The Psychological Reasons Behind Risky Password Practices

Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."

Cognitive Load

[Jarik+C-Bol]

The way I see it, password reuse is a matter of cognitive load. Most people are unable or unwilling to attempt to remember the umpteen dozen unique passwords they would need on a daily basis, if they where to attempt to use unique secure passwords on every service/device they use. This results in password reuse, more or less out of sheer laziness. It is probable that among this group, there is a cognitive bias against using password keychain services and tools, because it 'feels' like putting all your eggs in one basket. (somewhat flawed) Logic dictates that if someone breaches the master password to your keychain, and they have all of them, which is no different than using the same password everywhere. (of course, this is not entirely the case, but like I said, cognitive bias)

Now, as for using 'good' passwords, it follows a similar pattern, with most people unwilling to dedicate the time and effort to memorize what amounts to a 'good' password, when they can remember their spouses birthday and their first pet's name just fine.
Of course, we have seen time and time again articles arguing both sides of the court, that long random passwords are either effective or not, and correct horse battery staple passwords are effective or not, so this portion of the discussion is going to be long, stupid and frustrating for evangelists on both sides.

Honestly, I've reached a point where I use 'good' passwords where it matters, (main email, financial items, Amazon etc) and just sort of hope for the best when I re-use the same 'decent' password everywhere else (forums, etc)

I say 'good' because we're at a point there have been enough breaches that we're all probably fucked anyways.