Cyber Security Awareness Month kicked off its nineteenth anniversary this year. One would hope that after nearly two decades, this would be a time to celebrate, however, the outlook is not as bright as one would expect. There are so many aspects of cybersecurity that have been promoted to make the world a safer place, but one that stands out as the largest failure seems to be the use of password managers.
Digital password managers have existed for more than 25 years, starting with Bruce Schneier’s Password Safe program that was originally released in 1997, and updated to an open source project in 2017. While I would not consider myself an early adopter, once I started using one, I became an ardent supporter of the technology. Sadly, the password manager that I preferred has fallen into broad disfavor, forcing me to switch to another product.
By now, we in the cybersecurity community all know the benefits of using a password manager; however, no matter how hard we try, universal acceptance among the general public has been slow, if not altogether nonexistent. Most shockingly, from my own informal conversations, the newest generation of computer users, those known as Generation Z and Generation Alpha, are among the most resistant to the idea of using password managers.
While there are no formal studies on this, one can surmise a couple of possible reasons for the resistance to strong security among those who are considered digital natives. The first is the locus of control. In most human endeavors, we want to maintain control over our existence, especially in the physical realm. However, in the digital world, the younger generations have counter-intuitively shifted that control to the device manufacturers. For example, facial and fingerprint recognition technologies make the process of unlocking a device relatively easy. However, despite the fact that biometrics can be better than passwords, we have seen multiple examples of how this technology has some problems.
The other obvious reason for resistance to using password managers is that they can be somewhat confusing, even to the best of us. This violates one of the most basic principles of security acceptance: ease of use. Along with the confusion of configuring password managers to correctly record password updates, there is also a problem when registering a new site in a password manager. The password manager will record the registration URL rather than the login page, so the next time the visitor uses the password manager to log into the site, it improperly takes the person to the registration page rather than the login page. In a recent development, even a copy and paste function will not work on some sites, as they insist on detecting actual keystrokes in the password field rather than a paste event. The workaround for this is nothing short of maddening.
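To make the paste-blocking problem concrete, here is an added example (not code from the article or from Tripwire) that audits a login form's markup for the habits that break password managers: a password field that cancels paste events, a script that does the same, and username or password fields that omit the `autocomplete` hints managers rely on. The two form snippets are constructed samples, and the tag scan is a deliberately simple regex rather than a full HTML parser.

```javascript
// Constructed sample: a form that fights password managers (blocks paste, no autocomplete hints).
const HOSTILE_FORM = `
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw" onpaste="return false">
  <button>Sign in</button>
</form>
<script>
  document.querySelector('[name=pw]').addEventListener('paste', e => e.preventDefault());
</script>`;

// Constructed sample: the same form, fixed. Paste is allowed and the autocomplete tokens
// ("username", "current-password") tell a manager which field is which.
const FRIENDLY_FORM = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="current-password">
  <button>Sign in</button>
</form>`;

// Extract every <input> tag and its attributes as a plain object (simplified scan, not a real HTML parser).
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4] ?? '';
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Return a list of human-readable findings; an empty list means the form is manager-friendly.
function auditLoginForm(html) {
  const findings = [];
  const PASSWORD_TOKENS = ['current-password', 'new-password'];

  for (const attrs of parseInputs(html)) {
    const name = attrs.name || attrs.id || '(unnamed)';
    const type = (attrs.type || 'text').toLowerCase();
    const autocomplete = (attrs.autocomplete || '').toLowerCase();

    if (type === 'password') {
      // Inline handler that cancels the paste event: managers and users cannot paste a credential.
      if (attrs.onpaste !== undefined && /return\s+false|preventDefault/.test(attrs.onpaste)) {
        findings.push(`${name}: onpaste handler blocks paste`);
      }
      if (!PASSWORD_TOKENS.includes(autocomplete)) {
        findings.push(`${name}: set autocomplete="current-password" or "new-password"`);
      }
    } else if (/user|email|login/i.test(name) && autocomplete !== 'username') {
      findings.push(`${name}: set autocomplete="username" so the manager pairs it with the password`);
    }
  }

  // Script-level paste blocking: a 'paste' listener that calls preventDefault().
  if (/addEventListener\(\s*['"]paste['"][\s\S]*?preventDefault/.test(html)) {
    findings.push('script: a paste listener calls preventDefault() on the page');
  }
  return findings;
}

console.log('hostile form:', auditLoginForm(HOSTILE_FORM));
console.log('friendly form:', auditLoginForm(FRIENDLY_FORM));
```

Run it with `node` and the hostile form produces four findings while the fixed form produces none; the point is that nothing in the friendly form weakens security, it only stops working against the tool the user chose.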
There is also the strong initiative of the FIDO Alliance to do away with passwords entirely. I am optimistic that this may be the strongest hope for login security. With the coupling of manufacturers trying to build security into devices, web designers trying to make web logins more secure by preventing the copy and paste function, and the added developments of FIDO2, the result is a potent recipe for the failure of password managers. It is almost as if the security community is fighting against itself, and the cost is uncertain at this point. In our collective zeal to make the internet a safer place, we are creating a situation that makes it a greater challenge to promote good security, and the first casualty of this may be the password manager.
It is hard to predict if this will be a positive development. Is the reliance on biometrics as the primary method to unlock a person’s entire digital world better than our efforts to stress the importance of unique passwords for every site? What we believe in theory is not what we are seeing in practice. What is most obvious is that we must find a better way to promote security to the general public. Let’s bring the locus of control back to the person who cares about it the most, that is, each individual.
Here’s hoping for a safe Cyber Security Awareness Month, and a brighter outlook for the twentieth anniversary next year.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.