Another recent study on the use of passwords has identified a number of interesting facts about how passwords are reused. And one of the most interesting results of the study was information about the misuse of password managers.
In this most recent study the researchers were able to examine ("with careful attention to privacy," they noted) the password use information of 154 participants over 21 weeks. Those volunteers for the study used their own home computers that had special data collection software installed.
The results of the study were eye-opening. The researchers found that password reuse (using the same password, or a minor variation of it, on multiple accounts) was "extremely rampant." How rampant? Would you believe that four out of every five passwords a user enters are repeats of a password already used on another account? Yep, that's 80 percent. This number is much higher than previously thought. Of course, an attacker who compromises one reused password then holds the "master key" to many other accounts.
Another interesting result of the study concerned the websites on which users reused their passwords. The researchers found that passwords used on government websites tended to be reused less, perhaps because users considered government websites more important and recognized that reusing passwords there could be a security risk.
What's surprising is that passwords used for online shopping and job search websites are more likely to be reused.
Wait a minute. Don't most users have their credit card information stored on these online shopping sites? And don't job search websites often contain confidential information such as payroll and employment history?
Aren't these the very sites that should have strong passwords?
Yet perhaps the most surprising result of the research regarded the use of password managers. Despite the fact that security professionals universally recommend that users should use password managers to store their passwords, those words fall on deaf ears. In this study of 154 participants only 19 used a password manager.
Because password managers allow users to store virtually an unlimited number of unique passwords, we would assume that those users who took advantage of a password manager would have strong passwords and would not reuse passwords. But that was not the case: those who used password managers also extensively reused passwords--and they were weak passwords, too. That's entirely counter-intuitive.
The researchers speculate that those who are using password managers are misusing them.
How are they misusing them? First, users are probably creating weak passwords--those that are easy to memorize--and then storing them in the password manager, instead of relying on the password manager's built-in random password generator. And despite the fact that a password manager can store an unlimited number of unique passwords, users are instead storing the same password over and over in the password manager, leading to password reuse.
The study concludes that in their "current forms" password managers may not be the "panaceas" for password management. They recommend that changes to password managers may be needed to "better facilitate their use as random password generators for non-expert users." (Some password managers, like KeePass, do provide a strong unique password whenever a new entry is made but users can override this password with their own).
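The two misuse patterns described above (storing a memorable, weak password instead of a generated one, and storing the same password over and over) are both things a password manager could check for at save time. The script below is an added example, not code from the study or from any password manager: it audits a constructed, made-up vault export for reuse (counting minor variations such as a changed suffix or capitalization as the same password), flags weak entries, and shows the alternative the study recommends, a random generator built on Python's `secrets` module. The sample entries, the common-base list and the threshold values are assumptions chosen for illustration.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample vault export (site, password). Not real data.
SAMPLE_VAULT = [
    ("bank.example", "Summer2017"),
    ("shop.example", "Summer2017"),
    ("jobs.example", "Summer2017!"),
    ("gov.example", "vK9$tq2LmZ8@rW"),
    ("mail.example", "summer2017"),
    ("forum.example", "password1"),
]

# Assumed list of memorable bases that users commonly build passwords on.
COMMON_BASES = {"password", "summer", "welcome", "letmein", "qwerty"}

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def normalize(password):
    """Collapse minor variations (case, trailing digits/punctuation) so that
    'Summer2017', 'summer2017' and 'Summer2017!' count as one password."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def find_reuse(vault):
    """Return {normalized_password: [sites]} for passwords used on 2+ sites."""
    groups = defaultdict(list)
    for site, password in vault:
        groups[normalize(password)].append(site)
    return {base: sites for base, sites in groups.items() if len(sites) > 1}


def reuse_rate(vault):
    """Fraction of vault entries whose (normalized) password is also used elsewhere."""
    if not vault:
        return 0.0
    reused_sites = sum(len(sites) for sites in find_reuse(vault).values())
    return reused_sites / len(vault)


def is_weak(password):
    """Weak if short, low in character variety, or built on a common base.
    Thresholds are assumptions, not values from the study."""
    classes = sum(1 for cls in CHAR_CLASSES if any(c in cls for c in password))
    return len(password) < 12 or classes < 3 or normalize(password) in COMMON_BASES


def generate_password(length=20):
    """Random password with at least one character from every class,
    the kind a manager's built-in generator should be producing."""
    if length < len(CHAR_CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CHAR_CLASSES)
    chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def audit(vault):
    """Per-site findings: which entries are reused and/or weak."""
    reused = find_reuse(vault)
    findings = []
    for site, password in vault:
        issues = []
        if normalize(password) in reused:
            issues.append("reused")
        if is_weak(password):
            issues.append("weak")
        findings.append((site, issues))
    return findings


if __name__ == "__main__":
    print(f"reuse rate: {reuse_rate(SAMPLE_VAULT):.0%}")
    for site, issues in audit(SAMPLE_VAULT):
        print(f"{site:16} {', '.join(issues) or 'ok'}")
    print("suggested replacement:", generate_password())
```

On the constructed vault, four of the six entries are variations of one memorable password, so the reuse rate is about 67 percent, and every one of them is also flagged as weak; only the generated-looking `gov.example` entry passes. A manager that ran a check like this when a new entry is saved, rather than silently accepting whatever the user typed, would address the "non-expert user" gap the researchers describe.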
In the meantime, here are our recommendations:
The content in this post would be especially useful in a section of your course dealing with privacy and security. Here are some questions you might assign to students or use as discussion questions in class:
Never used a password manager before or would just like some tips? Watch our video created specifically for instructors: Use a Password Manager!
Suggestions for password managers you can use: 10 Best Password Manager of 2017
Tell your friends how they can use passwords correctly:
Click here to read the full study, "Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat".