Send email Copy Email Address

Annabelle Theobald

How password managers need to improve

Online stores, social media accounts, online banking - internet users need passwords everywhere. These passwords should be as long and complex as possible in order to adequately secure the accounts. A mammoth mental task or even worse: creating a pile of endless sticky notes with passwords. Password managers can help here. However, the added security they provide is often not fully realized in practice, as setting up the tools correctly is often cumbersome and time-consuming. This is shown by a qualitative study by CISPA researcher Sabrina Amft. She explains where users fail and has recommendations for developers on how to better design their tools.

Password managers are much more than just the digital equivalent of a password notebook. The programs not only archive the login data for various internet services, they also have two other useful functions: They can generate very strong and complex passwords for users and they are able to verify whether users are really logging in to the advertised website and are not just being lured to a fake site. "In order for the helpful functions of these programs to really work, users have to set them up correctly. And that's often a lot of work," says Sabrina Amft. Sabrina works CISPA Faculty Prof. Dr. Sascha Fahl's team in Hanover. Amft's study "'Would You Give the Same Priority to the Bank and a Game? I Do Not!' Exploring Credential Management Strategies and Obstacles during Password Manager Setup" does not provide representative figures. Rather, the researcher is interested in taking stock of how the tools are actually used and what obstacles are encountered when configuring them. In collaboration with research colleagues from CISPA, Leibniz University, George Washington University and Paderborn University, she surveyed 279 users of password managers and examined 14 popular tools and how they work. 

Password management on the assembly line

"In our experience, users often have one password that they use in a modified form for many accounts. It is also not uncommon for this to be rather weak. Password managers allow them to create a unique, complex password for each account and manage it easily. However, they must first create a new password for their existing accounts and save it in the password manager. With an average of 100 Internet accounts per person, this is no easy task," says Amft, explaining the problem. And so it is not surprising that her study shows that users usually do not include all their internet accounts in the programs. "What is surprising, however, is that they don't do this for conflicting reasons. For example, some stated that they do not include so-called trash accounts, i.e. accounts that are unimportant to them, in the password manager because security is not so important. Others, for example, did not enter important data such as their online banking password because they don't trust password managers enough." 

Justified concern or overcaution?

There have been attacks on major password managers such as LastPass or Norton in the recent past. "So the concern is not entirely unfounded," says Amft. According to the researcher, the consequences of such attacks can vary. "If the manufacturers have proper encryption, then hackers can steal the encrypted data set, but ultimately they have to put a lot of energy into trying to access the data." A report in the IT trade magazine Heise from September 2023 shows that attackers are not shying away from this effort. Cybercriminals are now able to crack the password vaults that they were able to capture last year via a third-party cloud system and thus obtain access data to crypto wallets and empty them - in other words, steal cryptocurrencies such as Bitcoin. The provider Norton Life Lock warned its users in January 2023 that hackers had attempted to gain access to customer data by trying out popular passwords en masse - and were successful in some cases. All the more reason to protect the password managers themselves with a very strong password. Despite the two cases, it is clear to Amft that the decision against password managers is generally the worse choice: "Weak passwords that are used for more than one account are a much bigger security problem than password managers. Not least because incidents with password managers are communicated and compromised data is reported."

Convenience before security

Amft's survey of password manager users shows once again what has also been shown in many other studies: Convenience takes precedence over security for most users. Many of those surveyed stated that they used the tools primarily because they wanted to save themselves the trouble of entering and managing passwords. "Security is more of a secondary factor for them," says Amft. It is therefore not surprising that almost none of the study participants chose the most secure way of entering all accounts and updating the associated passwords to a stronger alternative. The majority of users, on the other hand, stated that they only transfer accounts and their passwords to the password manager when they visit the relevant sites in their everyday lives. "In addition to the fact that entering all accounts directly is very time-consuming, the fact that many users do not have an overview of their internet accounts plays a role here," explains Amft. The majority of respondents stated that they had replaced at least some passwords with more secure alternatives. 

Integrated password managers are used differently

Differences in usage behavior were particularly evident in the comparison between password managers that were purchased separately and those that are integrated into most browsers today. "People are often not even aware that they are using a password manager when they store their passwords in Google Chrome or Mozilla Firefox, for example."

Passwords are rarely entered manually in the integrated versions of the programs. Convenience and efficiency are even more important to their users. "It's actually a good sign when security tools are designed in such a way that users hardly notice that they are using them. In the past, the integrated versions of password managers were unfortunately often not secure enough, but there has been progress in recent years." When asked for a recommendation, Amft advocates programs that also work offline. "The data is then only stored locally on the device. Unfortunately, it's a little  inconvenient to synchronize these programs on multiple devices ."

Recommendations for developers

"Some providers already have promising approaches. For example, some password managers scan websites visited by users and their email accounts in order to generate a list of suggestions for where a password has been created in the past. If such scans only run locally, they can also be implemented in compliance with data protection regulations," explains Amft. Displaying popular pages could also be a solution if scanning is not possible. "We also need more automation overall. The process of adding and updating passwords must be designed in such a way that it runs as smoothly as possible. The import of existing passwords must also be made secure. Password managers should offer their own interfaces for this so that no local password lists have to be stored in plain text." According to Amft, developers could counter the mistrust of programs by introducing data protection labels that evaluate the encryption and other security mechanisms used and give users an easy way to assess the security of the programs. "To make the tedious task of collecting passwords easier, a playful approach could also be fruitful. Users should be motivated by incentives to record their accounts and replace weak passwords." This is the only way to finally make the password notebook a thing of the past.