Writing a password down does not always mean writing it on paper. Users may also store passwords on their computers, often in an easily readable file on the Windows desktop or in their Unix home directory. This may be even more dangerous, because gaining access to a desktop machine can be fairly easy: if viruses and spyware can get in, a more determined attacker can too. For some systems, all it takes is a malicious email to gain access to all of the user's files.
Users may instead choose passwords that are simpler to remember, but also easier to guess. Some, such as the name of a spouse, child or pet, will be trivial for an attacker who knows the user to guess. Other users simply use their own name or initials, a favourite sport or team, things related to hobbies, artists, movie stars, birthdays or other significant dates. Even knowing the gender of the user can narrow the choices further: TheNetworkAdministrator.com [Chick, 2003] claims that while women will use their wedding date or their children's birthdays, men will rarely use those.
Other passwords are easily guessable even if the attacker does not know the user. In the movie Hackers [Moreu, 1995], it is claimed that the four most commonly used passwords are ``love", ``sex", ``secret", and ``god." Real passwords may not be quite so simple (although those words do appear in many password dictionaries), but other common choices include ``password" and the username itself.
Users also devise schemes for deriving each new password from the previous one. For example, a user might have the following sequence:
Adams and Sasse note that while this would seem to increase memorability and thus security, in reality people often confuse the list (which in practice is seldom as neatly aligned with the months), and end up having to write their passwords down anyway [Adams and Sasse, 1999].
Even without that problem, none of these passwords is particularly hard to guess with a dictionary attack. And once an attacker has recovered one password, guessing the next one in the sequence is easy, which further limits the value of forced password changes for locking out an intruder who has already gained access.
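To make the two points above concrete, here is an added example (not code from the text or from Adams and Sasse) of a mangling-rule dictionary attack against a scheme-derived sequence, followed by prediction of the next password once one member is known. The scheme assumed is a fixed base word followed by a month abbreviation or a short counter; the sample sequence, the wordlist and the use of plain SHA-256 as the stored hash are all constructed for the demonstration.

```python
"""Added example: why a scheme-derived password sequence collapses under a
mutation-based dictionary attack, and why one recovered password gives away
the next ones. The scheme (base word + month abbreviation or counter), the
sample passwords and the wordlist are assumptions constructed for this demo.
"""
import calendar
import hashlib
import re

MONTHS = [calendar.month_abbr[i] for i in range(1, 13)]  # 'Jan' .. 'Dec'

# Constructed sample: a user who rotates a base word with the current month.
SAMPLE_SEQUENCE = ["fluffyJan", "fluffyFeb", "fluffyMar"]

# Constructed wordlist standing in for a real password dictionary.
WORDLIST = ["password", "love", "secret", "god", "fluffy"]


def sha256_hex(text):
    """Unsalted SHA-256, standing in for a weak stored password hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def split_scheme(password):
    """Return (base, kind, suffix) if the password ends in a month
    abbreviation or a run of digits; None if no scheme is recognised."""
    m = re.fullmatch(r"(.*?)(" + "|".join(MONTHS) + r")", password)
    if m:
        return m.group(1), "month", m.group(2)
    m = re.fullmatch(r"(.*?)(\d+)", password)
    if m:
        return m.group(1), "digits", m.group(2)
    return None


def predict_successors(known, count=3):
    """Given one password from a scheme, return the `count` most likely
    next passwords (months wrap from Dec to Jan; counters keep their width)."""
    parsed = split_scheme(known)
    if parsed is None:
        return []
    base, kind, suffix = parsed
    if kind == "month":
        i = MONTHS.index(suffix)
        return [base + MONTHS[(i + k) % 12] for k in range(1, count + 1)]
    n, width = int(suffix), len(suffix)
    return [base + str(n + k).zfill(width) for k in range(1, count + 1)]


def mangle(word):
    """Yield the scheme-style variants of one dictionary word: the word
    itself, capitalised, plus month and 0-99 counter suffixes."""
    for w in (word, word.capitalize()):
        yield w
        for m in MONTHS:
            yield w + m
        for n in range(100):
            yield w + str(n)
            if n < 10:
                yield w + f"0{n}"   # zero-padded counter, e.g. 'fluffy07'


def dictionary_attack(target_hashes, wordlist):
    """Return {hash: plaintext} for every target hash hit by a mangled word."""
    wanted = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            h = sha256_hex(candidate)
            if h in wanted and h not in found:
                found[h] = candidate
        if len(found) == len(wanted):
            break
    return found


if __name__ == "__main__":
    hashes = [sha256_hex(p) for p in SAMPLE_SEQUENCE]
    cracked = dictionary_attack(hashes, WORDLIST)
    for h in hashes:
        print(h[:12], "->", cracked.get(h, "(not cracked)"))
    latest = cracked[hashes[-1]]
    print("next passwords after", latest, "are probably", predict_successors(latest))
```

Note that the whole sequence falls to a single base word plus a few hundred suffix rules, so the monthly change adds almost nothing to the attacker's work; and after the first crack, the successor list makes the "new" password a one-guess affair.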