Increased cybersecurity risks may have sharpened some Americans’ attention to password management – but most still rely on memorization or handwritten notes, a practice criticized by many cybersecurity experts.
One in three (34%) Americans use password managers nowadays. That’s up from one in five (21%) in 2022, a poll by Security.org revealed. That would represent an estimated 79 million people using password managers.
“Google and Apple password managers, built into their devices and browsers, now account for one half of the American market and are more popular than any other password management tools,” said Security.org researchers.
What they found surprising is that the introduction of physical security keys and next-generation passkeys has already garnered attention, securing 10% usage among adults.
Yet, around four in ten (41%) users still rely on memorization to keep tabs on their internet passwords, while a quarter save them on handwritten notes or unencrypted digital files on their devices.
Some users jeopardize even the safety that a password manager provides, as one in four reused master passwords elsewhere.
“People who engage in this unsafe practice are more likely to have experienced recent identity theft,” the report said.
In total, six in ten Americans still rely on insecure methods to keep track of their credentials.
The FBI reported a record $10.2 billion in cybercrime last year, up from $6.9 billion, with more than 800,000 complaints filed with its Internet Crime Complaint Center. Moreover, in 2022, the FTC IdentityTheft.gov website received over 1.1 million reports of identity theft.
The bumpy road to securing online identities
Unsecured logins and recycled passwords make digital accounts vulnerable to hackers. The use of password managers is increasing because of higher awareness of dangers online, remote work, and other aspects of Americans’ lives moving online.
Password managers or vaults, often free and integrated within devices or browsers, are one of the most advanced and straightforward solutions for protecting online accounts across the web on multiple devices.
Google Password Manager and iCloud Keychain by Apple were the two most popular brands, primarily used by 30% and 19% of respondents respectively. LastPass seems to be falling out of fashion and only commands a tenth of users, less than half the proportion (21%) it enjoyed in 2021.
“Two widely publicized security breaches specifically contributed to LastPass’ downfall. However, all competitors have struggled to compete with the free, convenient, seamless services now offered by Google and Apple,” researchers explain.
Researchers warned that reusing the password manager’s master password, a habit of more than a quarter of US citizens, is particularly hazardous. Hackers may obtain one password in a third-party leak and then use it to breach the password manager account and steal all of the account holder’s credentials.
“We strongly advise choosing different complex passwords for every individual account and a unique login to unlock the password manager instead of cycling through pet names or sibling birthdays that can be deciphered with public information,” Security.org researchers said.
National Institute of Standards and Technology guidelines suggest that all online passwords should be lengthy (12 characters or more), unique, meaningless, and updated whenever a breach is suspected.
Password managers help juggle account credentials conveniently, with 68% of users saying they have too many passwords to easily remember, 53% using logins across multiple devices, and 45% wanting to generate complex passwords.
Most password manager users have chosen free services and are also satisfied with their choice. Only a quarter of customers changed their provider last year, as many ditched LastPass.
Around seven in ten of those without password managers are open to signing up for services in the future. The main reasons preventing users from embracing the technology are not being convinced of the necessity, security concerns, cost, and complexity.
Further advances on the way
Biometric passkeys are already arriving, promising quantum encryption further ahead. Passkeys act as personalized two-factor authenticators that can be installed on a user’s phone without needing a separate gadget.
Employing public-key cryptography to embed digital credentials on a client’s physical device eliminates the need for hackable or stealable passwords.
“Online accounts that accept passkeys can be accessed the same way one opens a phone: biometrics, PINs, or swipe patterns when the user has physical possession of the designated device,” researchers said.
While Apple, Google, and Microsoft are still working to roll out this new protocol, it will be some time before universal adoption, and users are left to trust password managers to handle complex logins during the transition.
“Until these methods become standard, we’re stuck using complex strings of characters,” the report concluded.
Security.org reached its findings after conducting an online poll of 1,051 US adults in August 2023.