As more aspects of our lives migrate to the cloud, securing personal accounts has become increasingly important and exponentially more challenging. Phishing scams, hackers, breaches, and malware present grave threats to critical data.
Online passwords are a formidable safeguard when used correctly, but best password practices are too rarely employed. Such reckless behavior contributed to a doubling of identity theft between 2019 and 2020.
Experts recommend using passwords managers (also known as “password vaults”) to coordinate logins and improve personal digital security. These applications can generate complex codes, encrypt them for safe storage, autofill them online, and send alerts when credentials are corrupted. Unfortunately, they have not completely caught on with the public. According to this year’s research, 4 out of 5 American adults are not using these protective platforms, while millions are open to adoption.
Key findings from our research:
- One in five Americans currently use a password manager. This equates to an estimated 45 million people.
- Nearly one-third of Americans had their identity or online credentials stolen in the past year, with another 13 percent unsure whether they’d been hacked. Among those who suffered a password or identity theft, only 10 percent were using a password manager at the time.
- Those who rely on their memory to manage their passwords are twice as likely to have their credentials or identity stolen as those who use password storage tools.
- More than two-thirds of those who don’t currently use password managers, or approximately 128 million people, would consider getting one in the future.
Password Managers Are Secure but Underutilized
Our annual cybercrime report documented a rise in internet offenses corresponding to the pandemic’s increased online activity. Our password manager research demonstrates that impact at a personal level: at least 29 percent of Americans had their identity or online credentials stolen in the past twelve months alone.
Ninety percent of these violations occurred among victims without password manager software. Overall, standard memorization remains the most popular way to keep track of online passwords, followed by an assortment of other low-tech approaches.
| How do you manage or store your online account passwords? | |
|---|---|
| Memorization | 41% |
| Written on paper | 30% |
| Saved in my browser | 24% |
| Saved in a digital note file | 23% |
| Reuse the same few passwords | 20% |
| Password manager | 20% |
| * Multiple responses permitted | |
Password managers may not be popular, but proved effective: around 1 in 6 vault users suffered a theft or a breach, less than half the rate of most other methods.
| Password storage method | Percentage who experienced identity theft in past year | |
|---|---|---|
| Saved in a digital note file | 35% | |
| Reuse the same few passwords | 35% | |
| Memorization | 31% | |
| Saved in my browser | 30% | |
| Written on paper | 28% | |
| Password manager | 16% | |
| * Multiple methods permitted | ||
To reconcile the infrequent use of password managers in an environment requiring added security, we dug deeper into public attitudes about them.
Password Manager Clients Embrace Convenience, Skeptics Question Security
Nearly all password manager users employ the applications to manage their personal logins, and almost half also enlist them for work. Additionally, people are using them on a variety of devices, not just on their computers.
| On which devices do you use password managers? | |
|---|---|
| Mobile phone | 77% |
| Laptop or desktop computer | 75% |
| Tablet | 46% |
| Other | 2% |
LastPass was the most popular service among respondents, with nearly double the nearest competitor's users, but an assortment of providers were named.
| Which password manager do you mainly use? | |
|---|---|
| LastPass | 21% |
| Keeper | 10% |
| McAfee True Key | 8% |
| Bitwarden | 8% |
| Google Chrome password manager | 8% |
| Apple Keychain password manager | 7% |
| 1Password | 7% |
| Dashlane | 7% |
| Norton | 3% |
| NordPass | 3% |
| Password Boss | 2% |
| Sticky Password | 1% |
| RoboForm | 1% |
| Other brands | 15% |
The most cited reasons for turning to password managers emphasized their most notable strengths: generating, storing, organizing, and encrypting numerous complex codes across multiple platforms.
| Main reasons people use password managers | |
|---|---|
| Can’t remember all my passwords | 71% |
| Apply logins across different devices | 51% |
| Generate/save complex passwords | 45% |
| Manage apps with multiple logins | 38% |
| Password encryption | 34% |
| Ease of one master password | 24% |
| * Multiple responses permitted | |
The primary reasons for not using a password manager were rooted more in unfamiliarity than fact.
| Main reasons people don’t use password managers | |
|---|---|
| Don’t believe they’re secure | 71% |
| Not sure I need one | 51% |
| Don’t know how they work | 45% |
| Cost too much | 38% |
| Difficult to set up | 34% |
| * Multiple responses permitted | |
Respondents without password managers were most worried about vault security, presumably unaware that data encryption keeps passwords protected even in the rare case of a breach. Other concerns included difficulty of use (though most offer user-friendly apps and browser extensions) and cost (although 61 percent of users said they used a free service).
If these issues are addressed, password manager use is likely to expand – most of those who don’t currently use a password vault are willing to try them.
| Would you consider using a password manager in the future? | |
|---|---|
| Yes | 69% |
| No | 31% |
Ultimately, personal exposure may be required to drive broader adoption. Nearly half (46 percent) of those willing to consider a password vault had a credential potentially stolen in the past 12 months, compared to only 32 percent of those stating they'll never use one. Additionally, 13 percent of current password manager users signed up after suffering a recent theft.
As victimization unfortunately rises, so may the motivation to take appropriate precautions.
Password Managers Alone Can’t Guarantee Safety
Password managers are effective tools that provide convenience along with security, but they are not a cure-all against hackers.
Vaults promote good password hygiene, yet users must diligently follow the guidelines: stick to randomly generated complex codes, don’t store logins outside the vault, don’t share passwords or save them on shared machines, enable two-factor authentication, change credentials promptly when notified of corruption, and never reuse or recycle the same passwords – especially for your master password.
Password managers encrypt credentials online and require an offline master password for access. It’s important to keep this password safe and different from any code you’ve used before. We found that nearly 1 in 5 password manager users had recycled their master password, undermining the strength of the vault.
| How did you create your master password? | |
|---|---|
| Unique login | 81% |
| Reused previous login | 19% |
Even with perfect password practices and a secure vault, credentials can be stolen via third-party data breaches (like a hack against a retailer, service, or credit agency). These corporate attacks have also escalated this year, but a password manager that empowers unique codes minimizes the danger when one login is taken.
Conclusion
In a world where sophisticated cybercriminals deploy algorithms and other advanced hacking tools, it’s reckless to rely upon old-fashioned security, especially with so much at stake.
Our personal, professional, and financial information reside behind passwords that 60 percent of Americans track with their memory or paper notes. These imperfect practices encourage dangerously simple and repetitive logins – it’s little wonder that one in three people suffered a digital theft or breach in the past year.
Password managers are a simple, affordable, encrypted method to generate and monitor secure keys, but only one in five Americans currently use them; many after learning hard lessons. Most holdouts would consider signing up for a vault but have reservations concerning need, cost, security, and complexity.
With a better understanding of these applications, perhaps more citizens will sign up as users before being numbered as victims.
Methodology
In November 2021, we conducted an online survey to ask 1,077 American adults about their personal experience with cybercrime, their methods of password tracking, and their opinions of password manager applications. The respondents were representative of the American population based on gender, age, and race.
