"Would You Give the Same Priority to the Bank and a Game? I Do Not!" Exploring Credential Management Strategies and Obstacles during Password Manager Setup

Authors: 

Sabrina Amft, CISPA Helmholtz Center for Information Security; Sandra Höltervennhoff and Nicolas Huaman, Leibniz University Hannover; Yasemin Acar, George Washington University and Paderborn University; Sascha Fahl, CISPA Helmholtz Center for Information Security and Leibniz University Hannover

Abstract: 

Password managers allow users to improve password security by handling large numbers of strong and unique passwords without the burden of memorizing them. While users are encouraged to add all credentials to their password manager and update weak credentials, this task can require significant effort and thus jeopardize security benefits if not completed thoroughly. However, user strategies to add credentials, related obstacles, and their security implications are not well understood. To address this gap in security research, we performed a mixed-methods study, including expert reviews of 14 popular password managers and an online survey with 279 users of built-in and third-party password managers. We extend previous work by examining the status quo of password manager setup features and investigating password manager users' setup strategies. We confirm previous research and find that many participants utilize password managers for convenience, not as a security tool. They most commonly add credentials whenever a website is visited, and prioritize what they add. Similarly, passwords are often only updated when they are considered insecure. Additionally, we observe a severe distrust towards password managers, leading to users not adding important passwords. We conclude our work by giving recommendations for password manager developers to help users overcome the obstacles we identified.

BibTeX
@inproceedings {289506,
author = {Sabrina Amft and Sandra H{\"o}ltervennhoff and Nicolas Huaman and Yasemin Acar and Sascha Fahl},
title = {"Would You Give the Same Priority to the Bank and a Game? I Do {Not!}" Exploring Credential Management Strategies and Obstacles during Password Manager Setup},
booktitle = {Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023)},
year = {2023},
isbn = {978-1-939133-36-6},
address = {Anaheim, CA},
pages = {171--190},
url = {https://www.usenix.org/conference/soups2023/presentation/amft},
publisher = {USENIX Association},
month = aug
}
