You know two-factor authentication tokens, the ephemeral, six-digit numbers you use as a second layer of security when logging into, say, your email? Those constantly updating, randomly generated numbers are one of the easiest ways to protect your accounts from being hacked. But for some time now, I've harbored a pet conspiracy theory about those codes: Maybe they aren't as random as we're led to believe.

It began with an observation: My codes often seem to include elements that make them easier to remember. Elements like single-digit repeats (111 293; 134 441); multi-digit repeats (112 222); palindromes (353 595); ascending or descending sequences (345 564); repeating number order (618 514); and combinations thereof (876 565). Occasionally I'll get lemons, like 031 472 or 253 741, which are less appealing in an (admittedly vague) aesthetic sense and more difficult to remember. But more often than not, the passcodes that appear in my Google Authenticator app seem tailored to reduce the cognitive burden of storing them in my working memory, the short-term storage bin our brains use to stash information for a few precious seconds before forgetting it forever.

I'm not the only one who's had this sense about 2FA codes. When I mentioned it to my editor, her eyes lit up in recognition. Andy Greenberg, WIRED's senior security writer, told me the thought had crossed his mind. And when I asked cognitive psychologist Marisca Milikowski, an expert in people's knowledge of numbers, she said she'd noticed it too.

"Many of these numbers, they're really nice," she says to me while discussing the above examples, all of which recently showed up in my Authenticator app. "I mean, look at 876 565. When you get 876, it's like you only have one thing to remember. And when there's 565 behind it, well, that's a lovely pattern, too."

As it turns out, there's evidence that subjective qualities like loveliness are correlated with a number's memorability. In the 1990s, Milikowski conducted several studies on what makes numbers more or less easy to remember. In one, she found that, for numbers between one and 100, single-digit numbers, teen numbers (12-19), doubled numbers (11, 22, …, 99), and large tabled numbers (numbers that appear in multiplication tables, e.g. 49, 27, 36) made a more indelible impression on test subjects than the remaining, "Other" numbers, like, say, 37.

In another experiment, she had test subjects rate each number between 1 and 100 on a variety of scales, including a good-bad spectrum. The 12 top-rated numbers, in order of goodness, were 10, 100, 36, 8, 24, 66, 16, 4, 1, 88, 21, and 12. The 12 lowest-rated numbers were 37, 93, 41, 51, 39, 17, 13, 59, 29, 43, 53, and 67. Notably, all of the good numbers belonged to a privileged, more memorable category, all the bad numbers to the less memorable Other category. In a follow-up study, Milikowski found that, in a short-term memory task, test subjects were not only more likely to correctly recall all the numbers from the good list than the bad list; they were also far more inclined to misremember numbers from the "bad" list, recalling different Other answers like 63, 19, 83, and 79. That's precisely the kind of mistake you want to avoid making when reproducing a 2FA passcode.

Milikowski never studied 6-digit numbers, but at the end of our conversation, she hypothesizes that, deliberately or no, 2FA codes do include elements that improve their memorability. The big one, she says, is repetition: "Even when the passcode contains what I call 'bad' numbers, it is, I think, saved by the patterns."
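As a baseline for the patterns listed earlier, the following added example (not part of the original article) counts how often they would appear if every six-digit code were equally likely. The uniform distribution and the three pattern definitions in `patterns()` are assumptions of this example; "repeating number order" is left out because the article gives only one instance of it.

```python
from itertools import product

def patterns(code: str) -> set:
    """Return the pattern types (as defined in this example) found in a 6-digit code."""
    d = [int(c) for c in code]
    found = set()
    # Repeat: two equal digits side by side, e.g. 134 441.
    if any(a == b for a, b in zip(d, d[1:])):
        found.add("repeat")
    # Palindrome: either three-digit half reads the same both ways, e.g. 353 595.
    if d[0] == d[2] or d[3] == d[5]:
        found.add("palindrome")
    # Run: three neighbouring digits stepping by +1 or -1, e.g. 345 564 or 876 565.
    for a, b, c in zip(d, d[1:], d[2:]):
        if b - a == c - b and abs(b - a) == 1:
            found.add("run")
    return found

def census() -> dict:
    """Count, over all 1,000,000 codes, how many contain each pattern type."""
    counts = {"repeat": 0, "palindrome": 0, "run": 0, "any": 0}
    for digits in product("0123456789", repeat=6):
        found = patterns("".join(digits))
        for name in found:
            counts[name] += 1
        if found:
            counts["any"] += 1
    return counts

# Codes quoted in the article, spaces removed.
ARTICLE_CODES = ["111293", "134441", "112222", "353595",
                 "345564", "876565", "031472", "253741"]

if __name__ == "__main__":
    for code in ARTICLE_CODES:
        print(code, sorted(patterns(code)) or "no pattern")
    total = 10 ** 6
    for name, n in census().items():
        print(f"{name:10s} {n:7d}  {n / total:.1%}")
```

Under these definitions, about 41 percent of uniformly drawn codes contain an adjacent repeat and 19 percent have a palindromic half, so more than half of all codes show at least one of the three patterns. The two "lemons" quoted above, 031 472 and 253 741, match none of them.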