Slashdot Mirror


Smarter People Don't Have Better Passwords, Study Finds (bleepingcomputer.com)

An anonymous reader shares a report: A study carried out at a college in the Philippines shows that students with better grades use bad passwords in the same proportion as students with bad ones. The study focused on a new rule added to the National Institute of Standards and Technology (NIST) guideline for choosing secure passwords -- added in its 2017 edition. The NIST recommendation was that websites check if a user's supplied password was compromised before by verifying if the password is also listed in previous public breaches. If the password is included in previous breaches, the website is to consider the password insecure because all of these exposed passwords have most likely been added to even the most basic password-guessing brute-forcing tools.


  1. Re:Don't look at intelligence, look at paranoia by El Cubano · Score: 4, Interesting

    I wouldn't expect intelligence to factor into strength of passwords.

    I agree with you up to here.

    Instead, I would expect password strength to correlate to paranoia - people who think it unlikely someone will try to use their account will use a somewhat weak and easy to remember password...

    While I don't specifically disagree with you here, perhaps a better correlation can be found by looking at cognitive burden. That is, while some people likely use the paranoia factor to motivate them to use/remember long and complex passwords, I suspect that most people think along the lines of, "I am just not willing to burden my brain with yet another long and complex password for blah blah blah."

    That is not to say that cognitive burden is the only determinant, since things like organizational policy (e.g., in a school or business) might set and enforce minimum complexity with which the user must cope. Rather, in the absence of a forced minimum, users will employ the simplest password they can comfortably get away with. Where comfortable is different for each individual.

  2. Re:Don't look at intelligence, look at paranoia by Lije Baley · Score: 3, Interesting

    A similar phenomenon would be "security fatigue" -- the sense that it's either all pointless, or that as security measures grow more complicated, the costs exceed the benefits for more and more situations.

    --
    Strange things are afoot at the Circle-K.