The biggest problem I see for the widespread adoption of password managers is the problem of edge and corner cases.
I can teach my parents how to use one of the more user-friendly ones, like Dashlane or 1Password, and it works great much of the time.
But for some percentage of sites, for a variety of reasons, the standard steps don't work: non-standard web forms, Javascript games, browser updates, obscure password rules, just to name a few common issues. For non-technical users, these issues are blockers -- indistinguishable from show-stopping bugs from a UX standpoint.
Since using a password manager really needs to be an all-or-nothing proposition in order to get into the habit of using it 100% of the time, this means that most users will not use one.
I'm sure the commercial managers will get better at addressing some of these over time, but I do not see a product that works flawlessly 99.9% of the time emerging anytime soon.
I agree. In my opinion most password managers focus too much on delivering features that nobody really needs (most of the time at least) and far too little on user experience and polish. This is, I think, one of the reasons why so few non-technical people bother with using a password manager. I've been working on my own open source solution, which puts a clear focus on simplicity and usability[1]. I wish other companies like LastPass and 1Password would start putting more effort in making their software more accessible to non-technical users rather than trying to out-feature their competitors.
I've had success with my parents and 1Password by only teaching them an extremely limited feature set: how to create new entries, update existing entries, and to copy and paste usernames and passwords. No browser extensions, no autofill features, no URLs, no vaults, no labels, etc.
I think that almost all the friction with respect to password managers relates to autofill, how to make it work, and in particular, how to recognize when and why it's not working.
For non-technical people, this is an intractable problem. It's too much even for a lot of technical people.
It's also why I doubt password managers in their present form will ever get widespread adoption. Their best features are just too finicky. Not due to any fault on the part of the authors -- it's just that the web is a mess, things change, and this kind of thing will always break from time to time.
So, my advice is to distill password management down to its simplest essence and just teach that to non-technical people in the hopes that it will more-or-less resemble the notepad/spreadsheet method, except with a password now.
I'm speaking out of personal experience trying to get non-average users (my friends and family, some of whom work in non-technical roles at software companies) to understand and use password managers.
Most of them can't and won't invest the time just to switch to 1Password. The average person isn't going to exceed that bar by a margin that even I, a software developer, wouldn't bother with.
When something is too technical for even an average developer to bother with (because it's unnecessary, not because it's hard), it is totally hopeless for the average user.
I think it’s mostly for everyone else. I’m very successfully using a password manager. I’ve tried to talk nearly everyone I know into using one as well, and it’s really painful for them. Even for people I can help daily, their setup somehow gets complicated enough that they go back to using their default 5 letter password for new things until I fix it.
A password manager can be an extra 10 seconds of work up front in some edge cases — input not detected correctly, signing up in an app, trying to quickly get through a flow when your password manager is logged out… People just revert back to the easiest path, which is their 5 letter password they’ve already used on a billion services.
Oh, and another rough edge case is when the autogenerated password doesn’t match the password requirements. Using a disallowed symbol, too long, etc.
FWIW I'm a developer, and I think password managers are awful to code against. They don't document their expectations (to the best of my knowledge), it's hard to test because you need multiple password managers installed, plus the browser's built-in ones. I mean, even the link you shared feels more like alchemy than engineering (through no fault of the author, I might add): "do it kinda sorta like this and then hopefully it'll work most of the time!"
And it's hard to figure out why it doesn't work when it doesn't. The feedback cycle is nonexistent.
I disagree a bit with the article. The premise is that you shouldn't make login forms behave badly for password managers, and I agree with this. But at the same time, people using password managers are not necessarily the major use case for a site or some software. You should make it easiest for the largest number of people you can, and that might mean decluttering the UI and co-incidentally making it harder for password managers.
I agree that password managers are a huge win from a security perspective, but sadly I'm willing to bet they are still used by a tiny minority of people, even now they are built in to common operating systems.
I think one of the key points is how awful password managers are for non-technical people to use. It's not necessarily the developers' fault because it's difficult to interact with all the things they need to, but it makes it practically impossible to get someone to use one unless they're technical enough to be able to figure out all the random issues that come up all the time.
I'd love to be able to get some non-technical family/friends to use one, but there are just way too many times that showing someone how to use a password manager goes something like: "Okay, so now you've generated a password and you click 'Register' and... oh hold on, the page redirected for some reason and the pop-up to save the account info is gone, so, uh... well, I think there's a generated-password history page somewhere, let me just look through the Settings area even though it's not a setting... okay, there it is, so it should be this one. I'll just copy that and now I have to create a new vault entry for the site manually by typing in everything and pasting this password in there, and then..."
It's terrible, because a password manager that would just work and stay out of the way could make such a huge difference to general account security, but they all seem to still be difficult to use and require you to have a pretty good understanding of what's going on to be able to deal with random problems.
As well they should. I sometimes hate the password managers too as a web developer. I am also a 1Password user, and I hate sites that block clipboard, block pasting, block right click, basically block any kind of way I have to type even my username, not to mention annoying full size on screen keyboards that can only be used with the mouse.
I don't care about the reason they have to be so intrusive in UX, probably some malware fight and/or prevention. The fact is that if I am going to use 1Password or other password managers per site, with 25 characters long passwords with symbols and numbers, I want to be able to somehow fill that in without typing each letter. Some sites don't care about these use cases as they are trying to cover the asses of non-tech-savvy users. They must protect the password123 crowd, right? So password managers need to fight back, unfortunately.
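Both the developer complaint above (password managers don't document what they expect from a form) and the paste-blocking complaint can be turned into a concrete check. The following is an added example, not code from the thread or from the article it discusses: a small audit that scans a login form's HTML for the patterns that reliably break managers, namely paste/copy handlers that cancel the event, `autocomplete="off"` on the form or the password field, and password fields without the standard `current-password`/`new-password` hint (and no `username`/`email` hint alongside them). The two sample forms and the finding codes are constructed for illustration; the regex parser handles only simple, well-formed tags.

```javascript
// Added example (not from the thread or any cited article): audit a login
// form for patterns that break password managers.  Samples are constructed.

// Minimal attribute parser for <tagName ...> elements in an HTML string.
// Assumption: simple, well-formed markup (no nested quotes, no comments).
function parseTags(html, tagName) {
  const tags = [];
  const tagRe = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push(attrs);
  }
  return tags;
}

const CLIPBOARD_EVENTS = ['onpaste', 'oncopy', 'oncut', 'ondrop'];
const PASSWORD_HINTS = new Set(['current-password', 'new-password']);
const USERNAME_HINTS = new Set(['username', 'email']);

// Returns a list of finding codes (hypothetical names chosen for this
// example); an empty list means nothing manager-hostile was found.
function auditLoginForm(html) {
  const findings = [];
  const ac = (el) => (el.autocomplete || '').trim().toLowerCase();

  for (const form of parseTags(html, 'form')) {
    if (ac(form) === 'off') findings.push('form-autocomplete-off');
  }

  const inputs = parseTags(html, 'input');
  let hasPassword = false;
  let hasUsernameHint = false;
  for (const el of inputs) {
    const type = (el.type || 'text').toLowerCase();
    const name = el.name || el.id || '(unnamed)';

    // Inline handlers that cancel clipboard events block pasting a
    // generated password, which is exactly what the thread complains about.
    for (const ev of CLIPBOARD_EVENTS) {
      if (ev in el && /return\s+false|preventDefault/.test(el[ev])) {
        findings.push(`${name}:${ev}-blocked`);
      }
    }

    if (type === 'password') {
      hasPassword = true;
      if (ac(el) === 'off') findings.push(`${name}:autocomplete-off`);
      else if (!PASSWORD_HINTS.has(ac(el))) findings.push(`${name}:missing-password-hint`);
    } else if (USERNAME_HINTS.has(ac(el))) {
      hasUsernameHint = true;
    }
  }
  if (hasPassword && !hasUsernameHint) findings.push('missing-username-hint');
  return findings;
}

// Constructed sample: the kind of form the thread complains about.
const HOSTILE_FORM = `
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="user" onpaste="return false" autocomplete="off">
  <input type="password" name="pass" onpaste="return false" oncopy="return false">
  <input type="hidden" name="csrf" value="abc123">
</form>`;

// Constructed sample: the same login rewritten with the standard hints.
const FRIENDLY_FORM = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="hidden" name="csrf" value="abc123">
</form>`;

console.log('hostile :', auditLoginForm(HOSTILE_FORM));
console.log('friendly:', auditLoginForm(FRIENDLY_FORM));
```

The hostile sample yields six findings (form-level autocomplete off, three blocked clipboard handlers, a password field without a hint, and no username hint); the friendly sample yields none. Running a check like this in a front-end test suite is one way to get the missing feedback cycle without installing several managers.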
I agree with your assessment of why traditional password managers have flaws, but I disagree with your conclusion.
Security has always been a balance between usability and safety, and when you set security policy, you always do it in the context of who is using it and their needs.
Integrating the password manager into the browser makes a lot of things easier as an end user. If I told my parents/grandparents and non-programmer friends to use something like DBG or Password Safe, they would just go back to guessable and reused passwords. Given the choice, I would rather have them use a browser based password manager.
If we're really talking about how to move the needle on protecting logins, I would rather push FIDO/U2F. Keeping a cryptographic second factor on your keychain, phone, or computer carries more added safety at a lower usability cost.
It's inconvenient. That's the primary reason why it won't gain mass adoption since any obstacle to your service will lower the registration / engagement metrics.
With password managers built into all modern browsers, casual users (which, let's be honest here, are by far the most of the web users) do not have to worry about typing passwords. Security be damned. If it is not invisible to the user, they will reject it.
On the other hand, having as many users as possible use any password manager at all is an immense challenge as-is. It really doesn't matter what gets them using one as long as they do. If an OS-native one happens to have the lowest friction, so be it.
For everyone else, sure, there might be 100 people in the world that will actually audit their open source password managers. But that isn't exactly moving the rest of the industry forward (be it from the engineering perspective or the user perspective).
In this case, (almost) perfect is the enemy of good.
I am all for using a better password manager. In fact, with PfP: Pain-free Passwords I developed one myself - and I invested much thought into making sure the master password cannot realistically be guessed unless it is absolutely trivial. However, most people will go with whatever is built in. So no excuses for browser makers to offer something that has been known to be very suboptimal for at least nine years.
Furthermore many sites make it difficult to use a password manager because it's hard to block automated password guessers and not interfere with password managers trying to enter passwords.
Password managers are growing, but I'm not sure that 'most' people use them. Maybe 'most' software engineers or techies, but the average person probably has no idea what a password manager is.
That's my solution, but I've been unable to convince others to do the same. It's too complicated, they get confused, it doesn't work automagically enough. Whatever the reason, I have never successfully converted someone non-technical to using a password manager.
Very valid points, some of them are already addressed in the post.
Password managers do solve A problem, but I'm not sure they solve THE problem. They're great when you have a browser extension, but leaving the app, entering another app, and then copying and pasting on mobile is difficult.
There's also a trust issue with giving all your credentials to one app.
The biggest problem that password managers haven't solved yet, is adoption.
LastPass has 4 million Chrome installs. It has 1-5M Android downloads.
That's still a drop in the ocean compared to how many users are out there.