Password Managers: You’re Doing It Wrong

PCMag (PC Magazine), May 21, 2021

Are you using your password manager correctly? A study out of UC Berkeley finds that many people are falling back on lazy password habits that make these security tools less effective.

By Neil J. Rubenking

If we’ve told you once, we’ve told you a million times—get a password manager and use it! Judging from the financial success of the password manager market, you’re paying attention. But are you using your password manager correctly?

Stuart Schechter, Lecturer and Course Lead for UC Berkeley’s Usable Privacy and Security track, worries that you’re not. So much so that he encouraged his graduate students to find out just what you’re doing. At the virtual RSA security conference this week, Schechter and grad student David Ng revealed their findings.

The Password Is Dead; Long Live the Password

Schechter introduced himself as that guy who was wearing an N95 mask at last year’s RSAC, an oddball among a sea of naked faces. He noted this wasn’t due to any kind of prescience about the coronavirus pandemic, but rather an aversion to making optimistic assumptions in the absence of data. Likewise, without any data he can’t assume that consumers are using password managers as they should.

Schechter harked back to a 2004 prediction from Bill Gates, who said we’d be using passwords less and less. “Microsoft spoke of eradicating passwords, as if they were a disease, like smallpox,” said Schechter. “But a separate camp bet on passwords multiplying, not going away.” He took a deep dive into the evolution of password managers, along with events like Microsoft’s 2006 release of CardSpace intended to end passwords (it didn’t), and its declaration that Windows 10 meant the end of passwords (it didn’t).

Using a password manager has one intrinsic risk—you’ve put all your eggs in one basket. In the unlikely event that an attacker gets hold of your vault and cracks its master password, you’re in trouble. The benefits of using a password manager are myriad, among them protection against phishing: the manager only offers to fill a login on the site where that login was saved, so a look-alike domain gets nothing.

“You rely on your password manager to enter a password that you don’t even know. If you hit a phishing site, the password manager won’t fill it,” said Schechter. “You’ll have to go look it up in the password manager, and that alone is a big clue that you’re being phished.”

In an earlier study, Schechter and a colleague evaluated the ability of individuals to remember strong passwords. The good news? They determined that almost anyone can memorize a very strong password. The bad news, though, is that doing so required 20 to 30 training sessions no less than half an hour apart, and that the password could be forgotten if not used regularly.

All the benefits of using a password manager depend on three assumptions: We assume that users will memorize a strong password; that they’ll rely on the password manager’s ability to generate random passwords; and that they’ll change any passwords that are weak, reused, or compromised. But are those assumptions accurate? Rather than opting for optimism in the absence of data, Schechter encouraged his graduate students to seek out the truth.

Data, Data, Data

Grad student David Ng went into great detail about how the group found their participants, winnowing an initial pool of almost 2,500 people down to about 100 who had used a password manager for more than five months; managed at least five passwords; and were willing to provide a screenshot of their password manager’s security dashboard.

So, did the participants use a strong master password? Very few had the password manager generate one that they then memorized. A much larger group worked up a password using some kind of mnemonic, as we at PCMag often suggest. Alas, though, the largest group admitted to reusing a familiar password as the master key to their password managers.

You can use a password manager to save keystrokes while leaving all your passwords set to 12345678 or some other terrible password. Proper use, of course, requires that you change those weak passwords to something generated by the password utility. The study found that barely a fifth of those relying on Chrome’s built-in password manager ever let it generate passwords. About half of those relying on third-party utilities took advantage of this feature.

The study went on to examine how (and whether) participants used the security dashboard’s ability to identify weak, duplicate, and compromised passwords. Results were discouraging. Even participants who agreed that the tool had correctly flagged passwords needing replacement rarely did anything about it. Reasons included that it was too much work, or that they worried updating the password could break something.
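What the two features discussed above (letting the manager generate passwords, and acting on the dashboard’s weak/reused/compromised flags) boil down to, as an added example that is not code from PCMag, the presenters, or any real password manager: a CSPRNG-backed generator, plus the classification a security dashboard performs over a vault. The vault entries, the common-password list and the breach-hash set are all constructed for this example. The only real-world detail borrowed is the 5-character SHA-1 prefix convention of Have I Been Pwned’s range endpoint, which `hibp_range_parts` mirrors without making any network call.

```python
"""Added example (not from PCMag or the UC Berkeley study): a toy model of a
password manager's generator and security dashboard. All vault data, the
common-password list and the breach-hash set below are constructed."""
import hashlib
import secrets
import string
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Letters, digits and a punctuation set most sites accept.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Generate a password from the OS CSPRNG via the `secrets` module.
    `random.choice` would be the wrong tool: its generator is predictable
    from a small amount of output, which defeats the point of generating."""
    if length < 12:
        raise ValueError("refuse to generate passwords shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for a manager's built-in list of notorious passwords.
COMMON_PASSWORDS = {"12345678", "password", "qwerty123", "letmein"}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form breach-lookup services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hibp_range_parts(password: str) -> Tuple[str, str]:
    """Split the hash into the 5-char prefix a client sends to a k-anonymity
    range endpoint (HIBP's /range/{prefix}) and the 35-char suffix it compares
    locally against the returned list. The full hash never leaves the client."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def audit_vault(vault: Dict[str, str], breached_hashes: Set[str]) -> Dict[str, List[str]]:
    """Classify vault entries the way a security dashboard does.
    `vault` maps site -> password. `breached_hashes` is a set of uppercase
    SHA-1 digests standing in for the breach corpus a real manager queries."""
    findings: Dict[str, List[str]] = {"weak": [], "reused": [], "compromised": []}
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
        # Weak: too short, or on the well-known list (case-insensitive).
        if len(pw) < 12 or pw.lower() in COMMON_PASSWORDS:
            findings["weak"].append(site)
        # Compromised: hash appears in the breach set.
        if sha1_upper(pw) in breached_hashes:
            findings["compromised"].append(site)
    # Reused: the same password guards more than one site.
    for pw, sites in sites_by_password.items():
        if len(sites) > 1:
            findings["reused"].extend(sites)
    for key in findings:
        findings[key].sort()
    return findings


# Constructed sample vault: one terrible password, one phrase reused on two
# sites, one short-but-complex password, and one properly generated one.
SAMPLE_VAULT = {
    "bank.example": "12345678",
    "mail.example": "correct horse battery staple",
    "shop.example": "correct horse battery staple",
    "forum.example": "Tr0ub4dor&3",
    "work.example": generate_password(),
}

# Constructed breach set: pretend the reused phrase and 12345678 have leaked.
SAMPLE_BREACHED = {sha1_upper("correct horse battery staple"), sha1_upper("12345678")}


def sample_findings() -> Dict[str, List[str]]:
    """Run the dashboard audit over the constructed vault."""
    return audit_vault(SAMPLE_VAULT, SAMPLE_BREACHED)


if __name__ == "__main__":
    for category, sites in sample_findings().items():
        print(f"{category:12s} {', '.join(sites) or '-'}")
    print("range query parts for 'password':", hibp_range_parts("password"))
```

Note that `work.example` never shows up in any category: a generated 20-character password is neither short, on the common list, reused, nor (absent a breach of that one site) in the breach set, which is the whole point of letting the manager generate it. The k-anonymity split is what lets a dashboard check the breach corpus without disclosing the password or even its full hash.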

Don’t Assume People Know What They’re Doing

Ng wrapped up the presentation with a warning to security experts and individuals. Just because people have password managers doesn’t mean they’re fully protected.

“Do not assume that people will choose strong master passwords,” he said. “Do not assume that they’ll use passwords created by the password manager. And do not assume that they’ll replace weak, reused, or compromised passwords, even when reminded.”

How about you? You have a password manager, right? Have you checked its dashboard? Have you replaced those lame, easily guessed passwords? If not, it’s time you got serious.

Originally published at https://www.pcmag.com.
