Dissecting Nudges in Password Managers: Simple Defaults are Powerful

Password managers offer a feature to randomly generate a new password for the user. Despite improving account security, randomly generated passwords (RGPs) are underutilized. Many password managers employ nudges to encourage users to select a randomly generated password, but the most effective nudge design is unclear. Recent work has suggested that Safari's built-in password manager nudge might be more effective in encouraging RGP adoption than that of other browsers. However, it remains unclear what makes it more effective, and even whether this result can be attributed to Safari's nudge design or simply its demographics. We report on a detailed large-scale study (n=853) aimed at clarifying these issues. Our results support that Safari's nudge design is indeed more effective than Chrome's. By dissecting the elements of Safari's nudge, we find that its most important element is its default nudge. We additionally examine whether a social influence nudge can further enhance Safari's RGP adoption rate. Finally, we analyze and discuss the importance of a nudge being noticed by users, and its ethical considerations. Our results inform RGP nudge designs in password managers and should also be of interest to practitioners and researchers working on other types of security nudges.