Password fatigue

Here’s a scene that’s probably familiar: a website has notified you of a data breach and forced you to change your password. You visit the website and enter a new password, but it doesn’t meet the security requirements for password length or complexity. You think of another password that works, but it’s one you’ve already used before on this site, so it’s rejected. Finally, flustered and frustrated, you input a password you’re currently using on another site – a big security no-no – but at this point, you don’t care anymore. While this is frowned upon, this is very likely something we’ve all done at some point as a result of password fatigue. Continue reading as we detail password fatigue and the difficulties Internet users face in managing their cybersecurity.

What is password fatigue?

If you’ve struggled to manage dozens of distinct passwords that are all at least 8 characters in length and use at least one uppercase letter, symbol and number, then you’re already familiar with password fatigue — also referred to as password chaos or security fatigue. This phenomenon refers to the confusion consumers feel from attempting to remember so many unique passwords. There are too many passwords required for consumers to access services, and it’s nearly impossible to remember them all. Now that more devices, including toys and thermostats, are accessing the Internet than ever before, it’s likely that password fatigue will only get worse. The more passwords that are needed to access things, the harder it’ll be to come up with strong ones, which could make the Internet less secure overall.

Why is this happening?

Password fatigue isn’t a new concept and has been discussed at length since at least 2002. Since then, numerous studies and articles have detailed the severity of the issue. Though security researchers and other experts have proposed a number of causes for password fatigue, there are likely two key issues contributing to the problem:

  • The password system has critical limitations. One of the first things advocates of abandoning passwords tend to mention is how ancient the concept of the password is – it’s a very old idea that has had few innovations in its implementation over the years. With regard to computers, the modern user login system can be traced back to MIT in the 1960s, and even back then it had security limitations. Having been invented over 50 years ago, login systems were definitely not designed with the World Wide Web, identity theft or data breaches in mind. It’s partly for this reason that many companies are eager to implement biometrics or password-less logins. It’s also the reason why many tech professionals, including Bill Gates, have long called for the end of passwords.
  • The human mind wasn’t designed for a world run on passwords. Just as the password system has limitations that make it ill-suited to today’s hyper-connected world, the sheer number of passwords we now juggle also reveals some of our own limitations. Intel found that the average person has 27 unique accounts, and over one-third of people forget passwords weekly. Throw in regular mandatory password resets, character requirements and length minimums, and you can begin to see why bad passwords, which are much easier to remember, persist. Unfortunately, human memory is finite and it’s much harder to recall information that can’t be contextualized (e.g., a random string of nonsense characters with no semantic meaning).

What can we do about password fatigue?

As depressing as password fatigue might sound, the fact that more and more security experts are acknowledging that it exists is a good thing. This could mark a critical turning point in cybersecurity management, which means in the future, we can potentially expect password and security systems to take into account human psychology as well as the need for something more robust and flexible than a password. Until then, here are some important practices you can maintain:

1. Continue to follow the basic password tips. Although memorizing 27 strong and entirely unique passwords might be out of the question for those of us who aren’t super geniuses, that doesn’t mean we can’t apply the recommended security standards to our most important accounts. Financial accounts and other accounts containing key personal information (like your full name, credit card details, address and social security number) should retain the highest degree of security possible, which means each account should have its own unique password. For other accounts that don’t contain such information, you might be able to get away unscathed using slightly less complex passwords, especially if you use other security features like two-factor authentication. However, remember that any account which can be used to access other accounts (like email addresses or social media profiles that list personal details) should be protected to prevent exploitation.

If you still want the same level of security across all of your accounts but can’t remember all your passwords, you should probably use a password manager. This would only require you to memorize one strong password that will protect all of your accounts in a digital safe. Alternatively, you can go with the relatively low-tech solution of managing a ledger of passwords by writing them down and storing them in a secure location, like a safe or locked filing cabinet, that would be really difficult for anyone other than you to access. If you’re going to use this method, be aware that you’ll need to lock up your passwords every time you access them, as leaving them in an easily accessible location can leave your accounts open to essentially anyone who comes into your home.

2. Use mnemonics and familiar phrases to make good passwords. While there is often a trade-off between passwords that are complex and passwords that are memorable, there’s a compromise that involves turning familiar and sensible phrases and ideas into complex and hard-to-guess passwords. For example, you can create a password like “!WimacsF5823#” and use a mnemonic device like “why is my aunt Cate so funny” to remember it. Keep in mind that your kids’ or pets’ names, your wedding anniversary or any other common personal information should not be used in a password, as these pieces of information can likely be easily located on your social media profiles. If you need help coming up with some phrases or need inspiration, there are many online resources that provide good examples of how to do this.
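As an added illustration that is not part of the original article, the Python below builds a password from a mnemonic phrase the way the example above does, checks it against the complexity rules mentioned earlier (at least 8 characters, an uppercase letter, a symbol and a number), and checks that no fragment of a constructed list of personal details (a pet’s name, an anniversary) ends up inside it. The capitalisation rule (first and last letter uppercase) and the “!” / “5823#” prefix and suffix are assumptions chosen so that the article’s example is reproduced.

```python
import re
import string

MIN_LENGTH = 8  # the article's rule: 8+ characters, an uppercase letter, a symbol and a number

def mnemonic_letters(phrase: str) -> str:
    """First letter of each word. Capitalising the first and last letter is an
    assumed convention so that "why is my aunt Cate so funny" gives "WimacsF"."""
    letters = [word[0].lower() for word in phrase.split()]
    if not letters:
        return ""
    letters[0] = letters[0].upper()
    letters[-1] = letters[-1].upper()
    return "".join(letters)

def build_password(phrase: str, prefix: str = "", suffix: str = "") -> str:
    """Wrap the mnemonic core in chosen symbols and digits, e.g. "!" and "5823#"."""
    return f"{prefix}{mnemonic_letters(phrase)}{suffix}"

def policy_failures(password: str) -> list:
    """Return the complexity rules from the article that the password misses."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures

def personal_info_tokens(details: list) -> set:
    """Fragments of personal details (names, YYYY-MM-DD dates) that must not appear
    in a password: words of 3+ letters, digit runs of 4+, and a date's MMDD/DDMM."""
    tokens = set()
    for item in details:
        tokens.update(w for w in re.findall(r"[a-z]+", item.lower()) if len(w) >= 3)
        tokens.update(d for d in re.findall(r"\d+", item) if len(d) >= 4)
        date = re.fullmatch(r"\d{4}-(\d{2})-(\d{2})", item)
        if date:
            tokens.update({date.group(1) + date.group(2), date.group(2) + date.group(1)})
    return tokens

def leaks_personal_info(password: str, details: list) -> bool:
    """True if any fragment of the given personal details occurs in the password."""
    low = password.lower()
    return any(token in low for token in personal_info_tokens(details))
```

A password such as “Rex2009!” (constructed) passes the complexity rules yet fails the personal-details check, which is the point the paragraph above makes about names and anniversaries.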

3. Consider investing in other cybersecurity measures. Cybersecurity is more than just a strong password, and while passwords play an important role in securing our accounts, thankfully they’re not the be-all and end-all. Other things, like taking advantage of two-factor authentication, ensuring that you only log into your accounts over HTTPS connections and updating your technology frequently play just as much of a role as your passwords in keeping you safe.

For more information on technology and cybersecurity, keep reading our technology blog.