Password Managers:
Attitudes & Adoption
Olger Hoxha
Professor Ramakrishna Ayyagari
University of Massachusetts Boston
May 2016
1. Introduction
As society continues to become more globalized, the importance of data and
information increases as well. In the modern world, people are carrying out banking
transactions on their phones, posting about their day on social media, and purchasing
goods online more and more every day. With this surplus of information, there is also a
growing need to secure these transactions. Secure authentication techniques and unique
IDs are vital to the integrity of the information posted and transacted online. In this
information age, hackers are improving their methods of intrusion, forcing authentication
experts to discover and create numerous ways to authenticate users through various
platforms.
Text-based passwords, RFID tokens¹, and biometrics are just a few of the
different ways that users can authenticate themselves. Although some of these methods
are more secure than others, when a cost-benefit analysis is run, the added user effort
causes them to fail tragically compared to text-based passwords [2]. In theory, text-based
passwords do a fantastic job of securely authenticating a user. For example, a relatively
simple password such as “Apple123$” would take around 2.03 hundred thousand
centuries to brute-force, assuming 1 thousand guesses a second; or 1.77 hours
assuming 1 trillion guesses a second. Simply repeating the password to form
“Apple123$Apple123$” would cause the time to rise to around 1.28 hundred billion
trillion centuries, or 1.28 trillion centuries, respectively [6]. A complex password
consisting of upper and lowercase characters, numbers, and symbols is virtually
impossible to hack into, especially if 12 characters or more. According to the same
calculator, 10 characters would take a week, 11 characters would take 1.83 years, and 12
characters would take 1.74 centuries, assuming 1 trillion guesses a second [6].
¹ RFID, Radio-frequency identification, is a technology in which a device is used to
identify someone or something nearby, wirelessly.
As great as text-based passwords are in theory, in practice they can definitely
prove to be insecure. The reason is that users tend to create simple and easy-to-guess
passwords. According to a study, 62% of users created passwords of 10 characters
or less [1]. Although 10 characters may seem like a lot, according to the Brute Force
calculator such a password would take 1 week to crack assuming 1 trillion guesses a second [6]. In a
famous example, RockYou, a company developing widgets and games for social media
websites such as Facebook or Myspace, had been storing users’ account information in
plain text format in a database. This turned into a catastrophe in 2009 when the RockYou
database was hacked and the company’s 32 million user accounts were released to the
public. Since then, researchers have analyzed the passwords to discover a very interesting
statistic: the top 10,000 most common passwords make up 22% of all passwords on the
site [7]. That means that it would take a hacker, according to the haystack calculator, 10
seconds to go through that list on an online database, and they would have a 22% chance
of getting a hit on a random account; a 1 in 5 chance of opening an account, easily
resulting in 1 unlocked account each minute. Users are the weakest link in the
authentication chain, but it doesn’t just stop there.
Of course, a user could easily add an extra character or two to that
password, which would add a whole new level of security; however, if a data breach
similar to the one at RockYou occurred, the user would still be greatly affected. In
theory this should not be the case, as one password being exposed in a website should not
be worrying users about the potential problems in another website. Security professionals
and researchers constantly try to educate the public about the benefits of having unique
passwords for each account and each website. But do they listen? It’s very obvious that
the answer is a resounding “No.” Studies show that more than 80% of users tend to reuse
passwords in multiple places [1]. This opens them up to serious security vulnerabilities; if
their password were to be hacked on one website, many of their other accounts could be
vulnerable to an intruder as well. A study by researchers at Microsoft tells us that users
had 25 accounts on average in 2007 [4]. Almost 9 years later, this number has almost
definitely increased, which essentially means that the task of creating and memorizing
25+ completely different passwords, each with 10-14 characters or more, is daunting, if
not simply impossible, for the average user. As password breaches become more and
more common, security experts are continually increasing their recommendations for the
number of characters and complexity of passwords. However, these requirements are too
high for the public, and users subsequently tend to fall short. With these increasing
requirements, an older technology is becoming relevant again to bridge the gap between
recommendations and actual usage: password managers.
2. Password Managers
A password manager is “software for storing all our passwords in one location
that is protected and accessible with one easy-to-remember master passphrase” [3].
Additionally, the software is able to generate passwords based on criteria that one desires,
i.e. uppercase character, lowercase character, number, symbol, and minimum or
maximum length. The main purpose of the software is to keep all of your secure
passwords in an encrypted database, either online or on your computer, that can only be
accessed with the master passphrase. This frees users from having to remember 25
different passwords; they would only need to remember 1 complex password. A
recommendation would be at least a 12-character alphanumeric password with a symbol.
According to the Brute Force calculator, that would take a supercomputer 1.74 centuries
to crack [6], which, from a security standpoint, is more than adequate for the purposes of
daily use.
2.1. Browser-based
There are three types of password managers; although mainly the same design,
their slight variances add major degrees of usability for users. The main type that users
might have come across is browser-based password management. For the past few years,
browsers have started “remembering” passwords; some even offer to generate a password
for the user. After entering a username or a password on almost any website, a popup
asks if you’d like to save this account and password for future use, see Figure 1 for an
example. After saying yes, the next time one tries to log into the site, the username and
password will already have been entered in for you. This type of password management
is high on the usability scale because it makes authentication seamless. Most times, you
can just click on a website, and you are already logged in, no need to click authenticate at
all. On the other hand, this fails the security requirement. The database is essentially wide
open. If someone were able to steal a user’s laptop, all of that user’s accounts would be
completely vulnerable. Although the thief might not be able to see the passwords,
depending on the browser, they would have full access to the user’s accounts because
there is no security check or authentication required before the password is populated
automatically. However, on some password managers, there is no additional security
check before showing all of the passwords in plain text; this is a serious security concern.
2.2. Desktop-Based (KeePass)
Another type of password management is desktop-based software. This type of
system is generally “hidden” in the taskbar or menu bar of the computer. If a user comes
across a website requiring authentication, they would open the program on the taskbar,
enter their complex password, and be shown a list of all of their passwords. They can
then search for the website, and copy and paste their username and password to their
browser. This type of password management has a medium level of usability. It requires
users to have to open a separate application and enter a complex password in order to find
their password for that website, which could add 10-15 seconds to authenticate the
account, which easily adds up considering users are likely logging in 7-10+ times a day. In
addition, it requires users to be on the original computer to actually access the passwords,
making it impossible to access accounts if on a different computer. On the other hand,
this type of software is high on the security scale because all of the passwords are
encrypted, and even if someone were to steal the computer, they would not be able to
access the database, if the master passphrase is complex enough. As an example, let’s
look at a popular free, open source option, KeePass.
When you first open up the program, it will require the master passphrase, see
Figure 3. After entering in the correct master passphrase, the user is shown the main
menu of the program, see Figure 4. On the left side of the program is a database with
different groups and folders for the corresponding accounts. A Facebook or Twitter
account could go into a folder called “Social Media”, and Bank of America could go into
a folder called “Banking,” to make the user experience easier. In the middle of the screen
is the list of username and password entries. The password is not shown even after
arriving at this screen, and instead, only the copy function for the password is allowed.
This adds an additional level of security against a possible “shoulder surfer.”
The new entry page has a number of features geared towards security, see Figure
5. In the middle of the screen is a loading bar, notifying the user of the level of security of
their password. The lower the quality, the easier the password is to hack or possibly
guess. This could help users understand what a strong password actually entails. In
addition, it might be a wake-up call for some users who believed that their password was
“good enough” only to find out it’s actually a very weak password. Furthermore, on the
right side of the password field are buttons that lead to the built-in password generator,
see Figure 6. This allows the user to dictate the necessary requirements for a password,
and the program will generate the strongest password possible within those requirements.
The user no longer has to worry about whether a password is strong enough, because the
program will take care of that step. Since there is no longer a need to remember
passwords, other than the master password, the generated passwords can be 30+ characters
long without an issue, creating the most secure passwords possible.
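To make the generator and quality bar described above concrete, here is an added example (not KeePass code and not part of the original paper) that builds a password from user-selected character classes and gives a rough charset-based strength estimate. The function names, class names and the estimate formula are this example's own assumptions; KeePass's real quality estimation is more elaborate.

```python
import math
import secrets
import string

# Character classes a user can switch on or off (names are this example's own).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def generate_password(length=30, classes=("upper", "lower", "digit", "symbol")):
    """Return a random password with at least one character of each requested class."""
    classes = list(dict.fromkeys(classes))  # drop duplicates, keep order
    if not classes:
        raise ValueError("select at least one character class")
    unknown = set(classes) - set(CLASSES)
    if unknown:
        raise ValueError(f"unknown character classes: {sorted(unknown)}")
    if length < len(classes):
        raise ValueError("length is too short to include every requested class")

    pool = "".join(CLASSES[name] for name in classes)
    # One guaranteed character per class, the rest drawn from the whole pool.
    chars = [secrets.choice(CLASSES[name]) for name in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def estimate_bits(password):
    """Rough upper bound on strength: length * log2(size of the classes in use).

    This estimate only looks at which character classes appear. It ignores
    dictionary words, repetition and keyboard patterns, so it overstates the
    strength of passwords chosen by people rather than by a generator.
    """
    pool_size = sum(
        len(chars) for chars in CLASSES.values()
        if any(c in chars for c in password)
    )
    return len(password) * math.log2(pool_size) if pool_size else 0.0


if __name__ == "__main__":
    # Constructed sample inputs: one human-style password, one generated one.
    for candidate in ("password", "Apple123$", generate_password(30)):
        print(f"{candidate!r}: ~{estimate_bits(candidate):.0f} bits")
```

Because the generated password never has to be memorized, the length parameter can be raised freely; the estimate for a 30-character password over all four classes is well above anything a user would type from memory.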
Figure 1: Do you want to remember this password in Internet Explorer
Source: https://blogs.msdn.microsoft.com/ieinternals/2009/09/10/why-wont-ie-remember-my-login-info/
Figure 2: Stored User Names and Passwords in Windows & Internet Explorer
Source: http://www.howtogeek.com/howto/windows-vista/create-a-shortcut-to-the-stored-user-names-and-passwords-dialog-in-windows/
Figure 3: Entering the Master Password in KeePass
Source: http://keepass.info/screenshots.html
Figure 4: KeePass’ Main Program Window
Source: http://keepass.info/screenshots.html
2.3. Cloud-based
The last type of password management system is cloud-based. It is very
similar to desktop-based systems; however, as the name implies, the databases are stored
on the “cloud,” in other words, remote third-party servers. Generally, these databases are
accessible through a website. As with desktop-based systems, a single complex master
password is required to gain access to the database. An added functional piece is the
accessibility of the passwords through mobile devices.
As an example, Figure 7 has screenshots of an online advertisement for
1Password, a popular cloud-based password manager. The first screenshot shows the
consolidation of all of the accounts into one list or vault. The next screenshot
demonstrates how the interface is built into the web browser, and after entering the
master passphrase, the user is shown that the iCloud information is available.
Additionally, similar to KeePass, a password generator is available directly on the
browser. The last screenshot is the program, 1Password, operating on a mobile device,
alluding to the cloud functionality, and added usability in terms of portability.
Of course, 1Password is not the only cloud-based password manager in existence
that offers mobile apps. LastPass, for example, has been downloaded between 1,000,000
and 5,000,000 times on the Google Play store, and as of May 17, 2016, has been rated an
average of 4.6/5.0 based on 74,329 reviews [8]. This not only maintains the high level of
security required for proper password management, but it also achieves a higher level of
usability compared to desktop-based managers by allowing users to access passwords on
their phone, or through a quick website if they are on a different computer.
With all of these added security measures and features, one wonders how these
types of password managers fare in terms of usability and real-life scenarios.
Interestingly, there have been only 2 prior papers with a usability study regarding
password managers, the first by Chiasson et al. [9], and the second by Karole et al. [10].
The first was a usability study of two desktop-browser password managers, PwdHash
and Password Multiplier. These password managers are different from the typical
managers we described earlier; instead of essentially acting as a vault, they are
browser add-ons that hash² passwords based on the website they are being used on. The
user would enter their normal password, any word or phrase they want, and based on the
website, the add-on would map the phrase into a stronger password. The hash would make the
password more secure by adding extra characters and special characters. This seems like
a fantastic way to easily add an additional level of security; however, their
results say otherwise.
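The site-specific mapping described above can be sketched as follows. This is an added example, not code from the paper, and it is not the algorithm used by PwdHash or Password Multiplier: it assumes PBKDF2-HMAC-SHA256 with the site name as salt, a simplified host normalization, and `.example` domains constructed for illustration.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Every derived password gets one character from each of these classes.
REQUIRED_CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)


def normalize_site(host):
    """Map spellings of the same host to one salt (simplified: real tools
    reduce the host to its registrable domain)."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("site must not be empty")
    return host


def derive_site_password(phrase, site, length=16, iterations=200_000):
    """Deterministically map (phrase, site) to a mixed-class password.

    The site only ever receives the derived value, so a breach at one site
    does not reveal a password that works at another. A weak phrase can still
    be guessed offline from a leaked derived password; the iteration count
    only slows that down.
    """
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length is too short to include every character class")
    salt = normalize_site(site).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt,
                              iterations, dklen=64)
    # Treat the 512-bit output as one big integer and peel off digits, which
    # avoids the bias of mapping single bytes onto a 94-character alphabet.
    n = int.from_bytes(raw, "big")
    chars = []
    for cls in REQUIRED_CLASSES:  # one guaranteed character per class
        n, idx = divmod(n, len(cls))
        chars.append(cls[idx])
    while len(chars) < length:  # remaining characters from the full alphabet
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    # Rotate so the guaranteed characters do not always sit at the front.
    n, shift = divmod(n, length)
    return "".join(chars[shift:] + chars[:shift])


if __name__ == "__main__":
    # Constructed inputs: the same phrase used on two different sites.
    for site in ("social.example", "bank.example"):
        print(site, derive_site_password("Apple", site))
```

The same phrase and site always yield the same password, so nothing is stored; this is also why the study's finding matters, since a user who types the phrase without the add-on active sends the raw phrase instead.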
The majority of participants had trouble using the software. At times, they thought
they had correctly used it when, in reality, they had not activated the hash mechanism, or
had only activated it once and assumed that all future passwords would be given the
same treatment. This gives users a false sense of security. It’s possible that this might
cause even weaker passwords because users might believe that the additional step
of hashing is occurring when in reality it is not. Additionally, users had no way of
receiving feedback for their actions; specifically, knowing whether or not they activated
the program, or changed passwords. With all of the usability concerns in the study, we
felt that it is best to not include the specific programs, or types of password managers in
our research, as we feel there are better, more usable options. However, we must note that
the Chiasson et al. [9] study made a very important contribution by identifying 4 question
sets that described different aspects of the password management interaction (see Table
1): Perceived Security, Comfort Level with Giving Control of Passwords to a Program,
Perceived Ease of Use, and Perceived Necessity and Acceptance. These question sets
facilitate further research and studies in the field of password management, and provide a
good starting point for our model development.
² Hashing is when a password goes through a function and turns into a cryptic set of
characters. The same password will always end up as the same cryptic set of characters,
and the process cannot be reversed. Ex. “Apple” will always turn into “3nF@7A83.”
However, “Apples” will always turn into “Bs8a$Cf1.”
Perceived Security
  - My passwords are secure when using PwdHash.
  - I do not trust PwdHash to protect my passwords from cyber criminals.
Comfort Level with Giving Control of Passwords to a Program
  - I am uncomfortable with not knowing my actual passwords for a web site.
  - Passwords are safer when users do not know their actual passwords.
Perceived Ease of Use
  - PwdHash is difficult to use.
  - I could easily log on to web sites and manage my passwords with PwdHash.
Perceived Necessity and Acceptance
  - I need to use PwdHash on my computer to protect my passwords.
  - My passwords are safe even without PwdHash.
Table 1: Question Set with Sample Questions from Chiasson Study [9].
In a study by Karole et al. [10], three types of password managers are tested for
usability: phone (KeePassMobile), USB (RoboForm2Go), and online (LastPass). In this
study, phone is similar to desktop-based password management software, except the
software is solely installed on a phone, and not connected to the cloud. This adds
usability in the form of a mobile database. USB is also similar to desktop-based password
managers; however, with the added functionality of being available on a mobile USB
stick. The online version refers to the cloud-based, which was mentioned earlier.
The Karole et al. [10] study uses the question set from the Chiasson et al. [9]
study, editing only the specific questions to fit the type of password management
software. The study was focused and touted primarily as a usability study, with extra
questions relating to the constructs found in the Chiasson study. In the end, the study
found that users had an easier time performing tasks with the online password manager,
as opposed to USB, and especially phone. Interestingly, however, their findings also
showed that users preferred cloud-based password managers least, out of the three
options, which the author attributed to lack of trust in the online software. Users likely
did not find the software secure enough to allow it to gain control of all of their
passwords. We seek to integrate the above two studies by incorporating trust in password
manager usability studies.
These two studies, while making important contributions, have their drawbacks.
For one, both studies have a relatively small number of participants, the first having 26
people, and the second study having a sample pool of only 20 people. It’s difficult to
assume that the general population will have similar feelings about password managers
based on such a small sample. Additionally, neither of the studies looks at the adoption rates
of password managers. In the second study [10], users deemed cloud-based password
managers as being very easy to use; however, that doesn’t mean much if they don’t
actually use the program after the study is over. Security research is generally conducted
in order to promote better security practices. If better methods of security exist but are not
being taken advantage of, then it is obvious that there is a serious discrepancy that needs
to be addressed. The first way to discover whether there is a disparity is by having
accurate adoption rates.
Moreover, little research has been done into figuring out the underlying reasons
for the adoption rates, and average users’ attitudes towards password management
software. The question sets identified by [9], and later reused by [10] are a great first step
towards figuring out the beliefs of users, but there needs to be more concrete reasoning.
What is it about the technology that makes users like them, or hate them? Is it possible
that average users simply do not know that the technology exists? Once they hear about
the technology, are they more likely to use it? Would students consider using this type of
software if it was made available to them for free, either by a separate company, or possibly
by a school? All of these questions are important in continuing the discussion of password
managers, in the pursuit of better security practices.
In the Karole et al. [10] study, of the 20 participants, 10 were college students
acquiring a technical degree. In agreement with their sample population, we felt it is of
great importance to focus on college students. As more and more companies are realizing
the importance of the college student market, it’s imperative that password management
companies do the same. For the same reasons that credit card companies target college
students, and Spotify and Amazon offer lower-priced college discounts, password
management software companies must target college students with discounts in order to
grab a hold of that age bracket, and attract them towards the usability and security of
password managers. With this thinking in mind, we plan to focus our research
specifically on college students at the University of Massachusetts Boston.
Our first hypothesis is that adoption levels of password managers will be
extremely low. Simply based on preliminary conversations with students and colleagues
in the university, we realized that not many people even understood what a password
manager was or did. Additionally, for this exact reason, we also hypothesized that
awareness of the technology and software will be low. Simply put, people won’t know
that the technology exists, and that, we think, is one of the major factors in why people
aren’t adopting the technology. Our last hypothesis is that people will perceive the
technology to be easy to use and useful, meaning those constructs, stemming from the
Technology Acceptance Model, will be consistently rated on the higher end. If all our
hypotheses are correct, then we will have essentially carved out 2 groups of people:
people who have used password managers and believe they are easy to use and useful,
and people who have never heard of them before or have never actually used them.
Understanding why people use password managers will provide guidance for people who
haven’t yet adopted similar tools, thereby improving their authentication security.
3. Study Design
In order to validate our hypotheses, we conducted a study to discover the levels of
adoption of password managers across universities while specifically looking at students
at the University of Massachusetts Boston. Additionally, we sought to determine the
underlying reasons for the current levels of adoption, and to see if there were any
correlations between interest or intent to use and other possible attitudes regarding the
software.
3.1. Overview
We surveyed students at the University of Massachusetts Boston, in IT courses
and general business courses. We first showed the participants a two-minute long
advertisement from 1Password, a popular cloud-based password manager, which offers a
good explanation of password managers, how they work, and why they might be a better
option for the average consumer; see Figure 7 for screenshots of the video. The video was
shown on a projector to the entire classroom. Afterwards, we distributed a single-sided
27-part Likert-scale questionnaire, mainly composed of general password management
questions, history with password management software questions, and a few qualifying
and self-identification questions. All of the surveys were completed in person, and took
an average of 5-10 minutes.
3.2. Participants
Exactly one hundred responses were collected. All of the participants were
undergraduate students enrolled in the University of Massachusetts Boston. Of the
participants, 61 were male, and 37 were female. As mentioned, the questionnaire was
distributed in business or IT courses; as such, the majority of the participants were
majoring in business or technology related fields. 64 of the students had business related
majors (Accounting, Marketing, Finance, Supply Chain, etc.), and 32 had technology
related majors (Information Technology, Management Information Systems, and
Computer Science). In addition, there was a sprinkling of other majors such as Art,
Economics, and Mathematics.
3.3. Model Development
In developing our model, we relied heavily on two prior works: The Technology
Acceptance Model and the question set in the Chiasson study, see Table 1 [11].
Chiasson’s question sets include Perceived Security, Comfort Level with Giving Control
of Passwords to a Program, Perceived Ease of Use, and Perceived Necessity and
Acceptance. The scales were based on previous studies contextualized for password
managers. For example, Perceived Ease of Use and Perceived Usefulness were drawn
from the Technology Acceptance Model [11]. We captured the concept of Perceived
Security with a more established construct of Trusting Belief-Specific Technology—
Functionality taken from McKnight’s Trust in a Specific Technology [12]. We felt this
was important because security is really the main function of password managers, and the
questions derived from this construct could easily be reworded for our study.
Chiasson’s construct, Comfort Level with Giving Control of Passwords to a
Program, was replaced with another of McKnight’s more established constructs from his
Trust in a Specific Technology paper, Trusting Stance—General Technology [12]. This
would also be useful to cross reference other constructs to see if a participant’s answers,
specifically with interest to use, would be swayed through their general trust in
technology. Finally, we added another construct which stemmed from information
security Fear Appeal research, Perceived Severity, which can also tie into necessity: if
users believe the severity is high enough, their necessity for such a product will also
likely be high [13]. All of these prior works mentioned contained questions for each
construct. We reused a great deal of these questions, and reworded them to fit our
context. We felt these constructs would help us determine the underlying feelings that
people have towards password managers. See Table 2 for the Constructs, Definitions, and
Sample Items.
3.4. Limitations
This study is not without some limitations. There was an obvious need to explain
password managers to users, and we deemed the best possible way to do that was through
a video. We thought users would not understand or care enough to read a paragraph
explaining password managers and answer a survey based on the paragraph, therefore, we
decided on a video advertisement. This was another limitation: after a thorough search on
the internet, there were limited options for videos that explained what password managers
were and that were less than 2 minutes long. 1Password’s advertisement was the only
real possibility of showing a video in classes. The responses might be specific to
1Password. Additionally, although we gained 100 responses, about 1/3 were technology
students, which might have skewed the statistics and caused generalizability issues across other
respondents.
Perceived Ease of Use
  Definition: “The degree to which a person believes that using a particular system would be free of effort.” [11]
  Sample items:
  - Learning to operate a password manager would be easy for me.
  - I would find it easy to get a password manager to do what I want it to do.
Perceived Usefulness
  Definition: “The degree to which a person believes that using a particular system would be free of effort.” [11]
  Sample items:
  - Using a password manager would enable me to manage my passwords more quickly.
  - I would find a password manager useful in managing my passwords.
Perceived Necessity
  Definition: The degree to which users believe that using a particular system would be necessary for them. [9]
  Sample items:
  - I need to use a password manager to protect my passwords.
  - My passwords are safe even without using a password manager.
Perceived Threat Severity
  Definition: “‘How serious the individual believes that the threat would be’ to himself- or herself.” [15][13]
  Sample items:
  - If I were to have my password compromised, I would suffer a lot of pain.
  - Having my password hacked would be likely to cause me major problems.
Trusting Belief-Specific Technology—Functionality
  Definition: “Users consider whether the technology delivers the functionality promised by providing features sets needed to complete a task.” [14]
  Sample items:
  - 1Password has the functionality I need.
  - 1Password has the ability to do what I want it to do.
Trusting Stance—General Technology
  Definition: “The degree to which users believe that positive outcomes will result from relying on technology.” [12]
  Sample items:
  - My typical approach is to trust new technologies until they prove to me that I shouldn’t trust them.
  - I generally give technology the benefit of the doubt when I first use it.
Table 2: Constructs, Definitions, and Study Measurement Items
4. Findings
After watching the video, users perceived password managers to be very useful
and very easy to use. Additionally, they felt that a possible password hack would be very
severe for themselves. Moreover, during the actual survey, multiple users asked questions
similar to “Does this actually exist?” which almost foreshadows the low awareness and
even lower adoption rates that our study would later discover.
4.1. Awareness, Adoption & Interest
We posed three questions towards awareness, adoption, and future interest of
password managers. When asked if they had ever heard of password managers before
watching the video, 39% answered yes, see Figure 8. Of the 39, 13 had actually used a
password manager, which means 66% of people who had heard of password managers
before, have never actually used one. However, of the remaining 26 that had heard of
password managers but had never used one, 10 were still interested in actually using a
password manager in the future. Of course, no technology will be universally praised, but the
fact that 1/3 of people that are aware are using one, and that almost another 1/3 are also
possibly interested, is a promising statistic.
As mentioned, the final question in this section dealt with future interest in using
password managers. Of the 100 participants, 57 indicated that they are interested in using
a password manager, which is a very good statistic, see Figure 8. Most promising,
however, is the ratio of people made aware to people interested in using. As previously
mentioned, 39 people had heard of password managers, meaning 61 had never heard of
them before. Of these 61 who had never been made aware of the technology, 40 had
indicated that they were now interested in using the technology. More than 66% of all
people that hear about password managers are interested in using the technology in the
future; that number is staggeringly high for a technology that has been around for so long,
and that until now, has had fairly low adoption rates.
We then looked to see if there were differences between technology and non-
technology majors, specifically whether major matters in terms of exposure and adoption
of password managers, see Figure 8. Awareness refers to question 19 of the survey which
asks if they’ve heard of password managers, adoption refers to question 20 of the survey
which asks if they use password managers, and interest refers to question 21 which asks
if they’re interested in using password managers, see Appendix A for the questionnaire.
Of the technology students, 59% had heard of password managers before watching the
video, compared with only 31% of non-tech students. As one might expect, technology
majors were generally more aware and knowledgeable of Password Managers before the
study. Additionally, 25% of tech students are actually using password managers, a much
higher number than the 8% of non-technology students, which can be explained by
looking at the awareness of the technology. However, what was most interesting was that
only 41% of technology students were interested in using password managers after the
study concluded, as opposed to 63% of non-technology students. Although awareness for
the technology was low for non-tech students, their interest in using the product is much
higher than technology students.
Figure 8: Exposure to Password Managers: Tech Majors vs. Non-Tech Majors
4.2. General Password Management
As part of our survey, we also included sections on general password
management, essentially how users are currently managing their passwords. When asked
if they reuse passwords, 62% of users said yes. We anticipated this number to be higher,
as previous research regarding this question yielded numbers upwards of 80% [1].
However, there is still a possibility that we are not far off, because 20% of participants
left this question blank; a good portion answered every single other question, but
consistently left this one question unanswered. We believe there’s some factor of
embarrassment or guilt involved with admitting that they reuse passwords. They likely
understand the seriousness of such a practice, yet there’s no other way for them to cope
with the increasing demands of password management. It’s also possible that they didn’t
feel safe disclosing that information in this anonymous survey; they might have felt that
the survey taker was going to go after them after the study to try to hack into their
accounts.
We asked participants to figure out how many internet accounts they currently
have. According to a Microsoft study done in 2007, users had on average 25 internet
accounts. We assumed this number would have only gone up with 9 added years
of account creation; however, our data shows otherwise. Of the participants, 36%
answered that they have 6-10 internet accounts, with 26% answering 11-15 internet
accounts. Only 18% of the participants combined to answer either 21-25 or 25 and up.
We attempted to give suggestions for the types of accounts that one may hold; however, it’s
possible that the participants were trying to answer this question as quickly as possible
and likely did not give it as much thought as someone in the Microsoft study.
Additionally, we also asked participants to describe their most common password
by selecting from a list of 4 criteria: 8+ characters, 1+ special character, 1+ number,
and 1+ uppercase character. This also gave some interesting results. Of the participants,
41% had a special character [!@#$%&*] in their most common password. That statistic
is a great indication that users understand the importance of added security for their
passwords. Additionally, 77% of the participants had 8+ characters in their most
common password, another good sign that users are increasing the complexity and
length of their passwords.
4.3. Underlying Attitudes
After watching the video, the users were asked Likert-scale questions based
on the constructs that we had predetermined (see Table 2). The responses were then
converted to a 1-5 score: strongly disagree being 1, neutral being 3, and strongly agree
being 5. As we had hypothesized, perceived ease of use and perceived usefulness were
both rated high on average, with average perceived ease of use rating at 4.09 and average
perceived usefulness rating at 4.035. This shows that users perceive the technology to be
easy to use and useful enough that they would consider using it in the future. Perceived
severity was also rated very high, with an average of 4.07 on the Likert scale. The trust in
functionality construct was rated above neutral, with an average of 3.6. Finally, the
average trust in technology came in at 3.28, meaning our users were generally neutral
about initially trusting technology, with a slight leaning towards trusting it.
5. Discussion
After analyzing our data, specifically cross-referencing the constructs with other
criteria, we came across some interesting findings. One of the questions asked users if
they are interested in using password managers after watching the video; 57% of users
said Yes. However, if this is cross-referenced with the constructs, quite a large number of
statistically significant results show up. In every construct, users have a higher average if
they also indicate that they have interest in using password managers after participating
in the study (see Figure 9). The more that a user perceives the technology to be useful,
easy to use, necessary, and functionally trustworthy, the greater the chance that they will
have an interest in using the technology in the future. Additionally, average trust in
technology was rated at 3.28 for the overall group; however, when looking specifically at
users who indicated interest in using password managers, that number increases to 3.47.
Although not a big jump, it’s still an increase from the average. Users who typically trust
technology are more likely to use password managers.
Figure 9: Interest in Using and Average of Construct
Our three hypotheses were correct. Perceived Ease of Use and Perceived
Usefulness were both rated highly. Awareness of password management software was
low, at 39%. Additionally, the actual usage, or adoption, of password management software
was even lower, with 13% of participants indicating that they had used the software. This
shows the obvious disconnect between users and producers of the technology. The
software works and is perceived to be useful and easy to use; however, people do not
actually know that it exists until someone shows them a video like this. As an
obvious result, people are not actually using this technology.
6. Conclusion
Based on our research, we think that users fully agree that the technology will be
easy to use, and be useful in helping them manage their passwords. We conclude that a
good majority are reusing their passwords, or perhaps feel guilty about admitting to
reusing their passwords. A good majority of users had never heard of password managers
before the study, 61%, and yet of these 61, 40 said they would be interested in using
password managers after the study was over. If we combine all of these facts together, we
come to one conclusion: password management software companies are not doing
enough to expose the technology to users. If 66% of users who heard of password
managers had interest in using the technology, then the number of people who had
actually used the software before should have been much higher.
Password management companies need to run advertisements and market their
software better. Currently the only way to actually see the video advertisement used in
our study is to go to the 1Password website. However, if a user already knows to go to
their website, they’ve been exposed to it before or have heard about 1Password by
word of mouth; either way, there’s some underlying interest in using it. Unfortunately, a
good majority of users do not actually know of and have not been exposed to password
managers; therefore, although the video might do a great job of converting and arousing
interest in password managers, there’s no current way to view it without knowing about
it. It’s almost like a Catch-22: you won’t have watched the video unless you already
know it exists, and the point of the video is to create exposure and increase demand. The
video is not doing much for the company if it lies hidden on their website; they need to
market it better, ideally through television. If they can create more exposure for the
advertisement, I think there’s a real chance for a boom for password managers.
Another idea might be for companies like AgileBits, maker of 1Password, to
partner up with universities, like UMass Boston, to offer its product to students. They
might discount it even further; although this might seem like taking a loss for right now, once
users are dependent on and have experience in using 1Password, they are likely to be hooked
for life. This model is what companies like Spotify rely on (a 3-month trial for 99 cents, or
half price for students), because they understand that if students can be hooked onto the
service, they’re very likely to continue using the service after the trial period has ended.
Password managers are no different; in fact, this model might be even more beneficial for
them because users would be relying on the password manager for all of their passwords
and accounts. 1Password needs to begin partnerships with universities to create more
exposure for its brand. Through this, and only this, will this software really catch on,
and maybe then we can no longer live in fear of password breaches.
References
1. Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., ... &
Cranor, L. F. (2010, July). Encountering stronger password requirements: user
attitudes and behaviors. In Proceedings of the Sixth Symposium on Usable Privacy
and Security (p. 2). ACM.
2. Herley, C. (2009, September). So long, and no thanks for the externalities: the
rational rejection of security advice by users. In Proceedings of the 2009 workshop on
New security paradigms workshop (pp. 133-144). ACM.
3. Huth, A., Orlando, M., & Pesante, L. (2012). Password security, protection, and
management. United States Computer Emergency Readiness Team.
4. Florencio, D., & Herley, C. (2007, May). A large-scale study of web password habits.
In Proceedings of the 16th international conference on World Wide Web (pp. 657-
666). ACM.
5. Schaffer, K. (2011). Are Password Requirements too Difficult? Computer, 44(12),
90-92.
6. Password Haystacks: How Well Hidden is Your Needle? (2012, March 28). Retrieved
December 1, 2015, from https://www.grc.com/haystack.htm
7. Devillers, M. M. (2010). Analyzing password strength. Radboud University
Nijmegen, Tech. Rep.
8. LastPass Password Manager. (2016, May 17). Retrieved May 17, 2016, from
https://play.google.com/store/apps/details?id=com.lastpass.lpandroid&hl=en
9. Chiasson, S., van Oorschot, P. C., & Biddle, R. (2006, August). A Usability Study
and Critique of Two Password Managers. In Usenix Security (Vol. 6).
10. Karole, A., Saxena, N., & Christin, N. (2011). A Comparative Usability Evaluation of
Traditional Password Managers. In Information Security and Cryptology-ICISC 2010
(pp. 233-251). Springer Berlin Heidelberg.
11. Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance
of information technology. MIS Quarterly, 13(3), 319-340.
12. McKnight, D. H., Carter, M., Thatcher, J. B., & Clay, P. F. (2011). Trust in a specific
technology: An investigation of its components and measures. ACM Transactions on
Management Information Systems, 2(2), 1-15.
13. Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., Polak, P. (2015). What do
system users have to fear? Using fear appeals to engender threats and fear that
motivate protective security behaviors. MIS Quarterly, 39(4), 837-864.
14. McKnight, D. H. (2005). Trust in Information Technology. In The Blackwell
Encyclopedia of Management, Management Information Systems, G. B. Davis, Ed.,
Blackwell, Malden, MA, Vol. 7, 329–331.
15. Milne, S., Orbell, S., & Sheeran, P. (2002). Combining motivational and volitional
interventions to promote exercise participation: Protection motivation theory and
implementation intentions. British journal of health psychology, 7(2), 163-184.
Appendixes
Appendix A. Questionnaire
Please respond to the following statements by marking a circle next to the statement.
Note: The information you provide is confidential and we are not collecting any identifying information.
There is no right or wrong answer – we just need your opinion.
Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree
1. Learning to operate a password manager would be easy for me. ○ ○ ○ ○ ○
2. I would find it easy to get a password manager to do what I want it to do. ○ ○ ○ ○ ○
3. My interaction with a password manager would be clear and understandable. ○ ○ ○ ○ ○
4. I would find a password manager easy to use. ○ ○ ○ ○ ○
5. Using a password manager would enable me to manage my passwords more quickly. ○ ○ ○ ○ ○
6. Using a password manager would enable me to manage my passwords more efficiently. ○ ○ ○ ○ ○
7. Using a password manager would enable me to manage my passwords more easily. ○ ○ ○ ○ ○
8. I would find a password manager useful in managing my passwords. ○ ○ ○ ○ ○
9. I need to use a password manager to protect my passwords. ○ ○ ○ ○ ○
10. My passwords are safe even without using a password manager. ○ ○ ○ ○ ○
11. If I were to have my password compromised, I would suffer a lot of pain. ○ ○ ○ ○ ○
12. Having my password hacked would be likely to cause me major problems. ○ ○ ○ ○ ○
13. 1Password has the functionality I need. ○ ○ ○ ○ ○
14. 1Password has the features required for my tasks. ○ ○ ○ ○ ○
15. 1Password has the ability to do what I want it to do. ○ ○ ○ ○ ○
16. My typical approach is to trust new technologies until they prove to me that I shouldn’t trust them. ○ ○ ○ ○ ○
17. I usually trust a technology until it gives me a reason not to trust it. ○ ○ ○ ○ ○
18. I generally give technology the benefit of the doubt when I first use it. ○ ○ ○ ○ ○
19. Had you heard of password managers before watching the video? Yes No
20. Have you ever used a password manager? Yes No
Which one? ________________________
21. After watching the video are you interested in using a password manager? Yes No
22. Which of the following applies to your most common password?
☐ 8+ Characters ☐ 1+ Numbers ☐ 1+ Special Characters ☐ 1+ Uppercase Characters
23. Do you reuse passwords? Yes No
24. How many internet accounts do you have? (Consider social networks, banking, email, shopping, etc.)
☐ 0-5 ☐ 6-10 ☐ 11-15 ☐ 16-20 ☐ 21-25 ☐ 26+
25. Age: ______________
26. Gender: ______________
27. Field of Study: __________________________