The biggest problem I see for the widespread adoption of password managers is the problem of edge and corner cases.
I can teach my parents how to use one of the more user-friendly ones, like Dashlane or 1Password, and it works great much of the time.
But for some percentage of sites, for a variety of reasons, the standard steps don't work: non-standard web forms, Javascript games, browser updates, obscure password rules, just to name a few common issues. For non-technical users, these issues are blockers -- indistinguishable from show-stopping bugs from a UX standpoint.
Since using a password manager really needs to be an all-or-nothing proposition in order to get into the habit of using it 100% of the time, this means that most users will not use one.
I'm sure the commercial managers will get better at addressing some of these over time, but I do not see a product that works flawlessly 99.9% of the time emerging anytime soon.
I think your barrier for dismissal is way too high. Simultaneously, the more popular a password manager / autofill is the more it gets tested as part of a QA or best practices process.
Anecdote: I was doing my periodic visit with my grandmother, where I tend to any overdue computer/software maintenance, resolve any questions she has, install new things if needed (i.e. someone got her a printer which she likes to use for printing photos, but it was still in the box.)
As we were going through some things, she didn't know her password for everything; she had a notebook, but it wasn't organized enough. Eventually we figured out or reset each password as needed. (She only has a few total!)
Part of me wanted to utilize a password manager; after all we could use some proper long, randomly generated ones! But I was there on the fence of... what happens when she's stuck and I'm not sitting next to her to help?
To be sure, I have about a billion online accounts. I use unique email addresses and passwords (and a password manager) so I don't really hesitate to create accounts that aren't asking me for any real information about me. And along with that, I come upon the edge cases where if you're using Firefox for Android and Bitwarden, the web site somehow goes out of its way to ensure that I will end up having to type in a super complex password (or close my browser tab and walk away). My grandmother almost certainly won't hit those same edge cases. She's got email and one social media account and that's just about it. And she'll need to write down that one mega password for the password manager, and learn some new things.
So I'm not sure if it's right for her. Definitely a consideration, though, and to your point, sometimes I get angry and wish there were consequences for the companies that work so hard to break things like password managers on their web sites and in their software!
For a lot of users, a notebook next to the computer really is the best password manager possible. Someone physically stealing it really isn't the threat model we're worried about, and for the frequency of logging into things, it's not a big deal to have to copy out of a book. Make the passwords memorable phrases ("correct horse battery staple") etc. to make them easy to type in.
> Make the passwords memorable phrases ("correct horse battery staple") etc. to make them easy to type in.
(Insert obligatory XKCD on relative complexity)
... Gee, it sure would be nice if all sites simply allowed long-length passwords without bizarre, mutually-incompatible special character requirements.
At least the 2017 updated NIST guidelines swung back sane (fewer complexity requirements, 64-character maximum). So in... a couple of decades we'll be able to reliably use long passwords.
An edge case I come across quite a lot: entering a long, random password into a new device (where copy-paste is never available).
I just got a new TV and wanted to sign into my Amazon Prime account. Unfortunately for me, that meant I had to enter my 32-character numbers/lowercase/uppercase/symbols Amazon password using the TV remote. I did not get it the first time.
A few months ago I got a new iPhone. They wanted me to type in my iCloud password so that all my settings and data could transfer automatically to the new phone. Similar results.
XKPasswd[0] is a nice tool to create easy to type and strong passwords. I set my own config with a structure that is specifically easy to type on phone keyboards but still has high entropy.
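An added illustration of the trade-off the post above describes (example code written for this thread, not XKPasswd's own implementation): a structure-based generator for passphrases that are fast to type on a phone or TV-remote keyboard, plus the entropy arithmetic that lets you compare such a structure against a long random-character password. The word list is a constructed stand-in; a real list has thousands of entries, and the entropy figure is computed from whatever list length you pass in.

```python
import math
import re
import secrets

# Constructed stand-in for a real word list (Diceware-style lists have 7776 entries).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "candle", "orbit", "maple"]


def random_chars_bits(length, alphabet_size):
    """Entropy of a uniformly random character password, e.g. 32 chars over 94 printable symbols."""
    return length * math.log2(alphabet_size)


def structure_bits(num_words, dict_size, num_digits, num_separators):
    """Entropy of a passphrase built as N words + D digits joined by one separator drawn from a set.

    Assumes every component is chosen uniformly and independently with a CSPRNG.
    Deterministic capitalisation (e.g. always the first word) adds nothing, so it is not counted.
    """
    return (num_words * math.log2(dict_size)
            + num_digits * math.log2(10)
            + math.log2(num_separators))


def generate_passphrase(words, num_words=4, num_digits=2, separators="-."):
    """Lowercase words joined by a single separator with a digit block at the end.

    No mixed case and no symbols beyond the separator is what keeps this quick to enter
    on a phone keyboard or with a TV remote; the word count is where the entropy comes from.
    """
    sep = secrets.choice(separators)
    parts = [secrets.choice(words) for _ in range(num_words)]
    digits = "".join(str(secrets.randbelow(10)) for _ in range(num_digits))
    return sep.join(parts + [digits])


def matches_structure(passphrase, words, num_words, num_digits, separators):
    """Sanity check that a generated passphrase follows the declared structure."""
    for sep in separators:
        parts = passphrase.split(sep)
        if (len(parts) == num_words + 1
                and all(p in words for p in parts[:-1])
                and re.fullmatch(r"\d{%d}" % num_digits, parts[-1])):
            return True
    return False


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"4 words from 7776 + 2 digits: {structure_bits(4, 7776, 2, 2):.1f} bits")
    print(f"32 random printable chars:    {random_chars_bits(32, 94):.1f} bits")
```

Four Diceware words plus two digits land near 59 bits, which is far below a 32-character random password (about 210 bits) but well beyond what a human will type reliably into a TV; adding a fifth word buys roughly 13 bits for one more easily typed token.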
New iPhones don't always make you enter in your password right away. If you have your older phone or iPad nearby you can use it to set up.
I agree though, it's pretty bad once you hit those edge cases.
One nice thing with Apple TV or an Android box is you can typically use your phone as a remote keyboard for inputs and have access to the password manager from there. Works pretty decently with the Apple Remote app.
This case works well with iOS' built-in Apple TV remote, at least with 1Password. Any text field selected on the ATV brings up a keyboard on the iPhone, and if it's a password field 1Password works as it normally would for any other phone app.
This is why WebAuthn is a better solution long-term. It won't work with all sites initially, but the sites it does work with will work consistently, with a dead simple user experience. No obscure password rules or edge cases where some part of the usual workflow is broken; everything just works.
All we need now is a couple of viable first-factor implementations in browsers and major sites, and WebAuthn can start to take over. It's really, really unfortunate that WebAuthn has been a W3C recommendation for almost a year now and yet no major browsers have integrated WebAuthn into their credential sync system so it can actually start to be used as a password alternative.
Agreed. You use a physical key to unlock your front door, your car, and your bank account. Why not use the same safety model for email and other online websites?
I've avoided any sort of autofilling stuff, I just use keepassxc and launch it when creating or checking a password. It's still a huge improvement over any past workflows. Even aside from being a password list, it's also an account list, something I think I've always wanted.
I've met people who just have a local spreadsheet they keep passwords in, because they've used Microsoft Office for years but haven't been tempted to try a proper password manager yet. If only they knew how similarly simple it could be.