Breaking the Password Myth

Passwords

Most people are guilty of tweaking the same password across countless accounts, reasoning that it makes the passwords easier to remember. Just add a “1” or an exclamation point and call it a day. This common strategy might not be as clever or as convenient as some think.

Professor of Cyber Security and MIS Mikko Siponen is co-author of the study “Questioning a security assumption: Are unique passwords harder to remember than reused or modified passwords?” published in Computers & Security. The research challenges the deeply held assumption that unique passwords are too hard to remember. Siponen and co-author Naomi Woods (University of Jyväskylä in Finland) found that unique passwords are easier to recall than reused or slightly modified ones.

A large-scale experiment involving thousands of password entries over several weeks was conducted with participants divided into groups that created either unique passwords, reused passwords, or “modified” passwords—those that use a single base word with small variations, such as “Siponen1,” “Siponen2,” or “SiponenUA.”

Participants who used unique passwords remembered them more easily and entered them correctly more often than those who relied on reused or modified versions.

The reason, Siponen explained, comes down to a psychological concept known as interference theory. “If you reuse or slightly change passwords, you may remember a password, but for the wrong account,” he said. “That confusion makes it seem like your memory is bad, when really it’s just interference between similar passwords.”

The research found that users’ confidence in their memory didn’t correlate with actual performance. People underestimated their ability to remember unique passwords.

So, what’s the takeaway for the average internet user juggling dozens of logins? Siponen said while password managers can still be effective tools, those who prefer to manage passwords manually might do better than they think, as long as each password is truly unique.

“If you use password management software, this issue isn’t as relevant, because the program stores and generates passwords for you,” he said. “But if you remember your passwords yourself, our findings show that unique ones are the easiest to keep straight.”

He also emphasized the importance of multi-factor authentication and keeping any written password records secure.

The research took several years to design and included two experiments lasting 10 and 12 weeks each, producing more than 20,000 recorded password entries, making it one of the most extensive password memory studies to date.

Siponen hopes the findings will help reshape how people think about online security and themselves.

“Much of it comes down to psychology,” he said. “People believe they can’t remember unique passwords, so they don’t even try. But our study shows they can—and that belief might be one of the biggest security risks of all.”

Media Inquiries

Zach Thomas

Director of Marketing & Communications