I found this TED talk called ‘What’s wrong with your Pa$$w0rd?’ and it looks at a survey conducted at a university campus in the USA which asked people what formats they used for their passwords and then did some statistical analysis on that data.
To summarise, the findings are that people choose passwords that suit them. Not only do they try to choose passwords that are easy to type, remember and come up with, but they choose passwords that are meaningful to them. For example, monkeys were the most popular animal used in a password and the users say things like ‘Monkey is my nickname’ or ‘Monkeys are cute’ (see 15:21 in the talk).
This makes me think that by asking a human to choose a password we are asking a human to solve a machine problem. Machines and humans are good at different things. Are there other examples, studies or thought leaders looking at this interaction between humans and machines for security?