Virtually all security professionals agree that the most secure means of managing all of our long, complex, and unique passwords that we have for all of our different accounts (you do use long, complex, and unique passwords, don’t you?) is to use a password manager. But a just-published research paper showed that just using a password manager does not help users have strong passwords. Rather, users have to use a password manager in all three of the phases of managing passwords in order for it to be effective.
Prior research has shown that those who use password managers do not always have strong passwords. What is coming to light is that it’s not a fault of the password managers but rather how these password managers are being used. For example, a study in 2017 showed that many users are misusing password managers.
Users are creating weak passwords–those that are easy to memorize–and then storing them in the password manager, instead of relying on the password manager’s built-in random password generator.
And despite the fact that a password manager can store an unlimited number of unique passwords, users are instead storing the same password over and over in the password manager, leading to password reuse.
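The two misuse patterns above can be checked for in a vault export. The following is an added example, not code from the research paper or from this post: it generates a password with a CSPRNG and flags reused and low-strength entries. The function names, the 80-bit threshold, and the sample vault are assumptions, and the character-pool estimate is a crude upper bound that flatters human-chosen passwords.

```python
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=20):
    """Creation phase: draw every character from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def charset_bits(password):
    """Upper-bound estimate: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0

def audit_vault(entries, min_bits=80):
    """Return (reused, weak) for a list of (site, password) pairs.

    reused: groups of sites that share one password.
    weak:   sites whose password scores below min_bits (assumed threshold).
    """
    by_password = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
    reused = sorted(sorted(s) for s in by_password.values() if len(s) > 1)
    weak = sorted(site for site, pw in entries if charset_bits(pw) < min_bits)
    return reused, weak

# Constructed sample vault: three memorable passwords (one reused) and one generated.
SAMPLE_VAULT = [
    ("mail.example", "Summer2019!"),
    ("shop.example", "Summer2019!"),
    ("bank.example", "fluffy123"),
    ("forum.example", generate_password()),
]

if __name__ == "__main__":
    reused, weak = audit_vault(SAMPLE_VAULT)
    print("reused across:", reused)
    print("below threshold:", weak)
```

Only the generated entry passes both checks; the memorable passwords are flagged as weak even though they are stored in the vault.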
Use Password Managers – and Use Them Correctly
This latest research paper presented at the USENIX security conference clearly demonstrated that “password managers indeed influence password strength and reuse,” according to the researchers. But this is only when users use a password manager for all three phases of handling passwords:
- Password creation (using the manager’s built-in password generator),
- Password storage (saving the uniquely generated passwords in the manager),
- Password entry (using the manager to enter the passwords into the online prompts that ask for a password).
In the words of the researchers, “Using a workflow . . . from password creation through storage to entry leads to stronger passwords.” Passwords that are entered manually into a prompt instead of using the password manager’s automatic entry feature are weaker, as are passwords that are created and stored in a manager that does not have a built-in password generator (like the Auto-Fill feature of the Google Chrome web browser).
So, the big takeaway is that password managers do work–but only if we use them for password creation, storage, and entry.