The modern online world requires ordinary folks to remember dozens or even hundreds of passwords, so the aid of a password manager is essential. Getting all your existing passwords safely stored means you won’t forget them. But if you stop there, you’re missing the point. Now that you don’t have to rely on your own memory, you can and should change all the weak passwords to strong, unique ones. And of course, the master password that unlocks this trove must be something nobody could guess. Are you using your password manager correctly?
Stuart Schechter, Lecturer and Course Lead for UC Berkeley’s Usable Privacy and Security track, worries that you’re not. So much so that he encouraged his graduate students to find out just what you’re doing. At the 2021 virtual RSA security conference, Schechter and grad student David Ng revealed their findings. Yes, the study is from last year, but the problem remains unchanged.
The Password Is Dead, Long Live the Password
Schechter introduced himself as that guy who was wearing an N95 mask at the 2020 RSA Conference, an oddball among a sea of naked faces. He noted this wasn’t due to any kind of prescience about the coronavirus pandemic, but rather an aversion to making optimistic assumptions in the absence of data. Likewise, without any data he can’t assume that consumers are using password managers as they should.
Schechter harked back to a 2004 prediction from Bill Gates, who said we’d be using passwords less and less. “Microsoft spoke of eradicating passwords, as if they were a disease, like smallpox,” said Schechter. “But a separate camp bet on passwords multiplying, not going away.” He took a deep dive into the evolution of password managers, along with events like Microsoft’s 2006 release of CardSpace (intended to end passwords), and its declaration that Windows 10 meant the end of passwords. It didn’t, nor did Windows 11.
The benefits of using a password manager are myriad, among them protection against phishing scams. “You rely on your password manager to enter a password that you don’t even know. If you hit a phishing site, the password manager won’t fill it,” said Schechter. “You’ll have to go look it up in the password manager, and that alone is a big clue that you’re being phished.”
In an earlier study, Schechter and a colleague evaluated the ability of individuals to remember strong passwords. The good news? They determined that almost anyone can memorize one very strong password. The bad news, though, is that doing so required 20-30 training sessions no less than a half-hour apart and that the password could be forgotten if not used regularly.
All the benefits of using a password manager depend on three assumptions. We assume that:
users will memorize a strong password (the one that unlocks the password manager),
users will rely on the password manager’s ability to generate random passwords, and
users will change any passwords that are weak, reused, or compromised.
But are those assumptions accurate? Rather than opting for optimism in the absence of data, Schechter encouraged his graduate students to seek out the truth.
Data, Data, Data
Grad student David Ng went into great detail about how the group found their participants, winnowing an initial pool of almost 2,500 people down to about 100 who had used a password manager for more than five months; managed at least five passwords; and were willing to provide a screenshot of their password manager’s security dashboard.
So, did the participants use a strong master password? Very few had the password manager generate one that they then memorized. A much larger group worked up a password using a mnemonic device, as we at PCMag often suggest. Alas, the largest group admitted to reusing a familiar password as the master key to their password managers.
You can use a password manager to save keystrokes while leaving all your passwords set to 12345678 or some other terrible password. Proper use, of course, requires that you change those weak passwords to something generated by the password utility. The study found that barely a fifth of those relying on Chrome’s built-in password manager ever let it generate passwords. About half of those relying on third-party utilities took advantage of this feature.
The study went on to examine how (and whether) participants used the security dashboard feature’s ability to identify weak, duplicate, and compromised passwords. Results were discouraging. Even those participants who agreed that the password tool correctly identified passwords needing replacement didn’t often do anything about the problem. Reasons included that it was too much work, or that they worried updating the password could cause a problem.
Don’t Assume People Know What They’re Doing
Ng wrapped up the presentation with a warning to security experts and individuals. Just because people have password managers doesn’t mean they’re fully protected.
“Do not assume that people will choose strong master passwords,” he said. “Do not assume that they’ll use passwords created by the password manager. And do not assume that they’ll replace weak, reused, or compromised passwords, even when reminded.”
How To Do Passwords Right
You’ve seen that all too many people install a password manager and then don’t make proper use of it. Don’t be like them! Let their mistakes become your teachable moments.
Start with that master password. As noted, it protects your treasure trove of login credentials, so it has to be something that you can remember, but that nobody would guess. Follow our advice to turn a favorite poem or song into a password, or choose something unguessable from your personal life.
Don’t stop there! Enhance the protection of your treasured passwords by enabling multi-factor authentication. All the best password managers have it. Now even a malefactor who steals your unguessable password can’t get in, because only you have the other authentication factor. That factor could be biometric, or it could work through an app on the phone in your pocket (and nobody else’s).
Many password managers rate your saved passwords, flagging any that are lame, that you’ve used multiple times, or that have been exposed in a data breach. I know it’s tedious, but you must work through those and replace them all with long, strong new passwords. Start with the worst ones and do a few at a time, until all your passwords are perfect. You don’t have to think up those new passwords; your password manager will generate them for you.
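To make concrete what such a rating feature actually checks, here is an added example (not the article's or the study's code, and not any vendor's implementation) that audits a constructed vault for weak, reused and breached entries and generates replacements; the 12-character minimum, the three-of-four character-class rule and the hash-prefix lookup over a constructed breach list are assumptions.

```python
import hashlib
import secrets
import string
from collections import Counter
# Constructed sample vault (site, password); no real credentials.
VAULT = [
    ("bank.example", "12345678"),
    ("mail.example", "Tr0ub4dor&3"),
    ("shop.example", "Tr0ub4dor&3"),
    ("forum.example", "xK9#vLm2$pQw7!nRz4"),
]
# Constructed stand-in for a breached-password corpus, kept as upper-case
# SHA-1 hex the way range-query breach feeds publish it.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("12345678", "password", "Tr0ub4dor&3")}
def is_compromised(password: str) -> bool:
    # k-anonymity style: only the 5-char prefix would leave the device; the suffix is matched locally.
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_weak(password: str, min_len: int = 12) -> bool:
    # Assumed policy: at least min_len characters and 3 of 4 character classes.
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    classes = sum(any(t(c) for c in password) for t in tests)
    return len(password) < min_len or classes < 3

def audit(vault) -> dict:
    # Returns {site: [flags]} in the spirit of a security dashboard.
    uses = Counter(pw for _, pw in vault)
    report = {}
    for site, pw in vault:
        flags = []
        if is_weak(pw):
            flags.append("weak")
        if uses[pw] > 1:
            flags.append("reused")
        if is_compromised(pw):
            flags.append("compromised")
        report[site] = flags
    return report

def generate_password(length: int = 20) -> str:
    # Replacement from the OS CSPRNG, rejected if it would fail the weak check.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak(candidate, length):
            return candidate
```

Running `audit(VAULT)` flags the bank entry as weak and compromised, both entries sharing Tr0ub4dor&3 as weak, reused and compromised, and leaves the generated forum password clean.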
Maybe you’ve resisted using complex passwords because you don’t want to type them on your phone’s tiny keyboard? Resist no more! Install your password manager’s mobile app and link it to your account. Now logging in on the phone is a snap, especially if you enable biometric authentication in place of the master password.
Take the challenge and learn to use your password manager correctly. If enough of you do, perhaps the next study will show that some people are smart enough to get the full benefit of these useful programs.