Don’t Touch My Password Routine!
Research suggests a new explanation for why we get so attached to our passwords.
Last year, revealed that his iPhone password was 000000. In 2016, hackers slid into , probably because his password was "dadada".
like these are the poor-quality locks that hackers love to break. The obvious solution is for people to choose stronger passwords, but encouraging users to change their password behaviors has proven much harder than anticipated.
Why, exactly, has this been so challenging? to explain the stasis is that people don't know how to create strong passwords, nor do they know how. The theory has prompted so that now, even school children can tell you what .
Still, weak passwords persist …
The next theory to explain why people don't choose strong passwords is that they're and . To date, the organizational response to apathy and laziness has been to deploy stringent control mechanisms. IT departments write and disseminate policies, and people are expected to comply. Kaspersky that 40 percent of employees fear being punished for cybersecurity incidents, which suggests that organizations are threatening sanctions to make their policies harder to ignore.
What is going on here? Let's go back to the beginning. Most training and awareness campaigns deliver their training based on two implicit assumptions: (1) that behavior can be changed by giving people the facts, and (2) that a switch to stronger passwords is a simple matter of replacing the existing routine with a different and better one.
Both of these assumptions are flawed. In the first place, behavioral science research suggests that behaviors are informed by , and , and . Because this is so, assumption two also fails to stand: it is not simply a matter of swapping one routine for another.
While spending time at Mississippi State University as a Fulbright scholar, I worked with Robert Otondo and Merrill Warkentin to find out whether another behavioral bias could be influencing how closely people cling to their password creation routines: what's known as the endowment effect. When people own physical items such as coffee mugs or particular items of clothing, they can develop an emotional attachment to the endowed item, which leads them to value it disproportionately. This effect can also make people reluctant to relinquish it. Any attempt to suggest that the endowed item is flawed is seen as a threat, which makes people defensive. This can then encourage them to cling even more tightly to the owned item.
revealed that people not only had personal password creation routines, but were reluctant to entertain any suggestion that they should change them. They felt attached to them the way that they might feel attached to an old beloved coffee mug. That being so, they reacted defensively to suggestions that they were flawed, and ought to be replaced.
Many used something they already knew, such as a pet name or their own birthday. Others had developed an algorithm. They might have a root password and then personalize it for each different site, use a pattern on the keyboard or make up a silly sentence. Most worrying, in the password context, is that they overestimated the strength and protection that these passwords afforded them, because their emotional attachment made them over-optimistic.
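The routines described above (a pet name or birthday, a root password personalised per site, a keyboard pattern) are exactly the ones a strength meter can recognise, which is why they afford less protection than their owners believe. The script below is an added example written for this page, not code from the article or from the authors' study: it applies a few simplified heuristics (straight rows of a US QWERTY keyboard, eight-digit runs that parse as a date, a list of personal tokens the user supplies, a shared prefix of five or more characters across a user's own passwords) to a constructed sample vault and reports which routine each password betrays. The heuristics, the sample passwords, site names and pet names are all assumptions made for illustration.

```python
"""Flag password-creation routines of the kind the article describes.

Added example, not part of the original article or the authors' study.
Every sample password, site name and pet name below is constructed.
"""
import re

# Straight rows of a US QWERTY keyboard (assumed layout). A run of four or
# more adjacent keys, in either direction, is treated as a keyboard pattern.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def keyboard_walk(pw, min_run=4):
    """Return the first run of min_run+ adjacent keys found in pw, else None."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                run = seq[i:i + min_run]
                if run in s:
                    return run
    return None


def embedded_date(pw):
    """Return an 8-digit run that parses as ddmmyyyy, mmddyyyy or yyyymmdd, else None."""
    for digits in re.findall(r"\d{8}", pw):
        candidates = (
            (int(digits[4:]), int(digits[2:4]), int(digits[:2])),   # ddmmyyyy
            (int(digits[4:]), int(digits[:2]), int(digits[2:4])),   # mmddyyyy
            (int(digits[:4]), int(digits[4:6]), int(digits[6:])),   # yyyymmdd
        )
        for year, month, day in candidates:
            if 1900 <= year <= 2100 and 1 <= month <= 12 and 1 <= day <= 31:
                return digits
    return None


def personal_token(pw, tokens):
    """Return the first known personal token (pet name, etc.) found in pw, else None."""
    s = pw.lower()
    for token in tokens:
        if len(token) >= 3 and token.lower() in s:
            return token
    return None


def shared_root(pw, other_pws, min_len=5):
    """Return the longest prefix (>= min_len chars) pw shares with another password."""
    best = ""
    for other in other_pws:
        n = 0
        while n < min(len(pw), len(other)) and pw[n] == other[n]:
            n += 1
        if n >= min_len and n > len(best):
            best = pw[:n]
    return best or None


def assess(pw, site="", other_pws=(), personal_tokens=()):
    """Return a list of (finding, evidence) pairs describing the routine behind pw."""
    findings = []
    run = keyboard_walk(pw)
    if run:
        findings.append(("keyboard pattern", run))
    digits = embedded_date(pw)
    if digits:
        findings.append(("date-like digits", digits))
    token = personal_token(pw, personal_tokens)
    if token:
        findings.append(("personal token", token))
    if site and site.lower() in pw.lower():
        findings.append(("site name embedded", site))
    root = shared_root(pw, other_pws)
    if root:
        findings.append(("root shared with another password", root))
    return findings


if __name__ == "__main__":
    # Constructed sample: one root password personalised per site, one
    # keyboard walk, and one pet name plus birthday.
    vault = {"shop": "Tiger2019!shop", "bank": "Tiger2019!bank",
             "mail": "qwerty1984", "forum": "Rex15081990"}
    pets = ["Rex"]
    for site, pw in vault.items():
        others = [p for s, p in vault.items() if s != site]
        print(site, pw, assess(pw, site=site, other_pws=others, personal_tokens=pets))
```

Each finding is something an attacker-side guesser would also try early, so a password that triggers any of them is closer to the "000000" end of the scale than its owner's attachment suggests; a meter built on checks like these gives the user evidence rather than an accusation, which matters given the defensiveness the article describes.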
This finding should make us re-examine the way we carry out security awareness and training campaigns. If we want people to replace their existing password creation routines, telling them that their existing routine is flawed may be the wrong strategy. Instead, practitioners and educators should consider how to design campaigns so that they don't trigger the defensiveness of the endowment effect. Figuring out how to do this is the next stage of our research.