
Password Managers Are Too Difficult

Password managers have done wonders for users by creating a single password to secure all of their passwords, preventing a data breach from unlocking every one of their accounts.

The original problem

People reuse passwords, and the passwords they reuse are generally awful. According to Sophos, 55% of users reuse passwords!

The solution to the original problem

With something like 1Password or LastPass, a master password is created and the user simply has to remember one password (get it?) to access all of their passwords. And then, the password manager can generate random passwords for you, so you don't have to think about it.

Image: 1Password generating a secure password

Simple, right?

The problem with password managers as they stand

They're still too difficult.
Think about how it works right now:

  1. The user has to know about password managers and how to use them.
  2. The user has to buy a password manager and install it on all of their devices.

After they have it installed and want to sign up for a site, the user must:

  1. Click Register.
  2. Fill in whatever personal information AutoFill did not fill in (which is pretty hit or miss).
  3. Remember not to just type in their usual password.
  4. Remember to click on the password manager.
  5. Enter their master password or authenticate (biometric).
  6. Fill out the rest of the web form.
  7. Answer the confusing "save your password?" dialog boxes from both the browser and the password manager.

Why is this so complicated? Why don't we have a workflow like this instead?

  1. Click Register/Login.
  2. Authenticate with fingerprint or password.
  3. Check the boxes for what they wish to share with the site.

Congrats, you never have to log in again. Oh, and with a little bit of work with Authy it could automatically set up 2FA as well.

This is so doable. A push from Google through Chrome or the like would most likely get websites up to speed on this. Also, then we don't have to worry about clickjacking the password box or other weird stuff like that. And users will be more tempted to use their password manager because it's just so much easier.

Mockup

What tech blog post would be complete without a mockup?
Image: mockup password manager asking user for permissions

I hope we can get to something like this soon. Until password managers are easier to use than typical passwords, "password" and "hunter2" will still be extremely common and reused.