ISI News

For Users Managing Passwords, Convenience Beats Security

by Marc Ballon

Most people use password managers, but not the way security experts recommend. And even when universities offer powerful password tools for free, students and employees largely ignore them.

A new study from USC’s Viterbi Information Sciences Institute found that while 94% of university users rely on password managers, only 26% use them to generate strong, random passwords. Instead, most people create weak, memorable passwords and reuse them again and again across multiple accounts, leaving themselves vulnerable to hackers.

Most striking: only 15% of USC students, faculty and staff use 1Password, the free password manager the university provides, a subscription that would normally cost $35 per year. About two-thirds didn’t even know it existed.

“We found that users are satisfied with their current password management strategies,” said Jelena Mirkovic, a principal scientist at ISI, a research associate professor at the USC Thomas Lord Computer Science Department, and co-author of the study. “Even when we offer them something better for free, the perceived effort of switching outweighs the benefits.” [Third-party password managers, like 1Password, are generally more secure than browser-based and OS-based password managers, and they are portable across different devices and operating systems.]

The study was led by USC computer science Ph.D. student Pithayuth Charnsethikul. Co-authors include USC graduate students Anushka Fattepurkar, a master’s student in computer science, and Dipsy Desai, a computer science doctoral student, along with Gale Lucas, a researcher at USC’s Institute for Creative Technologies and research associate professor of civil and environmental engineering, computer science, and psychology at USC Viterbi and the USC School of Advanced Computing. Mirkovic serves as both Charnsethikul’s and Desai’s Ph.D. advisor.

Password Reuse Remains Rampant

The researchers surveyed 437 people at USC, and their methodology replicated a password manager use study conducted at George Washington University in 2021. Both studies paint a troubling picture of password habits.

USC users reported having unique passwords for only 40% of their accounts. Students were worst, with unique passwords for just 20% of accounts. Faculty performed better at 70%, but that still left a lot of room for improvement.

“This behavior stems from users prioritizing convenience over security,” Charnsethikul said. “People really want passwords they can remember, in case they lose access to their password manager.”

Password reuse is dangerous because when one account is breached, hackers can use those stolen credentials to access other accounts with the same password. With the average person managing dozens or even hundreds of online accounts, remembering unique passwords for each account has become nearly impossible without tools.

And the problem appears to be worsening. The median number of password-protected accounts per user jumped from 25 in 2006 to 80 in 2018, according to Mirkovic’s previous research. Mirkovic herself has nearly 1,000 password-protected accounts.

Free Doesn’t Mean Adopted

The USC findings contradicted the GWU study’s prediction that users would readily adopt free tools. While 71% of George Washington respondents said they would likely adopt a free university-provided manager, actual behavior at USC told a different story.

Only 35% of USC participants even knew the university offered 1Password for free. Among those aware of the offering, adoption was low across all groups. Just 10% of students, 16% of staff and 18% of faculty actually used the service.

When asked why they didn’t use the free tool, 74% of respondents said they were satisfied with their current approach (usually a different password manager), 67% worried about losing access after leaving USC, and about half felt that switching would be too difficult.

“USC has promoted the free password manager through multiple channels, including emails, Slack messages and required security training for employees,” Mirkovic said. “But awareness and adoption remain low.”

Added Charnsethikul: “It’s a difference between something users say they would do and their actual follow-through. For example, many people join a gym in January but fail to go regularly. Similarly, many GWU users said they would adopt a free password manager, but our USC study shows that in practice users do not readily switch to a new tool for password management.”

Making Security More Appealing

The researchers recommend that universities shift from passive promotion to active intervention, nudging users at moments when they’re already thinking about passwords, like during account creation or after a security alert.

“At those moments, users are more likely to pay attention and recognize the value,” Mirkovic said. “We should emphasize features that aren’t available in browser-based password managers, such as cross-platform functionality and higher security. All password managers could improve their password generation functionalities to generate memorable passwords that are still secure.”

Universities should also address concerns about losing access after graduation or employment ends. Clear communication about how to transfer passwords to a personal account could ease those fears.

For anyone feeling overwhelmed, the advice is simple: Start with whatever password manager is already available, even the one in your browser. Then, gradually replace your existing passwords with generated ones.

“Any password manager is better than none,” Mirkovic said. “And a password manager used to generate passwords is vastly better than one used just to store passwords.”

Despite the sobering findings, both researchers remain optimistic. Password manager awareness has climbed steadily over the past decade, from 50% in 2016 to 96% today. Adoption has similarly increased. As data breaches make headlines and people manage ever more accounts, the tools are shifting from helpful to essential.

“The key is aligning security services with user preferences,” Mirkovic said. “If we understand what users like and can offer something secure that doesn’t go against those preferences, we have a good chance of widespread adoption.”

This article may feature some AI-assisted content for clarity, consistency, and to help explore complex scientific concepts with greater depth and creative range.