
Password Managers Are Too Difficult

Justin O'Boyle
Student, software developer and infosec enthusiast.
Originally published at blog.justinoboyle.com ・ 2 min read

Password managers have done wonders for users by creating a single password to secure all of their passwords, preventing a data breach from unlocking every one of their accounts.

The original problem

People re-use passwords, and the passwords they reuse are generally awful. According to Sophos, 55% of users re-use passwords!

The solution to the original problem

With something like 1Password or LastPass, a master password is created and the user simply has to remember one password (get it?) to access all of their passwords. And then, the password manager can generate random passwords for you, so you don't have to think about it.

Simple, right?

The problem with password managers as they stand

They're still too difficult. Think about how it works right now:

  1. The user has to know about password managers and how to use them.
  2. The user has to buy a password manager and install it on all of their devices.

After they have it installed and want to sign up for a site, the user must:

  1. Click Register
  2. Fill in whatever personal information AutoFill didn't fill in (AutoFill is pretty hit or miss)
  3. Remember to not just fill in their usual password
  4. Remember to click on the password manager
  5. Enter their password / authenticate (biometric)
  6. Fill out the rest of the web form
  7. Answer the confusing "save your password?" dialog boxes from both the browser and the password manager

Why is this so complicated? Why don't we have a workflow like this?

  1. Click Register/Login
  2. Authenticate with fingerprint or password
  3. Check the boxes with what they wish to share with the site

Congrats, you never have to log in again. Oh, and with a little bit of work with Authy, it could automatically set up 2FA as well.

This is so doable. A push from Google through Chrome or the like would most likely get websites up to speed on this. It would also mean we no longer have to worry about clickjacking the password box or other weird stuff like that. And users will be more tempted to use their password manager because it's just so much easier.

Mockup

What tech blog post would be complete without a mockup?

I hope we can get to something like this soon. Until password managers are easier to use than typical passwords, "password" and "hunter2" will still be extremely common and reused.

Discussion (5)

Galdin Raphael

The first time setup sure is a pain because you need to add every single site to it, but after that it's pretty smooth.

Think: How often does one register on a service vs How often does one login?

I think the only reason people don't use password managers is the initial setup. But once you manage to convince someone to do it, they never want to go back.

Ben Sinclair

You're stretching the difficulty by adding things like "has to buy a password manager" to make it seem like a bigger hurdle.

Justin O'Boyle (Author)

But most users don't care about a password manager, much less paying for one.

Thomas Pigarelli

You are describing OAuth and the likes.

Bob van Hoove

Well that shows it's a pretty good observation ;)

How nice would it be if you could just use identity providers for the majority of sites (eg. register / login with twitter or facebook).

My major annoyance is sites asking for your data in return for access via the provider, e.g. access to your list of contacts.

Just like some people don't mind paying for a password manager, I wouldn't mind paying for an identity provider that has no data to sell.