Survey Reveals Serious Password Manager Mistake That Puts Millions at Risk of Identity Theft

Passwords are often a security weak point, but not because of the level of security they provide. If a sufficiently long password is set following password best practices, the account would be well secured. A password of 15 characters containing upper- and lower-case characters, numbers, and symbols would take about a billion years to crack using the GPUs currently available, according to a study by Hive Systems. Increase it to 18 characters, and cracking the password would take 438 trillion years! The problem with passwords is the humans who use them.

Since so many passwords now need to be set to protect accounts, it is inconvenient to set a long and unique password for every account, and impossible for most people to remember them all. This is why security experts recommend using a password manager. A password manager will suggest strong and unique passwords and will encrypt them in a secure password vault. The passwords will also be filled into the login boxes when required, so they do not need to be typed or remembered. All that is required is for the user to set and remember one long, complex password – the one that secures their password vault.

In theory, a password manager will greatly improve security, but in practice that is not always the case. A recent security.org report has shown that some users of password managers make a fundamental mistake that puts them at risk of identity theft and fraud: a mistake so serious that every one of their accounts is at risk. A password manager can significantly improve security, but it is only as good as its weakest link. The weakest link is usually the master password that secures the password vault because if that password is compromised, all passwords in the password vault will be compromised. This is the most commonly cited fault with password managers, as you are putting all of your eggs in one basket.

The security.org report revealed that one-quarter of people are making a grave error with their master password: they are reusing, as their password manager's master password, a password that they also use on other accounts. Worse, that terrible security practice is increasing in prevalence. 25% of respondents this year said they use their password manager master password for other accounts, compared to 19% last year. Currently, 45 million Americans use a password manager, which is approximately 13.5% of the population of the United States. If the survey is representative of the country as a whole, that means more than 11 million Americans reuse their master password on other accounts. That is a very alarming finding, as one of the main security benefits of a password manager is to prevent exactly this security howler. The master password for the password manager MUST be unique, long, and complex, as that is the one password used to protect users' entire digital lives.
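The two rules the article lays down for a master password (long and complex, and never reused on any other account) can be checked against a vault export before it is trusted. The following is an added example written for this article, not code from security.org or from any password manager; the vault entries are constructed sample data, and the `site`/`password` field names are an assumption about a generic CSV-style export.

```python
import hmac
import string
from collections import defaultdict


def has_all_classes(pw: str) -> bool:
    """True if pw contains upper-case, lower-case, digit and symbol characters."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def audit_master_password(master: str, vault: list[dict], min_len: int = 15) -> list[str]:
    """Return a list of findings; an empty list means the master password passes.

    Checks the length/complexity guidance quoted in the article and, crucially,
    whether the master password is identical to any password stored in the vault.
    """
    findings = []
    if len(master) < min_len:
        findings.append(f"master password is shorter than {min_len} characters")
    if not has_all_classes(master):
        findings.append("master password lacks one of: upper, lower, digit, symbol")
    master_bytes = master.encode()
    for entry in vault:
        # constant-time comparison; also returns False for differing lengths
        if hmac.compare_digest(master_bytes, entry["password"].encode()):
            findings.append(f"master password reused for {entry['site']}")
    return findings


def find_reused_passwords(vault: list[dict]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the list of those sites."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample export (field names and values are assumptions for this example).
SAMPLE_VAULT = [
    {"site": "mail.example", "password": "Correct-Horse-Battery-9!"},
    {"site": "shop.example", "password": "Correct-Horse-Battery-9!"},
    {"site": "bank.example", "password": "x7#Vq9$LmT2!pR4wZ"},
]

if __name__ == "__main__":
    print(audit_master_password("Correct-Horse-Battery-9!", SAMPLE_VAULT))
    print(find_reused_passwords(SAMPLE_VAULT))
```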

The Password Manager Annual Report 2022 is based on a survey of 1,047 adults in America and was conducted in November 2022. The survey confirmed that using a password manager greatly reduces the risk of identity theft. Individuals who did not use a password manager experienced identity theft at three times the rate of those who use a password manager correctly (i.e. they set a unique master password) – 35% versus 12%. The survey revealed that almost half of the password manager users who had experienced identity theft used their master password on at least one other account.

The survey also explored why people use a password manager. Out of the individuals who currently use a password manager, 65% started using one because they had too many passwords to remember, 54% said they use one to be able to easily access accounts across multiple devices, 51% used one to generate complex passwords, and 46% said they use them to manage multiple logins for certain applications. 37% said they use them to encrypt their passwords, and 19% of people said they use one so they only need to remember one password.

There was an even split between work and personal password use. 50% of respondents who use a password manager said they only do so for personal use, 46% use one for both personal and work purposes, and 4% only use one for work. It should be noted that many employers use single sign-on, so employees only need to have one password, which greatly reduces the benefits of a password manager for work use.

The survey also indicates major changes in the user base of different password managers. In 2021, LastPass was the most popular password manager, but recent data breaches appear to have hurt its market share, dropping it from first place in 2021 to fourth place in 2022. Bitwarden has increased its market share, helped by very competitive pricing, and is now in third place with a 10% market share. iCloud Keychain is second with 17%, and Google Password Manager is now the most popular with a 23% market share. The top three market-leading password managers are free to use, although with Bitwarden there is a charge ($10 per user per year) for the full product. Currently, two out of three users of password managers use a product that is free.

As for the reasons why password managers are not used, joint top of the list – each cited by 28% of respondents – were that people are not sure they need one and that they believe password managers are not secure. 16% of respondents said password managers cost too much, 15% of people said they don't know how password managers work, and 12% said they are hard to set up. These findings suggest there is an education problem. Password managers are in fact secure if they are used correctly – i.e. a strong, unique master password is set. It should be noted that the two data breaches this year at LastPass (which were related) did not involve a compromise of user passwords.

The top four password managers in terms of market share (based on this survey) are free to use or have a free tier, so cost is not an issue. Password managers are also easy to use and configure. 69% of people who currently do not use a password manager said they would consider using one, and 31% of those who do not use one said they would not. Interestingly, of those who would consider a password manager, 39% had suffered identity theft or fraud in the past, compared to 20% of those who refuse to use a password manager. Identity theft or fraud could be the factor that changes people's opinions on the need to improve password security.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news