Do Password Managers Improve Password Hygiene?

Abstract

Password managers purport to increase users' security by improving password hygiene: generating unique random passwords when users create new accounts, replacing users' weak and reused passwords, and determining which sites are safe to send each password to. We conducted a study of password manager users to measure their password hygiene. While structured as a survey, we asked participants to upload anonymized screenshots with four hygiene statistics calculated by their password managers: the number of passwords their password manager classified as (1) reused, (2) weak, and (3) compromised, as well as (4) the total number of passwords stored. Regardless of password manager, most participants had weak or reused passwords that they confessed they `"should replace." Nearly a third (30%) had passwords that their password managers knew to be compromised and that the participants confessed they should replace. When creating new accounts, more than a third of participants using third-party password managers (29/81, 36%) and the majority of those using Chrome's password manager (48/61, 79%) preferred to "create a password myself" rather than "allow my password manager to create a random password for me.'" We also asked how participants had generated the all-important ``"master" password used to protect the passwords stored by their password manager. A quarter (19/81) of those using third-party password managers confessed to re-using an existing password.