Surveys conducted by Robbie Taylor, who is completing a PhD in Psychology, alongside Professor Maryanne Garry from the University of Waikato, found around half of the respondents infused their passwords with autobiographical memories.
“Many of the passwords our respondents told us about were facts—the old street name where they grew up or something else from their childhood,” says Robbie.
“A lot of people also said they mix and match different facts, like a pet name and a year, or that they substitute some letters for numbers or symbols. They’re meaningful units disguised to create a potentially more secure password.”
Around 10 percent of the survey respondents infused their passwords with episodic future thoughts, which are simulations of events that might happen in the future.
“We found many passwords were associated with memories that served functions. For example, some people used their passwords to help them achieve goals, like saving for a holiday,” says Robbie.
“These memories and passwords likely serve a directive function, by motivating and reminding people of what they want to achieve.”
Robbie says there’s one obvious explanation for why people infuse their passwords with personal information—because the passwords are easier to remember.
“People are trying to reduce the burden of remembering completely random passwords. People are potentially trading off security for ease of remembering.
“The other explanation we found some evidence for is people might want to recall these memories when they type their passwords. That is, people might use passwords like digital mementos. Many people keep meaningful photos and physical mementos around their office at work. Some people may not look at these mementos to remind themselves of the associated memories very often. But, perhaps people with meaningful passwords might think of those associated memories more often because they type their password frequently. It could be a strategy to savour certain memories.”
The study was inspired by a 2014 article in the New York Times.
“The article described the dilemma some companies faced following the September 11 attacks, in which a large number of their employees died,” says Robbie.
“One financial company needed to access the work files of the deceased, so they rang around asking family members for personal details to potentially find facts that could be in those passwords. The company found this method surprisingly successful.
“It’s quite an interesting behaviour and, as we found, it’s quite common.”