Why people (don’t) use password managers effectively

Daniel Tkacik

Aug 16, 2019

Password managers generate complex, hard-to-guess passwords, and perhaps more importantly, they remember them for you. Sounds pretty great, given the plethora of accounts we deal with on a daily basis, right? Surprisingly, very few people use them.

“People don’t use password managers at the rate that you’d expect,” says Sarah Pearman, a Societal Computing Ph.D. student. “When they do use them, there’s a good chance they’re not using them effectively.”

People don’t use password managers at the rate that you’d expect.

Sarah Pearman, Ph.D. student, Societal Computing

A recent study by a team of CyLab researchers, including Pearman, provides some insight into how ineffectively people may be using password managers, potentially nullifying the benefits the managers are meant to provide.

The study, titled “Why people (don’t) use password managers effectively,” is being presented at this week’s Symposium On Usable Privacy and Security in Santa Clara, Calif.

In the study, the researchers interviewed 30 participants about their password practices. Nine participants didn’t use any password-specific tools at all, 12 participants used password managers built into web browsers or operating systems, and nine participants used 3rd-party separately installed password managers.

Two women standing at a podium

Source: Carnegie Mellon University's College of Engineering

Societal Computing Ph.D. student Sarah Pearman (left) and Language Technologies Institute Ph.D. student Shikun Aerin Zhang (right) present their study at the Symposium On Usable Privacy and Security in Santa Clara, Calif.

Not surprisingly, among the participants who didn’t use password-specific tools, some said that re-using passwords made it easy for them to remember them. One participant liked keeping his passwords listed in a note on his phone because he could bring the list with him anywhere.

“I know it’s dumb, but I save them in my phone in my notes,” said one participant. “So if someone has my phone, I’m through, right?”

Some participants in this first group were simply unaware that password managers existed. Others were reluctant to use password managers for other reasons, like concerns over the single point of failure (i.e. the master password required to use password managers).

“One thing I found to be most interesting was the reluctance to give up control of their passwords,” says Shikun Aerin Zhang, a Ph.D. student in the Language Technologies Institute and a co-author on the study. “They didn’t want to use randomly generated passwords because then they wouldn’t know their passwords.” 

Participants who used browser built-in password managers generally said that they did so because they saw prompts asking them to, or out of convenience to use features like autofill. None said they were using them for security reasons.

“It’s a no-brainer,” said one participant. “I’m 68 years old and I don’t want to have to remember more than I have to.”

Eleven of the 12 participants in this group said they were re-using passwords, further illustrating convenience as the main motivation for using built-in password managers.

“We had one participant in this group who said a person broke into her accounts because she used the same password for all accounts,” says Zhang. “She had banks calling her. She had to change everything. Now she’s using randomly-generated passwords, and wishes she had done that before.”

The researchers also encountered some participants who used 3rd-party password managers, but were using old passwords for their master password, or kept copies of their master passwords in an email folder or on a notepad.

“It’s like having a safe, but the key to that safe is everywhere,” Zhang says.

It’s like having a safe, but the key to that safe is everywhere.

Shikun Aerin Zhang, Ph.D. student, Language Technologies Institute

Given what they heard from participants in the study, the researchers recommend that password manager developers focus deeply on user experience design and usability testing.

“Don’t just see if a user can use the password manager for five minutes,” Pearman says. “See if they can transition their whole internet life over to it successfully and not get stuck somewhere.”

Lastly, the researchers say one additional barrier to taking passwords more seriously is that people have a misconception that their passwords are not at much risk. Some people think they are not important enough that anyone would want their passwords, or that attackers can only get their password by sitting in front of a computer and typing in guesses. 

“In reality, attackers use automated password-cracking tools that make billions of guesses very quickly,” says Pearman. “They try to crack as many passwords as they can, and then they try using those passwords to login to lots of different accounts. You’re a lot better off with a randomly-generated password that is harder for such systems to guess.”

Other authors on the study included CyLab faculty Lujo Bauer, Nicolas Christin, and Lorrie Cranor.