Despite Data Breaches, Password Manager Trust Issues Persist
Survey indicates 65 percent of users don’t trust password managers even though 58 percent report data hacks.
By Richard Seeley
December 4, 2020
Users are walking wide-eyed into danger. Data and IT security professionals must feel like they are watching a horror movie where the teenagers decide to go into a garage (where a maniac with a chainsaw is lurking) rather than get into a car and drive away. A recent survey indicates that although users fear cyber criminals who prey on people who use weak passwords, they resist using password managers.
"Protecting accounts and devices with a password is a primary method of securing data, but it presents its own problems, including how to remember all your passwords," states a report by PasswordManager.com, a company formed by analysts, researchers, and experts to promote internet safety. "One solution is using a password manager, a software application that generates hard-to-hack passwords and stores them in an encrypted database protected by one master password."
Instead of passwords built from your cat's name and birthday, this technology provides industrial-strength passwords that can be invoked automatically when you log in to each application, so you don't need to memorize them, which frustrates would-be hackers. However, a survey of 1,283 Americans aged 18-55+ conducted by PasswordManager.com and YouGov, a market research and data analytics company, found a majority of Americans don't trust password management technology.
Some survey results are sure to cause chief security officers to lose sleep: nearly 58 percent of Americans have experienced a data breach; 85 percent know that using the same password is risky; and 65 percent do not trust password managers.
The report describing the survey results notes that "... rather than using a password manager, the majority of Americans rely on many less secure methods of password management, including using the same passwords across multiple accounts. The reuse of passwords can actually lead to more data breaches -- once hackers have a password for one of your accounts, they will try to use it to access others."
Security experts warn that one employee using an easily guessed password, such as qwerty123, can expose corporate applications and databases to cybercriminals. In the COVID-19 era -- with large numbers of employees working from home on often minimally secured Wi-Fi networks -- the vulnerability may be greater than ever.
End users are aware of the dangers. The survey found that a significant number of respondents had experienced hacks of their personal data. Over one in five (21.1 percent) had a financial account breached, including banking, credit cards, and PayPal. Nearly as many (19.3 percent) suffered email hacks or had a social media account breached (18.8 percent).
Despite recognizing and experiencing the danger, users don't change their behavior. The PasswordManager.com survey report notes: "While the majority of people know that using the same password or a variation thereof is risky, 23.5 percent of survey respondents said they do it anyway. This reveals a level of cognitive dissonance when it comes to safe and smart password habits."
Reusing simple passwords may be common due to the sheer volume of accounts users need to log into for work or personal reasons. As PasswordManager.com pointed out: "A recent study found that the average person has 70-80 accounts that require passwords. Considering that many programs have specific password parameters in place, it's not surprising that people turn to a variety of tactics -- many of them risky -- to keep track of it all."
The survey found a variety of homegrown methods are being used to keep track of passwords:
- Nearly 40 percent of survey respondents said they write their passwords on paper
- Over one in five (22 percent) store passwords on their phone or another device
- Nearly a third (30 percent) said they rely solely on their memory
"Despite the fact that password managers exist to help people keep track of this information, only 22.5 percent of Americans use a password manager app," according to the survey report.
Lack of trust in companies providing password management technology is a significant roadblock to its adoption, PasswordManager.com explains: "Thirty-four percent of respondents said they worry that their password manager could be hacked, while 30.5 percent said they don't trust password manager companies with their information."
Improving Protection: Pessimistic Prospects
Multifactor authentication (MFA), which uses facial recognition, fingerprint, or security questions to access a device or account, is an alternative to passwords, but it is not in wide use, according to the survey. Slightly less than 10 percent of respondents said they would rather use MFA than password managers. "While MFA does provide better security than a password alone, it is still not a widely used security method," the report notes.
For those hoping a technology fix will help prevent data security breaches, the PasswordManager.com survey report paints a pessimistic picture: "Beyond not currently using a password manager, 48.4 percent of individuals say that nothing could motivate them to use one in the future."
Education is often viewed as a way to overcome resistance to new technology, but in the case of password managers, it may have to come from the school of hard knocks.
"Experiencing some type of data breach, including getting an important account hacked, or experiencing identity theft or financial losses, would motivate 35.8 percent of people to start using a password manager," the survey report concludes.
Rich Seeley is an editor at TDWI.