Why Don’t People Use Password Managers?

With so many passwords to create and remember, keeping track of those passwords can become a problem. Best practices for creating passwords include setting a unique password for every account and ensuring the password is strong and difficult to guess. Complex passwords are difficult to remember so users often reuse the same password for multiple accounts, change each password only slightly, or write them down on a Post-It note, in a book, or in a file on their computer. All of these practices are very risky.

Take password reuse for example. Reusing a password on multiple accounts means that if one password is obtained in a security breach, all other accounts will be at risk. Password spraying attacks are common and take advantage of password reuse. Usernames and passwords obtained in one data breach are used to try to access accounts on an unrelated platform.

Storing passwords in plaintext, whether that involves physically writing them down or storing them in an unencrypted file on a computer is also risky. If a computer is hacked or the Post-It is found, all accounts can be breached.

The easiest solution by far is to use a password manager. A password manager includes a secure password generator for generating unique and complex passwords, and the passwords are then encrypted in securely stored in the user’s password vault. They are then auto-filled on websites whenever they are visited. They make following password best practices easy, so why do so many people refuse to use them?

Password Manager Myths

There are several password manager myths that can easily be busted. The truth is that using a password manager of virtually any type is better than the alternative – password reuse or other terrible security practices.

I store passwords in my browser so don’t need a password manager

Browser-based password managers are convenient, but from a security perspective, they are not particularly good. Even browser-based password managers that encrypt passwords have flaws that can be exploited. Browser-based password managers are not as secure as software-based dedicated password managers. Many malware variants are able to steal passwords from browsers, and browsers such as Chrome and Edge keep a record of sites visited where either a password has been entered or a user has told the browser password manager that they do not want to store their password. With that information, a brute force attack to guess the password becomes much easier.

Unnecessary Cost

Personal password managers are not expensive and represent great value for the security they provide, but there are password managers that offer great security that can be used free of charge such as Bitwarden and LastPass. You won’t get all the features if you don’t pay, but you will get enough to make using the free password manager worthwhile, and it will certainly improve security.

It takes too much time

Using a password manager does not take up much time. In fact, it takes less time than using an alternative system. When a password is entered for a website, the password manager will prompt the user to store the password. That can be done with a single click in most cases. Every time the user visits that site in the future, the password will be suggested and auto-filled. That is much faster than typing in a password.

Password managers are not secure

A common myth is that a password manager is not secure when that is certainly not the case. Most password managers now operate on a zero-knowledge basis, where the developer has no access to a user’s passwords. If a password manager provider suffered a data breach, all passwords in the user’s vault could be obtained, but since passwords are encrypted, that isn’t a problem. There is an issue if the user’s master password for accessing their vault is compromised, so it is important to ensure that a long passphrase is used and to set up 2-factor authentication.

I already have a good system

Let’s be honest. You don’t. What you have is a system. The problem is hackers are well aware of how people get around following password best practices, and systems can usually be worked out. Do you replace letters with numbers? Add numbers or a symbol to the end of your current password? Using modern GPUs, passwords can be cracked very quickly and any system or pattern makes it even easier.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news