Why We All Pick Terrible Passwords (The Psychology of password123)
We blame people for weak passwords, but password123 is the rational answer to an impossible request. The behavioural science of cognitive load, decision fatigue, and why the fix isn't nagging.
My first password, the one I made at maybe fourteen, was the name of my dog followed by the year. My dog has been dead for a decade and I'd bet money a version of that password still guards something I own. I'm a person who builds authentication software for a living, who can lecture you for an hour on signature counters and phishing resistance, and I still have to physically stop myself from typing the dead dog into the box. If I'm this bad at it, with all my professional incentives screaming otherwise, what hope does a normal human with an actual life have? None. And that's not a moral failing. That's the design working exactly as intended.
We love to treat bad passwords as a character flaw. The user is lazy, the user is careless, the user should know better. Every security awareness training is basically a finger-wag dressed up as a slideshow. But I've come to believe the opposite. Picking a terrible password is the rational response to an impossible request, and the people choosing password123 are doing something quietly sensible. Let me explain why, with the appropriate amount of self-incrimination.
Your brain has a budget, and passwords are a terrible purchase
There's a concept in psychology called cognitive load, which is just the formal way of saying your brain has a finite working budget and everything you do spends some of it. Remembering things, especially meaningless strings of characters with no story attached, is one of the most expensive purchases on the menu. Your memory evolved to hold faces, paths home, and which berries make you vomit. It did not evolve to hold K7$mxQ2!vrL9, and it resents being asked. Every time you invent a password, some ancient part of your brain runs the numbers and quietly votes for the cheapest option that clears the bar.
Stack that against the sheer volume. The average person now has somewhere north of a hundred online accounts. A hundred. Nobody is generating and memorizing a hundred unique high-entropy strings, and anyone who claims to is either lying or using a password manager, in which case the manager is doing the remembering and they're proving my point. Asking a human to be a vault for a hundred distinct secrets isn't a security policy. It's a practical joke that the entire industry has been playing on people for thirty years while acting surprised at the results.
Decision fatigue, or why the good intentions die by noon
Here's a thing that's well documented and deeply funny once you notice it: the quality of your decisions degrades over the course of a day as you make more of them. The famous study of parole judges found they granted parole more often right after a meal break (later re-analyses have questioned how much of that was fatigue, but the pattern shows up everywhere you look). Shoppers buy worse the longer they're in the store. Your willpower isn't a fixed trait, it's a draining battery, and by the time some website demands a password at 4pm on a Thursday, you are running on fumes. The version of you that swore last January to take security seriously is not the version of you currently being asked to invent a twelve-character secret just to read an article about a knife.
So you do the thing. You reach for the password you already have, the one your fingers know, the dead dog and the year. It's not a decision so much as a reflex born of exhaustion. And honestly? Given the constraints, it's the efficient move. You've got actual things to think about. Spending precious end-of-day brainpower on the login for a forum you'll visit twice is, from your brain's accounting perspective, a bad trade. The terrible password is your brain refusing to overpay.
Nobody picks password123 because they're stupid. They pick it because they're out of budget and the website is the third thing this hour demanding the impossible.
Memorability beats security every single time
If you want to understand password behavior, internalize one rule: when memorability and security are in tension, memorability wins. Always. It's not close. A password you can't remember is a password that locks you out, and getting locked out has an immediate, concrete cost — the password reset dance, the email link, the "your new password can't match your last five" gauntlet of despair. Whereas the cost of a weak password is abstract, distant, and probably won't land on you specifically. We are wired to dodge the pain we can feel today over the pain we can only imagine.
Reuse isn't laziness, it's arithmetic
Password reuse gets the harshest moralizing, and it deserves the least. Think about what reuse actually is: a person facing a hundred locks and a brain that can hold maybe three keys, deciding to use the same key on most of the doors. That's not laziness. That's a reasonable allocation of an impossibly scarce resource. The math of the situation forces it. You cannot remember a hundred unique secrets, so you cluster them, and the clustering is rational even though it's catastrophic, because one breach now unlocks your whole life. The behavior is sensible and the outcome is a disaster, which is the most frustrating kind of problem there is.
And then there's the "I'll fix it later" trap, my personal favorite because I live in it. You use the weak reused password now, fully intending to come back and harden it once things calm down. Things never calm down. Later is a place that doesn't exist. The temporary password becomes the permanent one through nothing but the steady gravity of more urgent things, and five years on it's still there, faithfully guarding your stuff with all the rigor of a screen door. I have these. You have these. The fix-it-later password is the most common species of password on Earth.
The fix is not "try harder." It's removing the test.
So here's where I land after years of staring at this. Every solution that involves humans being more disciplined is going to fail, because it's fighting against memory, fatigue, and basic arithmetic — three opponents that do not lose. Telling people to pick better passwords is like telling them to be taller. The instruction is clear and the compliance is impossible. We've spent three decades nagging, and the most popular password on the internet is still, embarrassingly, some flavor of 123456. The nagging doesn't work because the nagging was never the bottleneck.
The only real fix is to stop asking the question. Take the secret out of the human's head entirely and put it somewhere that's actually good at holding secrets — the hardware in your pocket. That's the whole idea behind passkeys, and it's why I spend my days on Paswad instead of writing yet another guide to choosing strong passwords. When your device holds a cryptographic key you never see, never type, and never have to remember, every single problem in this article evaporates. No cognitive load, because there's nothing to load. No decision fatigue, because there's no decision. No reuse, because the key is unique by default and you didn't have to do anything to make it so. The terrible-password problem isn't solved by better humans. It's solved by not requiring humans to be vaults in the first place.
I'll probably never get to delete the dead dog from every dusty account it still guards. But I've stopped feeling guilty about it, and I've stopped believing the guilt was ever the point. The password was a bad idea executed on the worst possible hardware: us. We did our best. Our best was password123, and it turns out that was the only sane answer to an insane question.
Frequently asked questions
Why do people pick weak passwords even when they know the risks?
Because knowing the risk doesn't change the underlying constraints. Memory is limited, willpower drains through the day, and most people juggle over a hundred accounts. A weak, memorable password is the rational response to an impossible demand. The risk feels abstract and far away, while the pain of forgetting a strong password is immediate, so memorability wins every time.
Does forcing complex password rules actually help?
Not much, and often it backfires. Rules like "add a number and a symbol" don't make people invent randomness; they make people bolt a 1 or a ! onto the word they were already going to use, and every password-cracking tool ships with exactly those transformations as rules, so the extra characters cost the attacker almost nothing. Forced resets are worse: they produce trivial variations like Summer2024 becoming Summer2025, which anyone holding the old password guesses on the first try. Each rule adds friction without adding real strength, because it fights human memory instead of working with it.
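To show the cracker's side of that answer, here is an added example in Go (not code from the original post, and not Paswad's). It applies a handful of standard wordlist mangling rules to the word "summer", checks which results would sail through a typical complexity checker, and predicts the post-reset password by bumping a trailing year. The policy (eight characters, upper, lower, digit, symbol), the rule list and the sample word are assumptions chosen for illustration, not anything the article specifies.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// MeetsPolicy models a typical complexity rule (assumed for illustration): at least 8
// characters with an upper-case letter, a lower-case letter, a digit and a symbol.
func MeetsPolicy(pw string) bool {
	if len(pw) < 8 {
		return false
	}
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	return upper && lower && digit && symbol
}

// Mangle applies a few of the rules every wordlist attack runs against every word:
// capitalise the first letter, leet-substitute, and append the usual suffixes.
func Mangle(word string) []string {
	caps := strings.ToUpper(word[:1]) + word[1:]
	leet := strings.NewReplacer("a", "@", "e", "3", "i", "1", "o", "0", "s", "$").Replace(word)
	suffixes := []string{"", "1", "123", "!", "1!", "2024", "2024!", "2025", "2025!"}
	var out []string
	for _, base := range []string{word, caps, leet} {
		for _, s := range suffixes {
			out = append(out, base+s)
		}
	}
	return out
}

// PolicyCompliant returns the mangled variants a complexity checker would accept;
// these are exactly the "strong" passwords people end up choosing.
func PolicyCompliant(word string) []string {
	var ok []string
	for _, v := range Mangle(word) {
		if MeetsPolicy(v) {
			ok = append(ok, v)
		}
	}
	return ok
}

// BumpYear predicts the post-reset password: find a trailing four-digit year
// (optionally followed by a symbol such as "!") and add one to it.
func BumpYear(old string) (string, bool) {
	core, suffix := old, ""
	for len(core) > 0 && !unicode.IsDigit(rune(core[len(core)-1])) {
		suffix = string(core[len(core)-1]) + suffix
		core = core[:len(core)-1]
	}
	i := len(core)
	for i > 0 && unicode.IsDigit(rune(core[i-1])) {
		i--
	}
	if len(core)-i != 4 {
		return "", false
	}
	year, _ := strconv.Atoi(core[i:])
	return core[:i] + strconv.Itoa(year+1) + suffix, true
}

func main() {
	hits := PolicyCompliant("summer")
	fmt.Printf("%d of %d variants of \"summer\" pass the policy: %v\n", len(hits), len(Mangle("summer")), hits)
	next, _ := BumpYear("Summer2024!")
	fmt.Println("predicted reset:", next)
}
```

Of the 27 variants only Summer1!, Summer2024! and Summer2025! satisfy the policy, and all three are one rule application away from the dictionary word; the checker has filtered the cracker's candidate list down for it rather than adding strength.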
Is password reuse really that bad?
Yes, because it turns a single breach into a master key for your whole digital life. One leaked site exposes every account sharing that password. The frustrating part is that reuse is a rational response to having too many accounts and too little memory — the behavior makes sense even though the outcome is genuinely dangerous.
If passwords are this broken, what's the alternative?
Passkeys. Instead of asking your brain to store a secret, your device generates a separate cryptographic key pair for each site and keeps the private half where you never see or type it, unlocked locally with your face, fingerprint or device PIN. The site only ever stores the public half, so a breach of the site leaks nothing reusable, and because the key is bound to that site, a look-alike phishing page gets nothing either. That removes cognitive load, decision fatigue, and reuse in one move, because there's no memorable secret to get wrong. The fix isn't trying harder; it's removing the test entirely.
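To make the passkey idea in the article body and in this answer concrete, here is an added Go example (not code from the original post, and not Paswad's implementation) of the challenge-response that replaces the memorised secret. The authenticator holds one P-256 private key per relying party and only ever releases signatures; the relying party keeps the public key and the last signature counter it saw. The message layout, names and the example.com / evil.example sites are simplified assumptions in the spirit of WebAuthn, not the spec's exact encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is the authenticator's signed login response (simplified, assumed layout).
type Assertion struct {
	Counter uint32
	Sig     []byte
}

// Authenticator is the hardware in your pocket: one private key and counter per site.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey
	counters map[string]uint32
}

// Register mints a P-256 key pair bound to rpID and hands out only the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// signedDigest is what gets signed: SHA-256(rpID || counter || challenge), so one site's signature never verifies at another.
func signedDigest(rpID string, counter uint32, challenge []byte) []byte {
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	d := sha256.Sum256(append(append([]byte(rpID), ctr...), challenge...))
	return d[:]
}

// Assert signs a challenge with the key bound to rpID; the browser supplies rpID from the real origin.
func (a *Authenticator) Assert(rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	a.counters[rpID]++
	ctr := a.counters[rpID]
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, ctr, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: ctr, Sig: sig}, nil
}

// RelyingParty is the server: it stores a public key and the last counter it saw, no secret.
type RelyingParty struct {
	ID          string
	Pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify checks the signature under rp.ID and the issued challenge, and rejects a counter that has not moved forward.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if as.Counter <= rp.lastCounter {
		return errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(rp.ID, as.Counter, challenge), as.Sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter = as.Counter
	return nil
}

// Demo runs one login, a replay of the same assertion, and a phishing attempt.
func Demo() (loginOK, replayRejected, phishRejected bool, err error) {
	auth := &Authenticator{map[string]*ecdsa.PrivateKey{}, map[string]uint32{}}
	site := &RelyingParty{ID: "example.com"}
	site.Pub = auth.Register(site.ID)
	ch := make([]byte, 32) // fresh random challenge per login
	if _, err = rand.Read(ch); err != nil {
		return
	}
	as, err := auth.Assert(site.ID, ch)
	if err != nil {
		return
	}
	loginOK = site.Verify(ch, as) == nil
	replayRejected = site.Verify(ch, as) != nil
	// No key exists for evil.example, and the captured assertion fails there because "example.com" is in the digest.
	_, noKey := auth.Assert("evil.example", ch)
	evil := &RelyingParty{ID: "evil.example", Pub: site.Pub}
	phishRejected = noKey != nil && evil.Verify(ch, as) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Run it and the three booleans come back true: the genuine login verifies, replaying the same assertion fails on the counter, and the phishing site gets neither a fresh signature nor any use out of a captured one. Nothing in the exchange is memorised, typed or shared between sites, which is the whole point.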