Studying the Impact of Managers on Password Strength and Reuse
This addresses the security problem for online service users by providing empirical evidence on password manager efficacy, though it is incremental as it builds on prior work with new data collection methods.
The study conducted the first large-scale investigation into how password managers affect real-life password strength and reuse, finding that they generally improve both metrics but their effectiveness varies with user strategies and can worsen issues if lacking password generators.
Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically. In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.