Studying the Impact of Managers on Password Strength and Reuse

TL;DR

This study systematically examines how password managers influence password strength and reuse, revealing they generally improve security but depend on user strategies and features like password generators.

Contribution

First large-scale analysis of password managers' impact on real user passwords, including entry methods and user strategies, providing new insights into their effectiveness.

Findings

Password managers generally improve password strength and uniqueness.

Benefits of password managers depend on user strategies and features.

Managers without password generators may worsen security issues.

Abstract

Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically. In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.