Improper Password Manager Use Opens Vulnerabilities to Identity Theft

A password manager can be a useful and effective tool for creating, controlling and applying complex and secure passwords, but if you don’t use it the right way, you can open yourself up to account compromise and even identity theft.


A recent report from security advice site Security.org looks at the ways people try to handle their passwords and how they use password managers in particular. The “Password Manager Annual Report 2022” is based on an online survey of 1,047 American adults conducted in November of 2022.



How people manage their passwords

Asked how they keep track of their online passwords, 41% of the respondents said they memorize them, 32% write them on a piece of paper and 25% save them in a digital note on their device. Some 25% save them in their web browser, 22% use the same password across all their accounts, and just 21% use a dedicated password manager. Respondents could name more than one method, so the figures overlap rather than adding to 100%.


With people turning to such a potpourri of often unsafe methods to manage their passwords, it’s no wonder that identity theft has hit a large number of individuals. Among the respondents who experienced identity theft over the past year, half said they reuse the same passwords across multiple accounts, 46% save their passwords in digital notes, 43% save them in the browser, 35% try to memorize them and 35% write them down on paper. Among those who use password managers, only 19% were victims of identity theft.

How people use passwords improperly

However, a password manager is no panacea, and certainly not if you use it incorrectly. To protect your password manager account, you’re required to set up a master password. That master password must be especially strong and must never be used elsewhere, yet almost half of the password manager users hit by identity theft had used their master password for other accounts. This practice is especially hazardous: once that password leaks from a breach of any of those other sites, a cybercriminal can try it against the password manager itself, exposing every credential stored in the vault in one stroke.

Why and where people use password managers

Asked why they use a password manager, 65% of those surveyed said they have more passwords than they can remember, 54% need to log into their accounts across multiple devices, 51% use them to create complex passwords and 46% have to manage multiple logins for different applications. Some 37% said they use password managers to encrypt their passwords, while 19% use them so that they need to remember only one password: the master password.

Drilling down further into the use of password managers, the survey found that half of the respondents rely on them for personal accounts, 46% for both work and personal accounts, and only 4% for just work accounts. Some 84% use password managers on a mobile device, 75% on a computer and 44% on a tablet.

How much people pay for password managers

Asked how much they pay annually for their password manager, 67% of the respondents said they pay nothing, 10% pay between $1 and $20, 7% pay between $21 and $40, and 6% pay between $41 and $60.

Among different password managers, Google’s Password Manager was the top product, cited by 23% of those surveyed. Apple’s iCloud Keychain took second place, used by 17%. Other password managers high on the list were Bitwarden, LastPass, 1Password, Norton and Dashlane.

Are password managers safe?

Finally, Security.org asked the respondents whether they thought password managers were safe. Among all respondents, 43% said yes, 23% said no and 35% weren’t sure. Among password manager users, 75% said they were safe, 8% thought they were unsafe and 17% were unsure. Among the non-users, 36% felt they were safe, 16% thought they were unsafe and 38% weren’t sure.

Recommendations for password manager protection

Until passwords go away completely, password managers are still the best way to juggle the passwords for all your accounts. However, you need to use the password manager properly for it to be truly effective and protect yourself from identity theft. Toward that end, here are a few recommendations.

Create a strong master password

As the key to the kingdom, your master password must be especially strong and resistant to offline cracking: if an attacker ever obtains a copy of your encrypted vault, the master password is all that stands between them and its contents. Length and randomness matter more than character classes. A long random mix of letters, digits and special characters works, and so does a passphrase of several words chosen at random (not a quotation or a sentence you would naturally write), which can match the strength of a shorter complex password and is far easier to remember and type.
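To make the comparison between a complex password and a passphrase concrete, here is an added example (not from the Security.org report or this article) that generates both with Python’s CSPRNG and estimates their entropy. It assumes a diceware-style list of 7776 words, the size of the EFF long word list; the eight words embedded below are a constructed stand-in so the script runs offline, and only the list’s size enters the entropy estimate.

```python
import math
import secrets
import string

# Assumption for this example: a diceware-style list of 7776 words (the size of
# the EFF long word list). The eight words below are a constructed stand-in so
# the script runs offline; only WORDLIST_SIZE enters the entropy estimate.
WORDLIST_SIZE = 7776
SAMPLE_WORDS = ["anchor", "battery", "correct", "gravel", "horse",
                "staple", "tundra", "velvet"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose symbols are chosen uniformly at random from an
    alphabet of `alphabet_size`. Valid only for random choice: a human-picked
    "complex" password has far less entropy than its length suggests."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Fewest random words from `wordlist_size` choices that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_password(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """Complex password: uniform random printable ASCII drawn from the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Passphrase: random words joined by `sep`. A real 7776-word list gives
    about 12.9 bits per word; the constructed eight-word list gives only 3."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(password_length: int = 12, phrase_words: int = 6) -> dict:
    """Side-by-side entropy of a random complex password and a random passphrase,
    plus how many words from the full list would match the password."""
    password_bits = entropy_bits(len(PRINTABLE), password_length)
    return {
        "password_bits": round(password_bits, 1),
        "passphrase_bits": round(entropy_bits(WORDLIST_SIZE, phrase_words), 1),
        "words_to_match": words_needed(password_bits),
    }


if __name__ == "__main__":
    # 12 random printable chars: 78.7 bits; 6 random words: 77.5 bits; 7 words match
    print(compare())
    print(random_password())
    print(random_passphrase())
```

The takeaway is that six words drawn at random from a 7776-word list sit within about a bit of a 12-character random password, and seven words exceed it, while being something a person can actually type from memory. The arithmetic only holds when the choice is random; picking "memorable" words by hand collapses the entropy.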

Limit your master password to the password manager

Keep the master password specific to your password manager account. Don’t use it elsewhere. Hopefully, that password will be strong enough to resist compromise, but even a complex one should be limited just to your password manager. Then let the password manager create the passwords for all your other accounts.

Enable two-factor authentication

Most password managers offer two-factor authentication on the account that syncs your vault. When you set up or sign in to the manager on a new computer or device, you’ll be prompted for whatever second factor is in effect, typically an authenticator-app code, a push approval or a hardware security key. Even if your master password is compromised, an attacker holding only that password cannot sign in to the service without the second factor. Be clear about the limit of this protection: it guards the login to the vault service, not the vault file itself. A copy of the encrypted vault obtained some other way, for example from a breach at the provider or from a stolen device, can be attacked offline, and there only the strength of the master password protects it. Prefer an authenticator app or a hardware key over SMS codes, and keep the recovery codes the manager issues somewhere other than the vault they unlock.
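The six-digit code that a password manager (or any service using an authenticator app) prompts for is, in the common case, a time-based one-time password per RFC 6238, built on the HOTP construction of RFC 4226. The following added example, not from the article or any password manager vendor, shows both sides of that exchange: what the authenticator computes from the enrolled secret and the clock, and how the server verifies a submitted code. It assumes the usual defaults (HMAC-SHA1, 30-second steps, six digits, one step of clock drift tolerated) and uses the published RFC test key rather than a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226/6238 test key (ASCII "12345678901234567890"), written in the base32
# form an authenticator app would be enrolled with. Not a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Base32-decode an enrolled secret, tolerating lowercase, spaces and
    missing '=' padding, all of which appear in real enrollment strings."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second
    intervals since the Unix epoch. This is what the authenticator app (or the
    manager's own TOTP feature) computes and displays at time `at`."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the code for the current interval or up to `window`
    intervals on either side to tolerate clock drift. Every candidate is
    compared in constant time and the loop never exits early, so response
    timing reveals nothing about which interval (if any) matched."""
    at = int(time.time()) if at is None else at
    if len(submitted) != digits or not submitted.isdigit():
        return False
    ok = False
    for skew in range(-window, window + 1):
        candidate = totp(key, at + skew * step, step, digits)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)                     # what the user reads off the app
    print(code, verify_totp(key, code, now))  # the server accepts it: True
```

Two design points matter in practice. The server should also remember the last interval it accepted for this user and refuse a replay of the same code within the window; that bookkeeping is omitted here to keep the example stand-alone. And the secret must be stored server-side as carefully as a password hash would be, because anyone holding it can generate codes at will.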