The Password Paradox: What’s With Our Risky Online Behavior?

We all have that one bad habit that we just can’t seem to break, even when we know it’s really not good for us. How often do you drive without being distracted by the radio, a snack or the buzz of a text message? It probably happens more often than it should. Well, it seems we’ve got the same “cognitive dissonance” when it comes to our passwords, too.

In reviewing the responses to our Psychology of Passwords survey, we found that cognitive dissonance – the psychological conflict that happens when you do something contrary to your beliefs, ideas or values – applies to our password practices, too. You know it’s bad for you, but you continue to do it anyway: We call this the Password Paradox.

Our data shows that most of us are well aware of what makes a password secure:


But even though we know what good passwords look like, we’re still not following through on these strategies to protect our online accounts. In fact, we’re using personal information to create passwords – initials, friends or family names were the most common (47%), followed by significant dates and numbers (42%), pet names (26%) and birthdays (21%). Because this information can be so easy to find – through quick searches online or even through casual acquaintances – using these details makes your accounts highly susceptible to hacking.

The Password Paradox also applies to password reuse. Reusing passwords across accounts is one of the most common ways a hacker can gain access to your personal information. When major breaches happen, hackers can try the same usernames and passwords on other websites. It’s an easy ticket to hack into other accounts. When asked if reusing passwords across accounts was risky, an astounding 91% of those surveyed responded yes, but two-thirds of them said they continue to reuse passwords anyway.

It seems there are many factors driving this behavior and reinforcing this paradox. So much more of our lives are taking place online, which means we need to remember more passwords for a growing number of accounts. Inevitably, password fatigue sets in. It’s not that we’re not informed. 75% of respondents indicated that they consider themselves aware of password best practices. But we continue to implement poor password practices because it’s just too hard to keep up and we want an easier way.

Thankfully, there are a few simple steps to help you avoid using (and reusing!) easy-to-crack passwords. First, use passphrases to create a strong password. Then, use a password manager like LastPass to securely store your passwords, so you only need to remember one strong master password. With National Cybersecurity Awareness Month in full swing, it’s a great time to work on breaking these bad online habits.

To learn more about the Psychology of Passwords research, download our executive report.

One Comment

  • Steve Kurtz says:

    Strong passwords are critical in today’s world. To that end I find that I make multiple passwords for the same login. This is especially true on sites that have federated login. It woudl be great id there was a LastPass option to “delete all other credentials for this site.” This would be useful when you have just find the correct password within LastPass and would like to remove all other instances for the site.