Browser & OS password managers encourage poor password habits

On the surface, built-in password managers like Chrome's password management or Apple's Keychain provide a useful service. They make it more convenient for users to create a different password for each service, and they make it easier to stop repeating insecure passwords over and over.

Yet, despite whatever convenience these password "managers" offer, from my observations of family, team members, and others, these built-in password managers do not improve the password behaviour of average users.

It would appear that this is mainly because these password managers are not really intended to "manage" passwords; they are actually intended to reduce friction for average users. They attempt to remove the need for users to type in passwords at all.

It is much less about password hygiene and much more about convenience.

Convenience is core to any solution: if there are too many steps or sticking points, the behaviour will be abandoned for a more convenient alternative. There have been countless systems I've created over the years for myself that simply did not stick because the convenience factor was too low. It is a vital part of any system: the reward must outweigh the work.

Convenience is what these two services do very well.

Google Passwords and Apple Keychain are also very similar in that, to the average user, they appear to magically retain a password and then supply it when it is needed. The storing of the password, the ability to view what it is, and the ability to edit and update passwords are all out of sight and out of mind. This is part of the design, but it is also part of the problem.

There is a line between magical convenience and the user's understanding of what is happening, and it needs to be straddled carefully, particularly for things like this.

Part of the problem is that both Google and Apple have very little incentive to help users understand what is happening with their passwords: as long as users continue to use their services, those users shouldn't need the ability to "manage" passwords. Just keep using your Chrome browser or Apple device and you'll be able to magically log in to every account you've used in the past.

Convenient, but terrible for password management and security.

When it comes to password management, it cannot and should not be up to the user to educate themselves; that simply is not a realistic expectation. The password products themselves need to do a better job of making it clear what is happening.

Password managers like 1Password, which I personally use, do a very good job at this. But the difficulty for these applications is that they are competing against Google Passwords and Apple Keychain, and users have become conditioned to an unhealthy amount of magic and convenience. Google's and Apple's lack of concern for good password hygiene makes it easy for bad habits to continue. So why would the average user (they should, of course, but why would they) switch to 1Password when they can continue with the frictionless login system they currently use?

This seems to be the bleak reality behind password management. Unless a company requires its employees to use a password manager, the average user is not inclined to take on the added friction of a proper dedicated password manager. Google and Apple could help by building better UIs, but that is unlikely anytime soon, since their primary goal is to make the login process as convenient as possible for their users. It seems that passwordless authentication may just be the solution we're waiting for.
