Study Explores Why Many People Don’t Use a Password Manager

One of the easiest ways for hackers to gain access to accounts is to simply guess passwords. Hackers use lists of commonly used passwords and passwords that have been obtained in previous data breaches, and just try each one until the right one is guessed. This automated process can take seconds if particularly weak passwords are used to secure an account.

Brute force tactics only work because a lot of users fail to change default passwords, set weak passwords, or reuse passwords across multiple platforms. In the case of the latter, if there is a breach of one platform, the password can then be used to access all other accounts where it has been set.

Having – and enforcing – a password policy that requires users to set complex passwords will help to ensure that strong passwords are set, but employees often still set weak passwords and circumvent their employer’s password policy. For instance, setting a password of Password1! to meet the lower/upper case, number, and special character requirements.

The most secure passwords are randomly generated long passwords, but these are almost impossible to remember. The easiest way to get around this problem is to use a password manager. Password mangers can generate long, complex, random passwords, and save them securely in a password vault. A long, complex, and unique password can be created for all accounts, and the user will only need to remember one password – The one that provides them with access to their password vault.

Password managers are inexpensive and some solution providers such as Bitwarden and LastPass offer good free tiers, which provide most of the functions standard users need for zero cost. With the great security benefits that come from password managers and a low or zero cost, it would be reasonable to assume that most people would use a password manager, yet many people do not.

A recent study conducted by the Wall Street Journal explored why only 10% of people use a password manager and why the usual strategies for persuading people to start using an IT solution are not working.

The push approach, where users are told about the dangers of passwords, is not effective. Even when warned about the risks, people did not generally respond and sign up. The pull approach was also found to be ineffective. This is where the benefits of password managers are sold.

The study identified several “mooring factors” that prevent people from making a change. One of the main reasons is the effort involved. If you are already using a password manager, switching to a different provider is simple. You just export your passwords and import them into the new solution. The problem is getting started in the first place as it means entering passwords into the solution manually or setting new passwords for all accounts – Both options are time consuming.

Then there are issues with trust. Many people do not trust password manager developers, even though secure password storage is their primary business. Many password manager developers operate under the zero-knowledge model, and do not have access to users’ vaults, but there are still issues with trust.

Another key issue that needs to be overcome is the problem of what happens if the master password for the password manager is forgotten. That would mean no passwords could be accessed and the user would be locked out of all their online accounts.

To get around these issues, the Wall Street Journal made several recommendations. Password manager developers should make it much easier for people to get started, such as providing a feature that allows passwords to be imported from web browsers or spreadsheets.

To get around the trust issue, it must be made clear that password managers really do operate under the zero-knowledge model and that the solutions are truly secure. Another solution is to go open source, as some password managers have – Bitwarden for example. That means the source code is open for anyone to examine.

Finally, to get around the loss of access, biometric authentication should be supported. If a passphrase for the password manager is forgotten, a fingerprint or iris scan could be used or face recognition technology could be implemented.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.