Password Managers: You’re Doing It Wrong

May 21

Are you using your password manager correctly? A study out of UC Berkeley finds that many people are falling back on lazy password habits that make these security tools less effective.

By Neil J. Rubenking

If we’ve told you once, we’ve told you a million times—get a password manager and use it! Judging from the financial success of the password manager market, you’re paying attention. But are you using your password manager correctly?

Stuart Schechter, Lecturer and Course Lead for UC Berkeley’s Usable Privacy and Security track, worries that you’re not. So much so that he encouraged his graduate students to find out just what you’re doing. At the virtual RSA security conference this week, Schechter and grad student David Ng revealed their findings.

The Password Is Dead; Long Live the Password

Schechter harked back to a 2004 prediction from Bill Gates, who said we’d be using passwords less and less. “Microsoft spoke of eradicating passwords, as if they were a disease, like smallpox,” said Schechter. “But a separate camp bet on passwords multiplying, not going away.” He took a deep dive into the evolution of password managers, along with events like Microsoft’s 2006 release of CardSpace intended to end passwords (it didn’t), and its declaration that Windows 10 meant the end of passwords (it didn’t).

Using a password manager has one intrinsic risk: you've put all your eggs in one basket. If an attacker gets hold of both your vault and your master password, every credential in it is exposed. Against that stands a long list of benefits, among them protection against phishing scams.

“You rely on your password manager to enter a password that you don’t even know. If you hit a phishing site, the password manager won’t fill it,” said Schechter. “You’ll have to go look it up in the password manager, and that alone is a big clue that you’re being phished.”

In an earlier study, Schechter and a colleague evaluated the ability of individuals to remember strong passwords. The good news? They determined that almost anyone can memorize a very strong password. The bad news, though, is that doing so required 20 to 30 training sessions no less than half an hour apart, and that the password could be forgotten if not used regularly.

The security benefits of a password manager rest on three assumptions: that users memorize a strong master password; that they let the manager generate random passwords; and that they replace any passwords that are weak, reused, or compromised. But are those assumptions accurate? Rather than opting for optimism in the absence of data, Schechter encouraged his graduate students to seek out the truth.

Data, Data, Data

So, did the participants use a strong master password? Very few had the password manager generate one that they then memorized. A much larger group worked up a password using some kind of mnemonic, as we at PCMag often suggest. Alas, though, the largest group admitted to reusing a familiar password as the master key to their password managers.

You can use a password manager to save keystrokes while leaving all your passwords set to 12345678 or some other terrible password. Proper use, of course, requires that you change those weak passwords to something generated by the password utility. The study found that barely a fifth of those relying on Chrome’s built-in password manager ever let it generate passwords. About half of those relying on third-party utilities took advantage of this feature.

The study went on to examine how (and whether) participants used the security dashboard, the feature that flags weak, duplicate, and compromised passwords. Results were discouraging. Even participants who agreed that the tool had correctly identified passwords needing replacement rarely did anything about it. Reasons included that it was too much work, or that they worried updating the password could cause a problem.

Don’t Assume People Know What They’re Doing

“Do not assume that people will choose strong master passwords,” Schechter said. “Do not assume that they’ll use passwords created by the password manager. And do not assume that they’ll replace weak, reused, or compromised passwords, even when reminded.”

How about you? You have a password manager, right? Have you checked its dashboard? Have you replaced those lame, easily guessed passwords? If not, it’s time you got serious.

Originally published at PC Magazine.
