Does the average user really need a password manager?

Yes.

The average user should use long random passwords for every site. Passwords should not be repeated, passwords should not follow a discernible pattern. The compromise of any one password (e.g. your Adobe or LinkedIn login) must not be allowed to make it any easier for the attacker to guess your other passwords. These requirements make remembering passwords very nearly impossible. But that's not the primary reason why you should use a password manager.

The primary reason is that it reliably protects you against phishing attacks. A browser-integrated password manager will only fill in a site-specific password if you're actually visiting the correct site. So you won't accidentally type your Paypal.com password into www.paypal.com.us.cgi-bin.webscr.xzy.ru. This is doubly true for average users, who, on the average, rely on the general familiarity of a site to determine whether or not it's legitimate (a terribly ineffective heuristic). Since you don't know your password, you can't type it in. Instead, it will only auto-fill if you're at the authentic site.

Use a browser-integrated password manager, don't get phished. It literally is that simple. Phishing is far more prevalent and serious a threat than password disclosure, anyway.


There's some interesting thinking going on in Microsoft Research labs that supports your approach. http://research.microsoft.com/apps/pubs/default.aspx?id=227130 for example.

They make the point that not all password-secured accounts are equal. They categorise them as:

  • don’t-care accounts (unlocked doors).
  • low-consequence accounts (latched garden doors).
  • medium-consequence accounts (locked front door).
  • high-consequence accounts (bank vault doors).
  • ultra-sensitive accounts (those cool blast doors we like to imagine are at NORAD).

and point out that it is a waste of effort to make the passwords on don't-care accounts as strong as the ones on the high-consequence accounts. If you don't care about an account, why shouldn't you use "password" as the password?

I agree with them, but I still use a password manager and have unique strong passwords for everything for the simple reason that I don't want to spend the time figuring out what value I put on each account. With my password manager, I just crank everything up to strong and forget about it.

So I'd recommend a password manager to the average user, because it is the easiest way to get them to use strong passwords.


Others have pointed out the benefits for security, I'll just focus on the convenience and inconvenience.

If you use your password manager for everything like I do, save for places where the manager is inaccessible, you become conditioned to use its convenience.

Different sites have different policies, and so it isn't even possible to leave the door unlocked sometimes; you have to capitalize the first letter, or whatever quick derivation of your use-everywhere password.

There are plenty of times where I couldn't remember if I had used the wrong password or if I needed to capitalize something or if I was using the wrong username or email.

The better password managers remember this stuff for you even if you clear your browser cache. This has the added security benefit of defeating phishing attempts when you use the plugins that register your credentials to a domain, like LastPass does.

It isn't always as convenient as when using a desktop browser, however; LastPass for iPhone doesn't integrate with Safari, but is itself a browser and can be used to copy the password to the clipboard.

To be fair, on the flip side, if you don't know what your passwords are and you don't have access to your manager, you aren't logging into anything.