6 Desk Security Mistakes Employees Make Every Day

From passwords on sticky notes to sensitive contracts left in a pile by the printer, many office workers make the same basic security errors. Even our CSO staff is not immune to these common no-nos - but they are easy to fix (includes video).


READER FEEDBACK
SPAM 2 SCAM How 2 B e-SAFE
Sun, 2009-01-25 10:11

It is indeed difficult for ordinary people to remember (all) passwords particularly when:

* they have to make it 'strong' beyond recognition by all the rules floating around;
* change them frequently resulting in a dozen different passwords, used for various reasons at various sites; and
* leaving them with no choice but to write it down on sticky notes or use more sophisticated tools such as 'password generators' which store their passwords on a memory 'stick'.

This author however believes that there is an easier but more effective way, as described in this recent book 'SPAM 2 SCAM How 2 B E-SAFE', available from CreateSpace (https://www.createspace.com/3355182).

Check it out. Also please feel free to pass this around. Let us help as many netizens as possible.

Erwin Fischer
Wed, 2009-01-28 12:41

This behavior will not change if humans have no means to perceive risks related to the handling of information items. Education is one way (see feedback above) but a purely rational approach will fail.

In normal life risk decisions are based on intuition, not an evaluation of a full decision tree. It needs the input of the value at risk quickly perceivable by a human. It took quite a while before a considerable portion of the world population started to perceive a value proxy like paper money as valuable. Only through an established ‘feeling’ of value these paper slips received better treatment.

To make some other example. The value of handwritings was well known to monks, but outside the scholar community books were more valued for their inflammability, with known consequences in history. The dangers of radioactive radiation could not be perceived by early scientists. Only after understanding the values at risk and introducing means to perceive this radiation they were able to change to more adequate handling procedures.

Information technology has done little to build on this and take the human element seriously in this (wo-)man-machine system. There are no feedback mechanisms flagging consistently problematic actions, distinguishing high from low risk interactions.
But even the machines are mistreated. At least in interaction between COTS-systems, which make up the bulk of today’s information processing, there are no common standards in use, signaling what treatment a (valuable) information chunk should receive, which of the available(!) security mechanisms should be applied in processing by the target system.

There’s a lot to do, not only on the desk.

A nonny mouse
Wed, 2009-02-25 17:33

I am a security professional and I will admit to being somewhat lax regarding my cubicle security. The company resolved that on my behalf by re-modeling our office space and making (most) everyone "mobile employees", meaning that we have no permanent desk space. We have lockers & laptops and can sit anywhere that there is an available workstation. The stated purpose of the change was to cut down on cubicles (we have a ratio of 1.8 people per workspace) and allow for more workspaces per square foot; the side benefit is that we HAVE to clean up our desks every night as we may not be sitting at the same space the next day!

Anonymous
Mon, 2009-06-29 17:29

This is very true being a security professional and handling sensitive issues as needed; when someone enters my office they look on my desk first before they look me in my face to talk....lol.....lol

I know this because I work on (termination of persons reports and photos, incident reports, accident reports and investigation reports); paperwork is covered and/or face down when @ my desk working and entry to my office is restricted. No Housekeeping staff is allowed entry to my office, unless I am present (even on my days off) and all important paperwork is shredded as needed before being placed inside trash canisters.
