to make relevant, the machine bests us but, most importantly, keeps us safe from other humans.

Gillian Branstetter

Gillian Branstetter is a reporter and essayist who specializes in the intersection of technology, LGBTQ issues, and privacy. In April 2018, she joined the National Center for Transgender Equality as a media relations manager.