Maybe IT needs to tone down its security awareness efforts. New research by psychologists into password strength delivered the non-intuitive conclusion that users who are well briefed on the severity of security threats will not, as IT had hoped, create stronger passwords to better protect themselves.

They actually tend to create much weaker passwords because the briefings make them feel helpless, as if any efforts to defend against these threats are pointless.

The research, from a Montclair State University study — detailed in a story from The Atlantic — suggests that IT staffers need to make sure that they emphasize how powerful a defense passwords, PINs and secure phrases can be against threats, at least until we are able to deploy better authenticators.

Prof. Stanislav Mamonov, who oversaw the study, said the results had been unexpected. “The reason, Mamonov thinks, has a lot to do with people’s perceptions of surveillance,” the Atlantic story said. “He guessed that study participants would have wanted to protect themselves against it. Instead, he says, the magnitude of the threat seems to have instilled a sense of helplessness that made them less likely to put an effort into securing themselves.”

This is just wacky enough to be true. It makes sense that, when users try to internalize things such as Yahoo’s half-billion users getting breached and a huge DDoS attack made via IoT devices, they might feel that no defense — at least nothing a user can do, such as choosing a password — is enough to defend against these attacks.

But that’s looking at it wrong. Yes, these huge attacks are, sadly, part of a normal IT day. Each user, though, only has to defend one person’s data.
A complicated password — or an even longer, but memorizable, password phrase — can help, especially if the user never, ever uses the same password/phrase for more than one service.

Users who want to keep their own data safe might think of the use of truly strong passwords as something like that old shark defense: When swimming in shark-infested waters, use the buddy system — if a shark attacks, give him your buddy.

In other words, your password only has to be stronger than those of your colleagues. Attackers will spend only so much time on any one account. At a certain point, it’s no longer cost-effective, so they’ll move on to another. The secret is to make sure that the time it takes to crack your credentials is more than the thief can justify. This works as long as most of your colleagues use easy passwords.

Another analogy is the two friends who find themselves being pursued by a tiger. The first guy starts running fast. “What are you doing?” the other friend asks. “You can’t outrun a tiger.” The reply: “I don’t have to outrun the tiger. I merely have to outrun you.”

Your password doesn’t have to be beyond the capabilities of the cyberthief. It simply needs to be better than most of your colleagues’ passwords.