Written By: Security.org Team | Published: December 6, 2021

As more aspects of our lives migrate to the cloud, securing personal accounts has become increasingly important and exponentially more challenging. Phishing scams, hackers, breaches, and malware present grave threats to critical data. 

Online passwords are a formidable safeguard when used correctly, but best password practices are too rarely employed. Such reckless behavior contributed to a doubling of identity theft between 2019 and 2020.

Experts recommend using passwords managers (also known as “password vaults”) to coordinate logins and improve personal digital security. These applications can generate complex codes, encrypt them for safe storage, autofill them online, and send alerts when credentials are corrupted. Unfortunately, they have not completely caught on with the public. According to this year’s research, 4 out of 5 American adults are not using these protective platforms, while millions are open to adoption.

Key findings from our research:

  • One in five Americans currently use a password manager. This equates to an estimated 45 million people. 
  • Nearly one-third of Americans had their identity or online credentials stolen in the past year, with another 13 percent unsure whether they’d been hacked. Among those who suffered a password or identity theft, only 10 percent were using a password manager at the time.
  • Those who rely on their memory to manage their passwords are twice as likely to have their credentials or identity stolen as those who use password storage tools.
  • More than two-thirds of those who don’t currently use password managers, or approximately 128 million people, would consider getting one in the future.

Password Managers Are Secure but Underutilized 

Our annual cybercrime report documented a rise in internet offenses corresponding to the pandemic’s increased online activity. Our password manager research demonstrates that impact at a personal level: at least 29 percent of Americans had their identity or online credentials stolen in the past twelve months alone.

Ninety percent of these violations occurred among victims without password manager softwares. Overall, standard memorization remains the most popular way to keep track of online passwords, followed by an assortment of other low-tech approaches.

How do you manage or store your online account passwords?

Memorization

41%

Written on paper

30%

Saved in my browser

24%

Saved in a digital note file

23%

Reuse the same few passwords

20%

Password manager

20%

* Multiple responses permitted

Password managers may not be popular, but proved effective: around 1 in 6 vault users suffered a theft or a breach, less than half the rate of most other methods.

Password storage method

Percentage who experienced identity theft in past year

Saved in a digital note file

35%

Reuse the same few passwords

35%

Memorization

31%

Saved in my browser

30%

Written on paper

28%

Password manager

16%

* Multiple methods permitted

To reconcile the infrequent use of password managers in an environment requiring added security, we dug deeper into public attitudes about them.

Password Manager Clients Embrace Convenience, Skeptics Question Security

Nearly all password manager users employ the applications to manage their personal logins, and almost half also enlist them for work. Additionally, people are using them on a variety of devices, not just on their computers. 

On which devices do you use password managers?

Mobile phone

77%

Laptop or desktop computer

75%

Tablet

46%

Other

2%

LastPass was the most popular service among respondents, with nearly double the nearest competitor's users, but an assortment of providers were named. 

Which password manager do you mainly use?

LastPass

21%

Keeper

10%

McAfee True Key

8%

Bitwarden

8%

Google Chrome password manager

8%

Apple Keychain password manager

7%

1Password

7%

Dashlane

7%

Norton

3%

NordPass

3%

Password Boss

2%

Sticky Password

1%

RoboForm

1%

Other brands

15%

The most cited reasons for turning to password managers emphasized their most notable strengths: generating, storing, organizing, and encrypting numerous complex codes across multiple platforms.

Main reasons people use password managers

Can’t remember all my passwords

71%

Apply logins across different devices

51%

Generate/save complex passwords

45%

Manage apps with multiple logins 

38%

Password encryption

34%

Ease of one master password

24%

* Multiple responses permitted

The primary reasons for not using a password manager were rooted more in unfamiliarity than fact.

Main reasons people don’t use password managers

Don’t believe they’re secure

71%

Not sure I need one

51%

Don’t know how they work

45%

Cost too much 

38%

Difficult to set up

34%

* Multiple responses permitted

Respondents without password managers were most worried about vault security, presumably unaware that data encryption keeps passwords protected even in the rare case of a breach. Other concerns included difficulty of use (though most offer user-friendly apps and browser extensions) and cost (although 61 percent of users said they used a free service).

If these issues are addressed, password manager use is likely to expand – most of those who don’t currently use a password vault are willing to try them.

Would you consider using a password manager in the future?

Yes

69%

No

31%

Ultimately, personal exposure may be required to drive broader adoption. Nearly half (46 percent) of those willing to consider a password vault had a credential potentially stolen in the past 12 months, compared to only 32 percent of those stating they'll never use one. Additionally, 13 percent of current password manager users signed up after suffering a recent theft. 

As victimization unfortunately rises, so may the motivation to take appropriate precautions.

Password Managers Alone Can’t Guarantee Safety

Password managers are effective tools that provide convenience along with security, but they are not a cure-all against hackers.

Vaults promote good password hygiene, yet users must diligently follow the guidelines: stick to randomly generated complex codes, don’t store logins outside the vault, don’t share passwords or save them on shared machines, enable two-factor authentication, change credentials promptly when notified of corruption, and never reuse or recycle the same passwords – especially for your master password.

Password managers encrypt credentials online and require an offline master password for access. It’s important to keep this password safe and different from any code you’ve used before. We found that nearly 1 in 5 password manager users had recycled their master password, undermining the strength of the vault.

How did you create your master password?

Unique login

81%

Reused previous login

19%

Even with perfect password practices and a secure vault, credentials can be stolen via third-party data breaches (like a hack against a retailer, service, or credit agency). These corporate attacks have also escalated this year, but a password manager that empowers unique codes minimizes the danger when one login is taken. 

Conclusion

In a world where sophisticated cybercriminals deploy algorithms and other advanced hacking tools, it’s reckless to rely upon old-fashioned security, especially with so much at stake. 

Our personal, professional, and financial information reside behind passwords that 60 percent of Americans track with their memory or paper notes. These imperfect practices encourage dangerously simple and repetitive logins – it’s little wonder that one in three people suffered a digital theft or breach in the past year.

Password managers are a simple, affordable, encrypted method to generate and monitor secure keys, but only one in five Americans currently use them; many after learning hard lessons. Most holdouts would consider signing up for a vault but have reservations concerning need, cost, security, and complexity.

With a better understanding of these applications, perhaps more citizens will sign up as users before being numbered as victims. 

Methodology

In November 2021, we conducted an online survey to ask 1,077 American adults about their personal experience with cybercrime, their methods of password tracking, and their opinions of password manager applications. The respondents were representative of the American population based on gender, age, and race.