skip to main content
10.1145/3576915.3623150acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article
Public Access

"I just stopped using one and started using the other": Motivations, Techniques, and Challenges When Switching Password Managers

Published: 21 November 2023 Publication History

Abstract

This paper explores what motivates password manager (PM) users in the US to switch from one PM to another, the techniques they employ when switching, and challenges they encounter throughout. Through a screener (n = 412) followed by a main survey (n = 54), we find that browser-based PMs are the most widely used, with most of these users motivated to use the PM due to convenience. Unfortunately, password reuse remains high. Most participants that switch PMs do so for usability reasons, but are also motivated by cost, as third-party PMs' full suite of features often require a subscription fee. Some PM-switchers are also motivated by recent security breaches, such as what was reported at LastPass in the Fall of 2022, with some participants losing trust in LastPass and PMs generally as a result. Those that switch mostly employ manual techniques of moving their passwords, e.g., copying and pasting their credentials from their previous to their new PM, despite most PMs offering ways to automatically transfer credentials in bulk across PMs. Assistance during the switching process is limited, with less than half of participants that switched receiving guidance during the switching process. From these findings, we make recommendations to PMs that can improve their overall user experience and use, including eliciting and acting on regular feedback from users as well as making PM settings more easily reachable and customizable by end-users.

References

[1]
Nora Alkaldi and Karen Renaud. 2016. Why do people adopt, or reject, smartphone password managers?. In Proc. EuroUSEC.
[2]
Nora Alkaldi and Karen Renaud. 2019. Encouraging Password Manager Adoption by Meeting Adopter Self-Determination Needs. In Proc. HICSS.
[3]
Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J Atallah, and Eugene H Spafford. 2015. ErsatzPasswords: Ending Password Cracking and Detecting Password Leakage. In Proc. ACSAC.
[4]
Fahad Alodhyani, George Theodorakopoulos, and Philipp Reinecke. 2020. Password Managers-It's All about Trust and Transparency. Future Internet, Vol. 12, 11 (2020), 189.
[5]
Sabrina Amft, Sandra Höltervennhoff, Nicolas Huaman, Yasemin Acar, and Sascha Fahl. 2023. "Would You Give the Same Priority to the Bank and a Game? I Do Not!" Exploring Credential Management Strategies and Obstacles during Password Manager Setup. In Proc. SOUPS.
[6]
J. Craig Anderson. 2013. Identity theft growing, costly to victims. https://www.usatoday.com/story/money/personalfinance/2013/04/14/identity-theft-growing/2082179/.
[7]
Salvatore Aurigemma, Thomas Mattson, and Lori Leonard. 2017. So much promise, so little use: What is stopping home end-users from using password manager applications?. In Proc. HICSS.
[8]
Salvatore Aurigemma, Thomas Mattson, and Lori Leonard. 2019. Evaluating the Core and Full Protection Motivation Theory Nomologies for the Voluntary Adoption of Password Manager Applications. AIS Transactions on Replication Research, Vol. 5, 3 (2019), 1--21.
[9]
Hristo Bojinov, Elie Bursztein, Xavier Boyen, and Dan Boneh. 2010. Kamouflage: Loss-Resistant Password Management. In Proc. EuroUSEC.
[10]
Joseph Bonneau, Cormac Herley, Paul C van Oorschot, and Frank Stajano. 2012. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proc IEEE S&P.
[11]
Alan S Brown, Elisabeth Bracken, Sandy Zoccoli, and King Douglas. 2004. Generating and remembering passwords. Applied Cognitive Psychology, Vol. 18, 6 (2004), 641--651.
[12]
Rahul Chatterjee, Joseph Bonneau, Ari Juels, and Thomas Ristenpart. 2015. Cracking-resistant password vaults using natural language encoders. In Proc IEEE S&P.
[13]
Sunil Chaudhary, Tiina Schafeitel-Tähtinen, Marko Helenius, and Eleni Berki. 2019a. Usability and Security in Password Managers: A Quest for User-Centric Properties and Features. Computer Science Review, Vol. 33 (2019), 69--90.
[14]
Sunil Chaudhary, Tiina Schafeitel-Tähtinen, Marko Helenius, and Eleni Berki. 2019b. Usability and Security in Password Managers: A Quest for User-Centric Properties and Features. Computer Science Review, Vol. 33 (2019), 69--90.
[15]
Sonia Chiasson, Paul C van Oorschot, and Robert Biddle. 2006. A Usability Study and Critique of Two Password Managers. In Proc. SOUPS.
[16]
Mark Ciampa. 2013. A Comparison of User Preferences for Browser Password Managers. Journal of Applied Security Research, Vol. 8, 4 (2013), 455--466.
[17]
Jessica Colnago, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Cranor, and Nicolas Christin. 2018. ?It's not actually that horrible": Exploring Adoption of Two-Factor Authentication at a University. In Proc. CHI.
[18]
Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and XiaoFeng Wang. 2014. The Tangled Web of Password Reuse. In Proc. NDSS.
[19]
Michael Fagan, Yusuf Albayram, Mohammad Maifi Hasan Khan, and Ross Buck. 2017. An investigation into users' considerations towards using password managers. Human-centric Computing and Information Sciences, Vol. 7, 1 (2017), 12.
[20]
Dinei Florêncio and Cormac Herley. 2007. A large-scale study of web password habits. In Proc. WWW.
[21]
Anuj Gautam, Shan Lalani, and Scott Ruoti. 2022. Improving Password Generation Through the Design of a Password Composition Policy Description Language. In Proc. SOUPS.
[22]
Maximilian Golla, Benedict Beuscher, and Markus Dürmuth. 2016. On the Security of Cracking-Resistant Password Vaults. In Proc. CCS.
[23]
Ameya Hanamsagar, Simon S Woo, Chris Kanich, and Jelena Mirkovic. 2018. Leveraging Semantic Transformation to Investigate Password Habits and Their Causes. In Proc. CHI.
[24]
N. Huaman, S. Amft, M. Oltrogge, Y. Acar, and S. Fahl. 2021. They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites. In Proc. IEEE S&P.
[25]
Identity Theft Resource Center. 2021. 2021 Consumer Aftermath Report: How Identity Crimes Impact Victims, Their Families, Friends, and Workplaces. Technical Report. Identity Theft Resource Center. https://www.idtheftcenter.org/event/2021-consumer-aftermath-report/
[26]
Iulia Ion, Rob Reeder, and Sunny Consolvo. 2015. "...No one Can Hack My Mind": Comparing Expert and Non-Expert Security Practices. In Proc. SOUPS.
[27]
Blake Ives, Kenneth R Walsh, and Helmut Schneider. 2004. The domino effect of password reuse. Commun. ACM, Vol. 47, 4 (2004), 75--78.
[28]
Ari Juels and Thomas Ristenpart. 2014. Honey Encryption: Security Beyond the Brute-Force Bound. In Proc. EUROCRYPT.
[29]
Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song. 2014. The Emperor's New Password Manager: Security Analysis of Web-based Password Managers. In Proc. USENIX Security.
[30]
Sanam Ghorbani Lyastani, Michael Schilling, Sascha Fahl, Michael Backes, and Sven Bugiel. 2018. Better managed than memorized? Studying the Impact of Managers on Password Strength and Reuse. In Proc. USENIX Security.
[31]
Raymond Maclean and Jacques Ophoff. 2018. Determining Key Factors that Lead to the Adoption of Password Managers. In Proc. ICONIC.
[32]
Peter Mayer, Collins W. Munyendo, Michelle L. Mazurek, and Adam J. Aviv. 2022. Why Users (Don't) Use Password Managers at a Large Educational Institution. In Proc. USENIX Security.
[33]
Peter Mayer, Yixin Zou, Byron M. Lowens, Hunter A. Dyer, Khue Le, Florian Schaub, and Adam J. Aviv. 2023. Awareness, Intention, (In)Action: Individuals' Reactions to Data Breaches. ACM Trans. Comput.-Hum. Interact. (2023).
[34]
Peter Mayer, Yixin Zou, Florian Schaub, and Adam J. Aviv. 2021. "Now I'm a bit angry:" Individuals Awareness, Perception, and Responses to Data Breaches that Affected Them. In Proc. USENIX Security.
[35]
Daniel McCarney, David Barrera, Jeremy Clark, Sonia Chiasson, and Paul C van Oorschot. 2012. Tapas: design, implementation, and usability evaluation of a password manager. In Proc. ACSAC.
[36]
Alexandra Nisenoff, Maximilian Golla, Miranda Wei, Juliette Hainline, Hayley Szymanek, Annika Braun, Annika Hildebrandt, Blair Christensen, David Langenberg, and Blase Ur. 2023. A Two-Decade Retrospective Analysis of a University's Vulnerability to Attacks Exploiting Reused Passwords. In Proc. USENIX Security.
[37]
Sean Oesch and Scott Ruoti. 2020. That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers. In Proc. USENIX Security.
[38]
Sean Oesch, Scott Ruoti, James Simmons, and Anuj Gautam. 2022. ?It Basically Started Using Me:" An Observational Study of Password Manager Usage. In Proc. CHI.
[39]
Sarah Pearman, Shikun Aerin Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2019. Why people (don't) use password managers effectively. In Proc. SOUPS.
[40]
Hirak Ray, Flynn Wolf, Ravi Kuber, and Adam J. Aviv. 2021. Why Older Adults (Don't) Use Password Managers. In Proc. USENIX Security.
[41]
Johnny Saldaña. 2013. The coding manual for qualitative researchers 2nd ed.). SAGE, Los Angeles. OCLC: ocn796279115.
[42]
Sunyoung Seiler-Hwang, Patricia Arias-Cabarcos, Andres Marín, Florina Almenares, Daniel Diaz-Sanchez, and Christian Becker. 2019. "I Don't See Why I Would Ever Want to Use It": Analyzing the Usability of Popular Smartphone Password Managers. In Proc. CCS.
[43]
Frank Stajano, Max Spencer, Graeme Jenkinson, and Quentin Stafford-Fraser. 2015. Password-Manager Friendly (PMF): Semantic Annotations to Improve the Effectiveness of Password Managers. In Proc. PASSWORD.
[44]
Elizabeth Stobert and Robert Biddle. 2018. The Password Life Cycle. ACM Transactions on Privacy and Security (TOPS), Vol. 21, 3 (2018), 32 pages.
[45]
David R. Thomas. 2006. A General Inductive Approach for Analyzing Qualitative Evaluation Data. American Journal of Evaluation, Vol. 27, 2 (Jan. 2006), 237--246.
[46]
Karim Toubba. 2022. https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/.
[47]
Xiaoyuan Wu, Collins W. Munyendo, Eddie Cosic, Genevieve A. Flynn, Olivia Legault, and Adam J. Aviv. 2022. User Perceptions of Five-Word Passwords. In Proc. ACSAC.
[48]
Samira Zibaei, Amirali Salehi-Abari, and Julie Thorpe. 2023. Dissecting Nudges in Password Managers: Simple Defaults are Powerful. In Proc. SOUPS.

Cited By

View all
  • (2024)An Analysis of Password Managers’ Password Checkup ToolsExtended Abstracts of the CHI Conference on Human Factors in Computing Systems10.1145/3613905.3650741(1-7)Online publication date: 11-May-2024
  • (2024)Selection of Machine Learning Methods for Keylogger Detection Based on Network Activity2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS)10.1109/COMSNETS59351.2024.10427503(19-24)Online publication date: 3-Jan-2024
  • (2024)User AuthenticationCybersecurity10.1007/978-3-031-68483-8_8(165-189)Online publication date: 29-Nov-2024

Index Terms

  1. "I just stopped using one and started using the other": Motivations, Techniques, and Challenges When Switching Password Managers

      Recommendations

      Comments

      Information & Contributors

      Information

      Published In

      cover image ACM Conferences
      CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
      November 2023
      3722 pages
      ISBN:9798400700507
      DOI:10.1145/3576915
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Sponsors

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 21 November 2023

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. authentication
      2. password managers
      3. passwords
      4. privacy
      5. security

      Qualifiers

      • Research-article

      Funding Sources

      Conference

      CCS '23
      Sponsor:

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Upcoming Conference

      CCS '25

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)316
      • Downloads (Last 6 weeks)60
      Reflects downloads up to 30 Jan 2025

      Other Metrics

      Citations

      Cited By

      View all
      • (2024)An Analysis of Password Managers’ Password Checkup ToolsExtended Abstracts of the CHI Conference on Human Factors in Computing Systems10.1145/3613905.3650741(1-7)Online publication date: 11-May-2024
      • (2024)Selection of Machine Learning Methods for Keylogger Detection Based on Network Activity2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS)10.1109/COMSNETS59351.2024.10427503(19-24)Online publication date: 3-Jan-2024
      • (2024)User AuthenticationCybersecurity10.1007/978-3-031-68483-8_8(165-189)Online publication date: 29-Nov-2024

      View Options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Login options

      Figures

      Tables

      Media

      Share

      Share

      Share this Publication link

      Share on social media