Why don't we change our passwords?

The year 2020 is just a short step away, and the world of cybersecurity has changed a lot in the last 10 years. Thousands of threats of different types have appeared and been developed, and companies and users constantly try to cope with them as part of everyday cyber life.

Today's users are increasingly aware that cybersecurity is something that will accompany them forever, to prevent anyone from stealing their information, disabling certain systems or leaving them without money in the bank.

Like someone cautiously walking through a minefield, today's users live with antiviruses, firewalls, biometric readers, PINs and, of course, with countless passwords to cope with the different dangers that lurk on the internet.

The password is the most well-known of all these protective elements and, in some ways, it is also the most controversial security tool we use. This is precisely what we are going to analyze. Although today we are “cyber animals”, we will never stop being Homo sapiens with a smartphone in hand. 

As fast as technology advances, it will always be managed by people, by human beings who are what they are.

Some studies tell us that by the time you read these lines hundreds of data records will have been stolen, adding up to millions in a single day.

These thefts are based mainly on the vulnerability of the passwords we use because, although we are increasingly aware of the dangers online, our password behavior has not changed in recent years. If we did a survey to see how many people have changed their passwords in the last year, or whether they use strong passwords, or repeated ones, or if they protect them properly, we would realize the magnitude of this problem.

This leads us to try to explain what we could call the "Psychology of passwords" or, rather, why we find it so uncomfortable to change passwords every so often or use complex passwords instead of using our child's date of birth or our dog's name.


Limited memory access

The first psychological element to examine is our memory system. We have a limited memory system.

That is, we do not have unlimited capacity to access all our information, which differentiates us from a computer.

Additionally, our memory is not like access to a file or a video recorder that faithfully captures the reality we are filming. It is more like a creative system that constructs, or rather reconstructs, a memory imprint.

Therefore, when we ask a user to generate an 8-digit password that also incorporates numbers and symbols, we are asking for something that will test their memory capacity in the future.

One way to overcome this memory limitation is to give a meaning to the information we want to remember, so that when reconstructing our memory it has a special relevance that allows it to be more accessible. This is why our dog's name is easier to remember than the password 379_@lpjhYu48.  

When we are forced to use a password like this, we are forced to use a password management system or, in the worst case scenario, to write it on a post-it or document with the name “password”.

We must also bear in mind that not remembering something stresses people.

In fact, some studies indicate that the fear of not remembering our password and therefore losing access to our bank, email or photo album is what makes us not want to change a password.



Principle of Least Effort

On the other hand, human beings work or make decisions based on the Cost-Benefit Principle, also known as the Principle of Least Effort, according to which we do that which provides us with the greatest possible benefit at the lowest cost / effort. We apply this principle to make decisions such as where to go shopping, whether to smoke or stop smoking, or whether to change our passwords every six months.

As we have seen, changing our passwords is an effort for us. And if we are not able to see a benefit greater than this cost, it is normal for us to continue leaving the same password. It is clear that there is a benefit, or could be one, and that it conditions whether or not someone can hack our account.

As this benefit is a future possibility, but the effort to change the password is a cost that we must assume now, most users do not usually do it. Or they do so only after their account has actually been hacked.

This is also related to the way our brain works, which is based on predictions of events, which brings the story of Bertran Russell's "inductivist turkey" to mind. This story is useful to warn us about the dangers of drawing conclusions based solely on observations, even if we can include many observations.

It uses the example of a turkey that sees how each day it gets fed at 9 in the morning. This goes on for 364 days, which allows it to feel quite comfortable about drawing the conclusion that it will eat every day at that time and that, clearly, this will continue to be the case in the future. Day 365 in the life of this turkey is Thanksgiving Day and, instead of a succulent meal, at 9 in the morning it finds a knife in its neck.

Statistically, the turkey was right, just as most users who have not suffered any hacking in their lives think it is difficult or unlikely that this will happen to them tomorrow, which leads them not to worry too much about their passwords.

In short, changing passwords and using strong ones implies a cost weighed against a benefit that it is very possible we will not obtain because it is unlikely that we will be a hacking victim. And moreover, changing our passwords could pose an extra danger of forgetting the password and losing access to our email, our bank account or our photo albums.

And here we can make another psychological note, because people are more sensitive to loss than to gain. Imagine walking down the street and finding a €50 bill. We would undoubtedly be very happy, but that joy, if we could measure it, would be proportionally lower than the sadness and anger represented by losing €50 on the street.

The fear of losing something – our access to email or the photos of our last vacation – is greater than the joy of knowing that our system password is impenetrable.

Therefore, when the typical field to add a password appears, we generally consider it an obstacle to be overcome, which causes us to use passwords such as 123456 or qwerty. Something fast to move past that screen and continue what we were doing.

However, we mentioned earlier that we are all increasingly aware of the risks of the internet and that we know that cybersecurity actions are needed. This means we should also be aware of those potential threats or feel that, sooner or later, our password will be hacked. And this is true, but it also has an explanation in psychology.


Learned helplessness

To explain it we will use another animal, this time a laboratory mouse. Imagine a psychologist placing a mouse in a cage with an electrified floor. The mouse receives a small electric shock that it can stop if it activates a lever inside the cage.

Quickly, the mouse associates the behavior of operating the lever with the suspension of the electric shock, so it can move at will throughout the cage without the need to suffer the annoying shocks.

The mouse learns that its actions have consequences, in this case positive, so it can influence its environment and solve its problems. Now, imagine that the psychologist wants to make it more difficult for the mouse and manipulates the conditions of the experiment so that, even if the mouse operates the lever, the electric shocks do not cease.

That day, the mouse is put into the cage again and soon the shocks begin. The mouse quickly goes to the place where the lever is, to operate it. He does it again and again without seeing that this has the effect it did on other days.

The mouse becomes nervous and begins to move around the cage trying to see if there are other levers or other elements that can suppress the shocks. Occasionally, it operates the lever again, but without any results. At a certain point, the mouse goes to a corner of the cage and remains immobile while still receiving shocks.

It does nothing, just stays still. The mouse has entered into what is called "learned helplessness", which means that, whatever it does, it cannot influence that which is causing it harm.

This learned helplessness is an explanatory model of pathologies such as depression, but it can also explain in part why people do not change their passwords despite their fear of having their accounts hacked.

Some studies conducted by password management companies such as LastPass indicate that a large percentage of users – close to 90% – consider the issue of passwords to be a serious matter. But this same number of users also believes that it doesn't make any difference what you do, that no matter how good your passwords are your accounts will always be in danger.

That is, like the mouse in the cage, the user has learned a kind of helplessness that means they think there is nothing they can do in the face of a determined hacker who wants to steal their information.

It is precisely on this point, on user empowerment, that we must work so that they feel they have control over the cage lever; control and the responsibility to engage in safe behaviors in cyberspace.

Posted by Tim Ayling

Tim Ayling is currently the Vice-President EMEA at buguroo. With over 20 years' experience in the cybersecurity and anti-fraud industry, Ayling began his career in technical support, and moved on to System Engineering. He began his leadership career when he established Entrust Inc. in Australia in 2003 and was made Vice-President Asia Pacific in 2006. Ayling has held numerous leadership roles in large cybersecurity vendors, including serving as the Global Head of Fraud Prevention Solutions at Kaspersky Labs, as EMEA Director of Fraud & Risk Intelligence at RSA Security, as well as spending time in the cyber-security practice of KPMG.

Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video

Did you like it? Share in your social communities