What Keeps People From Using Password Managers?
Many of us are vulnerable to hackers and eager to secure our online accounts, but lots of us also refuse to use an obvious solution: password managers.
Why? Our research has found that the typical reassurances and promises about password managers just don’t work. Fortunately, our research also suggests there are strategies that can persuade people to get past the psychological barriers and keep their data safe.
For the unfamiliar, a password manager stores your passwords securely and lets you access them with just one master password. Some password managers will fill in your password for you when you go to a website where you already have an account, and some will generate a strong password on your behalf.
Not so simple
In a study I conducted with my Ph.D. student Norah Alkaldi, we found that the two most common methods of persuasion were ineffective in getting people to adopt password managers. The first is the “push” approach—the idea that by showing people the dangers of using simple passwords, recording passwords on their computer or using the same passwords at different sites, we would push them to adopt a safer approach. Users, we found, don’t respond to the push strategy.
Managing Passwords
Multiple passwords—especially strong ones—are difficult to keep track of. A password manager can help, but many people don’t have a clear understanding of how they work. Here are the basics.
1. Creating a master password
After downloading a password manager, you need to create a master password that will give you access to all the passwords you store with the manager. As with any password, one good way to create a strong master password that you’ll be able to remember is to use a phrase unique to you, like mydogfido’sbirthdayisnovember19.
2. Master password saving
Managers don’t hold your master password, so they can’t access your passwords. If you forget your master password, you won’t be able to access them either, unless the manager you use also offers access through a fingerprint or facial recognition. Even if you’ve created a memorable master password, it’s important to keep a record of it. Write it down and store it in a safe location at home.
You can manually enter your passwords in the manager. When you need to create a new password, the manager will suggest one. Some will analyze all your passwords and suggest changes to weak ones.
All the passwords you enter in a manager are encrypted to protect them against hackers.
The manager will plug in the passwords you have stored as you visit the applicable sites. Many managers will sync your passwords across all your devices.
The other, “pull,” approach—focusing on the positives of password managers—didn’t deliver any better results.
With neither push nor pull nor their combination working, it isn’t surprising that only 10% of users have adopted password managers. It is as if there is a glass ceiling preventing password-manager usage across the population.
We wanted to find out why. We discovered two types of “mooring factors” that keep people from changing their behavior. They are seldom addressed when people are trying to persuade others to use password managers, but they have a powerful impact.
First, there was the effort required to enter all your passwords into the password manager. Many people have some of their passwords stored in their browsers, others written down somewhere and yet more memorized.
The second type of mooring factor involves concerns. People don’t trust the developer of the password manager: Why, they wonder, should they give the keys to their online world to a password-management company that they neither know nor trust?
People also fear they will lose all their passwords if they forget their master password. (My father dubbed those concerns about personal limitations “forgettories” after forgetting passwords of his own.)
Getting unmoored
All are valid concerns that are easily addressed.
First, the effort of migrating account credentials to the password manager should be acknowledged. Developers should focus their attention on easing the password-manager setup process as much as possible, perhaps importing people’s passwords from their browsers or from other repositories such as spreadsheets.
Second, when it comes to not trusting the password-management company, people should be reminded that these companies are in the business of storing passwords securely. They cannot afford to store passwords insecurely, because their entire business is built on the trust that comes from doing this well.
To that end, the source code of a password manager could be open and available to anyone to examine. Even though the average user couldn’t understand the code, influential experts could—and spread the word about the safety of using the password manager.
Some password managers permit access via a fingerprint or face biometric. Other password managers can ease users’ concerns about forgetting the master password by encouraging them to write down that password on a piece of paper and store it in a locked drawer or safe at home. Online hackers won’t be able to get hold of it, and users can refer to it whenever they need to.
Then, once users know they won’t forget it anymore, they can feel comfortable destroying the record. Or they can leave it there so that if anything happens to them, their nearest and dearest will be able to close all their accounts without having to struggle with online companies or provide legal certificates to tie up all the loose ends.
Users can also be encouraged to use a memory from childhood as a password—early teens are best. All humans have a memory bubble from that stage of their lives, and these memories will endure throughout adulthood. They are also probably not in any online database. So, for example, you can use a telephone number your parents had when you were young. You could also use an old address. So, if you lived at 3279 Dipdale Road when you were 10 years old, your password could be “3279 Dipdale Road aged 10.” Unless you’re still living there, in which case you might use the name of your 4th-grade teacher, the one who made you read that boring book: “Miss Amy’s Boring Book” or “Mrs. Mellville-Smith hated chewing gum.” The funnier you make the password, the more likely you are to remember it.
Those promoting password managers are currently relying on suboptimal strategies to encourage adoption. If we continue to do this, the glass ceiling will remain in place, uncracked. Improving adoption is a simple matter of explicitly addressing the mooring factors and raising awareness of the advantages of password managers and the risk of not using them. It is not that hard to do.
Dr. Renaud is a Chancellor’s Fellow at the University of Strathclyde in Glasgow, Scotland. Dr. Alkaldi is assistant professor in the Department of Computer Science at King Saud University’s College of Computer and Information Science in Saudi Arabia. They can be reached at [email protected].
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.