
Users don't understand how attacks occur

Many users think that an outside attacker will not be able to guess, for example, their spouse's name. If they knew that attackers use password dictionaries, which often include common first names, they might realize that such a password is actually fairly easy to guess.

In addition, many users assume that attacks always come from the outside. Unfortunately, this isn't true. Discontented and former employees account for up to 65% of security breaches, according to the FBI [Handley, 2002]. If the attacker is inside the company, they probably know or can find out things such as a spouse's name, children's names, and any number of other commonly used password items. (For some examples of common passwords, see the end of Section 2.1.)
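One way to apply both points when a password is set is to reject candidates that reduce to a common first name or to a personal detail colleagues could know. This is an added example, not part of the original text; the name list, the personal details and the function names are constructed for illustration.

```python
import re

# Constructed sample: a tiny stand-in for the first-name portion of a
# password dictionary. A real deployment would load a much larger list.
COMMON_FIRST_NAMES = {"michael", "jennifer", "david", "sarah", "james", "linda"}

# Undo common character substitutions ("S@rah", "J4m3s") before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _strip_ends(text):
    """Drop digits and punctuation stuck onto either end ("priya2003")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def candidate_forms(password):
    """Return the base words a password may be disguising.

    Both orders are tried: stripping first handles "S@rah1985!", while
    substituting first handles "$arah99", whose first letter is a symbol.
    """
    low = password.lower()
    stripped = _strip_ends(low)
    return {stripped, stripped.translate(LEET), _strip_ends(low.translate(LEET))}


def guessable_reason(password, personal_tokens):
    """Explain why a password is easy to guess, or return None.

    personal_tokens: names an insider could know or look up, such as a
    spouse's or children's names (hypothetical input from an HR record).
    """
    forms = candidate_forms(password)
    personal = {token.lower() for token in personal_tokens}
    if forms & personal:
        return "personal detail known to insiders"
    if forms & COMMON_FIRST_NAMES:
        return "common first name"
    return None


if __name__ == "__main__":
    family = ["Priya", "Tomas"]  # constructed personal details
    for pw in ["Priya2003", "T0mas", "J4m3s!", "$arah99", "correct-horse-battery"]:
        print(f"{pw!r}: {guessable_reason(pw, family)}")
```

The personal-detail check is done first because it is the one an outside dictionary would miss but a discontented or former employee would not.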

Terri 2004-01-05