Determining key factors that lead to the adoption of password managers

Raymond Maclean
Jacques Ophoff

This is the accepted version of a paper published in 2018 International Conference on Intelligent and Innovative Computing Applications, ICONIC 2018. The final, published version is available via DOI: 10.1109/ICONIC.2018.8601223

© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Determining key factors that lead to the adoption of
password managers
Raymond Maclean and Jacques Ophoff
Department of Information Systems
University of Cape Town
Cape Town, South Africa

Abstract— Passwords form part of our daily routine and even though there are alternative authentication mechanisms, such as biometrics, passwords stubbornly persist. Passwords have been around for the last few decades, but so have the various problems associated with users trying to create passwords that are strong and secure. Users are faced with a cognitive burden in managing passwords which often leads to poor password practices or users recycling passwords across various accounts. While there is no anticipated end to the use of passwords, scholars have identified that passwords need to be better supported – one such method is using a password manager. There is a wealth of technical research relating to password managers, which has led to drastic improvements and the maturing of the technology. However, there is little research on why people would choose to adopt password managers. To explore these factors, this research uses an adapted version of the Unified Theory of Acceptance and Use of Technology (UTAUT2) that includes trust as an additional construct. Using empirical data, the results of the study show that performance expectancy, habit, and trust are key factors in the intention to adopt a password manager.

Keywords—technology adoption, password manager, information security, trust, UTAUT2, PLS-SEM.

I. INTRODUCTION

Passwords are used daily by almost every person to access a multitude of accounts, systems and websites. Initially, people only had a few passwords to remember, but with the growth of technology, the sheer volume of accounts with corresponding passwords has increased to the point where keeping track of each password is a burden. With cyber-crime on the rise, the requirements for creating a secure password for each system further complicate the problem, especially as people are reusing or recycling passwords.

While there have been attempts to replace passwords and alternative authentication methods, passwords stubbornly persist. While there is no single solution to the problem, one recommendation is to better support the use of passwords. One such method is using password managers; while they have been around for quite some time and are recommended by security experts, there still seems to be little uptake in using a password manager. While there is research into the various types of password managers, proposals, security concerns and recommendations, there is very little research on why some people adopt password managers. This paper intends to determine the key factors; therefore this paper will not address any technical security concerns of the tools.

The remainder of this paper is organised as follows. First, the problem behind passwords will be presented; this section includes password security, defining password managers, outlining the various available types and related work in the field. Next, the theoretical framework is discussed; this includes the hypotheses and conceptual model. The following chapter will address the research methodology that was used. This is followed by a section on data analysis and a discussion of the results. Lastly, the conclusion summarises the research contributions.

II. BACKGROUND

In the following subsections, some context around passwords, password problems and an outline of password managers is presented.

A. Password paradigm

Passwords are an integral part of every person’s life; they are used daily to access a plethora of online services, systems, devices and computers. As these services have exponentially expanded over the last few decades, the number of login credentials and passwords that users need to recall has drastically increased. Although the death of passwords has been predicted by various key figures, security managers and corporate companies over the last two decades [1]–[4], passwords persist and will most likely remain for quite some time. The persistence of passwords has been acknowledged and, irrespective of the ongoing attempts to replace passwords and a worldwide longing to have them replaced, they remain part of our daily lives [5]. It has been argued that no single solution or “silver bullet” would be the answer to the problem, but rather that a “best-fit” solution would need to be adopted, as passwords would endure for the foreseeable future [5]. A recent report from Cybersecurity Ventures envisions that the “total universe of passwords will likely grow from approximately 90 billion today to 300 billion by 2020” [6, p. 2]. With an understanding of the password epitome, the next section will address password security.

B. Password security

Research into password security related problems dates back to 1979 [7]; this has allowed scholars to contribute a wealth of research in the field over the last few decades. Researchers conducted a systematic literature review that found there has not been a paradigm change in password management for over thirty-five years [8]. The security of passwords remains a significant problem with varying requirements for creating secure passwords, such as password length, alphanumeric characters, special characters and the use of passphrases.

Research into the “characteristics of over 6 million passwords” specifically looked into “password length, password composition, and password selection” [9, p. 130].


Further research into the composition of passwords set out by authentication designers indicated that passwords should not contain any username details, advising that they need to be several characters long and consist of uppercase, lowercase, digits and special characters [10]. Gray, Franqueira and Yu [11] found four factors that influenced the recollection of secure passwords, further adding to the dilemma of password security. The requirements for complex passwords and the need to recall passwords increase the cognitive demand on users to have secure passwords for each login. The quality of passwords is exceptionally lacking, with users often recycling passwords and struggling to recall their passwords [12]. More recent research found that people would re-use both complex and repeated passwords at a rate of “1.7” to “3.4” passwords across a spectrum of websites [13, p. 175]. Considering the password paradigm outlined in the previous section, and the challenges faced with password security, there is motivation “to better support the use of passwords” [5, p. 8], one method being the use of password managers.

C. Password managers defined

Password managers are “programs used to generate, encrypt, and store passwords for a client-side user” [14, p. 18]. Password managers make use of a master password to unlock a database of more complex passwords, decreasing the “cognitive burden” of users [15], [16]. It is accepted that “Password managers remove the effort from password management” [17, p. 1]. A password manager starts with the user and a master password. The master password unlocks the password manager system, allowing the user to access the secure database and functions of the password manager. Password managers add the benefit of only needing to recall a single secure master password, while the more complex or system generated passwords are stored securely. The password manager can then interact with the various login pages to either auto login or pass the account details to the required system.

D. Types of password managers

Password managers now encompass a comprehensive range of password manager schemes across a broad platform of devices, operating systems and technologies that cover client-side programs and mobile apps to cloud-based solutions. Password managers are available as open-source or closed-source packages. Three categories of password managers have been clarified: “desktop manager, online manager and portable manager” [18, p. 234], but there are some password managers that were provided by vendors of browsers, third parties and network-based “where passwords are backed up to the cloud and synced across the user’s devices” [19, p. 449]. There is a wide selection of password managers; some noteworthy mentions from previous research [14] include: Encryptr, Passbolt and LastPass for online and cloud-based password managers. For mobile devices, there is a broad selection of mobile apps such as 1Password, Dashlane, KeePassMobile, iCloud Keychain, LastPass, mSecure, OpenIntents Safe for Android, PadLock and Roboform2Go. Client-side password managers include HandyPassword, KeePass2, Padlock, Password Safe and RoboForm to name a few. There is also the availability of browser-based plugins: Password Maker, Password Multiplier and PwdHash. For script-based password managers, there is the option of Password Composer while Password Generator is considered a bookmarklet-based password manager.

E. Related work

Alkaldi and Renaud [20] researched the adoption and rejection of smartphone security tools in 2016; the tools included screen locking functionality, anti-malware applications and password managers, and they concluded that smartphone users were not using the available security tools. The authors wanted to “model security behaviours in order to understand adoption or rejection of these tools”; their adopted model showed “a number of important factors informing smartphone security intentions” but needed further work to “validate the model with Smartphone owners” [17, p. 142].

Later research then focused on the adoption and rejection of smartphone password managers using “reviews from application stores representing the opinions of users who chose to trial password managers” [17, p. 2]. Various factors that impacted adoption and rejection were found through an online survey with 352 respondents about “password manager use and exploring factors that encourage or discourage password manager adoption” [17, p. 3].

More recent research in 2017 investigated users’ considerations in the adoption of password managers through an online survey that encompassed 248 paid participants [21]. The newer research also focused on the examination of forty-five emotions felt by users when using password managers “since emotion has been identified by work in psychology and communications as influential in other risk-laden decision-making” [21, p. 1]. The results of the study found that “convenience” and “usefulness” were part of the main factors leading to the adoption of password managers while security concerns were cited by users that did not use the tool [21, p. 1]. The authors also noted that the “purpose of such tools is often misunderstood by both “users” and “non-users” [21, p. 15]. The analysis of the emotions indicated that users of password managers were “likely to feel secure, admiring and energetic, and less likely to feel suspicious when using their password manager to log into a website” [21, p. 15].

III. THEORETICAL FRAMEWORK

There is a broad variety of models and theories that cover individual acceptance of technology. The Unified Theory of Acceptance and Use of Technology (UTAUT) was created when researchers empirically compared eight user acceptance models in early 2003 [22]. “UTAUT has served as a baseline model and has been applied to the study of a variety of technologies in both organizational and non-organizational settings” [23, p. 158]. The model has key constructs that are linked to use behaviour. The original UTAUT model was further extended in 2012 to a second-generation model named UTAUT2 to address the consumer acceptance and use of Information Technology [23].

A revised UTAUT model based on “trust and acceptance of cloud computing” was used in which the author determined that “trust establishment was the main barriers to adopt cloud services and applications” [24, p. 133]. It can be argued that trust of cloud-based password managers would also influence the adoption of password managers. Trust was a clear underlying theme for participants in research
conducted by Alkaldi and Renaud [17]. Trust is supported by Karole, Saxena and Christin [18] who found that users need a certain level of trust in third-parties when using an online password manager, while users were more likely to trust portable password managers given that they are used on their own local devices which they had control over. In remote password storage “there is considerable trust in the third party since it holds all user passwords” [25, p. 320]. Trust of third-parties has been questioned, with the assumption that “the third-party cloud provider can be trusted” [26, p. 314], while more recent research conducted on the adoption of password managers by experts in computer security found that trust also seemed to be an issue [27].

The researcher proposes an adapted version of the UTAUT2 model with “Trust” as an additional construct with a direct impact on “Behavioural Intention”.

A. Hypotheses development and conceptual model

The research model will use an adapted version of the UTAUT2 model with the constructs that are outlined in the subsections below; for this study the various factors that moderate the relationship of each underlying construct will not be tested.

1) Performance Expectancy

Performance expectancy is “the degree to which an individual believes that using the system will help him or her to attain gains in job performance” [22, p. 447]. Performance expectancy affects behavioural intention.

• H1: Performance expectancy has a positive impact on the intention to adopt password managers.

2) Effort Expectancy

“Effort expectancy is defined as the degree of ease associated with the use of the system” [22]. Effort expectancy affects behavioural intention.

• H2: Effort expectancy has a positive effect on the intention to adopt password managers.

3) Social Influence

Social Influence is described as “the degree to which an individual perceives that important others believe he or she should use the new system” and the underlying construct has the “explicit or implicit notion that the individual's behavior is influenced by the way in which they believe others will view them as a result of having used the technology” [22, p. 451]. Social influence affects behavioural intention.

• H3: Social influence has a positive effect on the intention to adopt password managers.

4) Facilitating Conditions

“Facilitating conditions is the degree to which an individual believes that an organizational and technical infrastructure exists to support use of the system” [22, p. 453]. Facilitating conditions includes “aspects of the technological and/or organizational environment that are designed to remove barriers to use” [22, p. 453]. Facilitating conditions affects behavioural intention.

• H4: Facilitating conditions has a positive impact on the intention to adopt password managers.

5) Hedonic Motivation

Hedonic Motivation is defined as the “fun or pleasure derived from using a technology, and it has been shown to play an important role in determining technology acceptance and use” [23, p. 161]. It has a direct effect on behaviour intention.

• H5: Hedonic motivation has a positive impact on the intention to adopt password managers.

6) Price Value

Price Value can be described as the effect that “cost” and “pricing structure” influences the “consumers” use of technology where they comprehend the advantages against the cost of the technology [23, p. 161]. Price value affects behavioural intention.

• H6: Price value has a positive impact on the intention to adopt password managers.

7) Habit

“Habit has been defined as the extent to which people tend to perform behaviors automatically because of learning” [23, p. 162]. Habit affects behavioural intention.

• H7: Habit has a positive impact on the intention to adopt password managers.

8) Trust

Trust is defined as “the belief that you can trust someone or something” and that there is a perceived level that “something is safe and reliable” [28]. Trust was proposed as an additional construct in an extended UTAUT model where it was observed that it had a direct effect on behaviour intention and that “trust establishment was the main barriers to adopt cloud services and applications” [24, p. 133].

• H8: Trust has a positive impact on the intention to adopt password managers.

Based on the above discussion the conceptual research model predicts several factors which influence the adoption of password managers.

IV. METHODOLOGY

Given the limited time constraint for the honours research project and the rate at which technology trends change, the timeframe of this research project will be cross-sectional; it will review data on password manager adoption factors using existing literature, along with an online survey to gather data from respondents on their adoption factors as it currently exists.

The target audience consisted of random participants in various fields in technology or IT companies; the main set of respondents predominantly consisted of a large set of students, along with a small subset of staff at a large South African university. Due to the risk of the possible low usage of password managers, the questionnaire also targeted non-users by gathering information about their perceived opinion on password managers and its anticipated use.

The questionnaire consisted of 31 questions that would take approximately five to ten minutes to complete. To ensure research validity and reliability, the wording for each question was based on the UTAUT/UTAUT2 questions [22], [23] and the work on the extended UTAUT model with the trust construct [24]. The questions were measured using a 7-point Likert scale. Demographic questions were then asked, followed by questions on account usage and online behaviour based on the work of Fagan, Albayram, Khan and Buck [21]. The survey was published online using the Qualtrics platform. The questions were checked, and a dry run was conducted to check for any errors. The survey link was distributed through official mailing lists within the university, while external participants were emailed and asked to distribute the link to the survey.

V. DATA ANALYSIS AND RESULTS

A total of 265 responses were recorded in Qualtrics over a two-week period; 3 participants were under the age of 18 and had to be removed from the survey. 71 participants did not complete the survey, and the incomplete responses were removed from the dataset, leaving a total of 191 responses with data that was used for analysis.

A. Demographic information

The demographic information provided by the 191 participants that completed the survey included gender, age, level of education and level of computer proficiency. Most of the responses (52.88%) were male, closely followed by female respondents (43.46%), while 3.65% of participants preferred not to answer. Most of the participants (53.40%) are between the age of 18 to 25 years old, the second highest respondents (26.70%) were between 35 to 54 years old while there was a small group (18.32%) between the age of 26 to 34. Only 1.57% of participants were between 55 to 65 years, and there were no participants over the age of 65.

Most participants are very well educated with no participants having less than high school education; 32.46% had a 4-year college degree, while 26.53% of the participants had some college diploma. 23.56% of the participants followed closely with high school / General Educational Development (GED) while the remainder of respondents (10.99%) had a master’s degree, 7.33% indicated a 2-year college degree, while 3.14% had a doctoral degree; only one respondent (0.52%) held a professional or medical degree.

Most of the participants (38.74%) are highly proficient in the use of computers with 27.75% being very highly skilled and 23.56% being above average. Only 9.42% of participants considered themselves as average users, and one respondent (0.52%) was recorded as being below average. A summary of the demographic information is provided in Table 1.

Table 1. Demographic data

Demographic                     Metric                                    Percentage   Count
Gender                          Male                                      52.88%       101
                                Female                                    43.46%       83
                                Prefer not to answer                      3.66%        7
Age                             18-25 years old                           53.40%       102
                                26-34 years old                           18.32%       35
                                35-54 years old                           26.70%       51
                                55-65 years old                           1.57%        3
                                65 years or older                         0.00%        0
Level of education              Less than High School                     0.00%        0
                                High School / GED                         23.56%       45
                                Some College                              21.99%       42
                                2-year College Degree                     7.33%        14
                                4-year College Degree                     32.46%       62
                                Master’s Degree                           10.99%       21
                                Doctoral Degree                           3.14%        6
                                Professional / Medical Degree (JD, MD)    0.52%        1
Level of computer proficiency   Very Low                                  0.00%        0
                                Low                                       0.00%        0
                                Below average                             0.52%        1
                                Average                                   9.42%        18
                                Above average                             23.56%       45
                                High                                      38.74%       74
                                Very high                                 27.75%       53

B. Accounts and online behaviour

Most participants spend a considerable amount of time online. 98.43% are online more than five times a week, 1.05% went online about four to five times a week, while only one respondent (0.52%) went online two to three times a week.

The participants were asked if they were ever aware of having an account hacked or compromised. 29.84% of the responses indicated that they were aware of an account being compromised, while 54.97% were not aware of being compromised or hacked and 15.18% were unsure. There is a probability that some participants may not be willing to admit that their accounts were compromised and opted not to answer truthfully.

The number of accounts for internet website or services was grouped into six categories. Most participants either have ten to twenty or fewer accounts (58.64%) while 12.04% had five or fewer accounts. 16.23% of participants have fifty or fewer accounts while only 24 respondents (12.57%) had more than fifty accounts. One respondent (0.52%) indicated that they had no accounts; this may be an error in the response, or a misunderstanding of the question, given that the survey was sent out via email to all participants, indicating that they should at least have access to one account.

For the account usage of participants, on an average week, 41.36% used five or fewer accounts, while 36.65% used ten and 17.80% of participants used twenty or fewer accounts per week. There was an extremely low number of respondents (2.62%) who used fifty or fewer accounts per week. Only one participant (0.52%) used the accounts more than fifty times a week while, in contrast, two participants (1.05%) used none of the accounts.

The survey showed that many of the participants did not have unique passwords or sometimes re-used the same password. 40.84% of the participants had several unique passwords, but sometimes reused the same password, 39.79% had few unique passwords and did not vary them across accounts while only 12 respondents (6.28%) had fifty or fewer unique passwords. Only 10.47% had a unique password for each account, and 2.62% of participants had one password that they used across each account. Password complexity is not considered, hence even though only 20 respondents used a different password for each account, they may still be low entropy passwords and easy to guess.

C. Data analysis tool

The researcher is using Partial Least Squares Structural Equation Modelling (PLS-SEM) for the research model. Partial Least Squares (PLS) is an alternative analysis method for Structural Equation Modelling (SEM) that is “particularly suited to situations in which constructs are measured by a
very large number of indicators and where maximum likelihood covariance-based SEM tools reach their limit” [29, p. 283]. PLS-SEM is an algorithm that is often used in Information System (IS) research for measuring the relationship of constructs in model-based research using latent variables [30]. The researcher used a tool named SmartPLS (version 3.2.7) for the data analysis. SmartPLS is frequently used in model-based research to “estimate the path coefficients, which calculates the strength of the relationships between independent and dependent variables” [31, p. 62]. “Model estimation delivers empirical measures of the relationships between the indicators and the constructs (measurement models), as well as between the constructs (structural model)” [32, p. 131].

D. Model analysis

The data was imported into SmartPLS and the latent variables Performance Expectancy (PE), Effort Expectancy (EE), Social Influence (SI), Facilitating Conditions (FC), Hedonic Motivation (HM), Price Value (PV), Habit (H), Trust (T) and Behavioural Intention (BI) were added to the model. Before proceeding with the analysis of the results, the algorithm must be checked for convergence. The PLS algorithm was calculated using a maximum of three hundred iterations; the stop criterion changes were assessed in the interim results and showed that the algorithm converged in five iterations, well below the set threshold.

The calculation of the PLS algorithm for the initial model included the path coefficients for the inner model and the outer weights/loadings for the outer model; the results show that most of the outer loadings are above the required threshold of 0.7 [32]. The outer loadings of the three indicators were below the 0.7 threshold and subsequently removed before further analysis. Indicators should only be detached if the values of Composite Reliability and Average Variance Extracted (AVE) are amplified [32]. The indicators were removed, and the PLS algorithm was recalculated; the removal of one indicator increased the AVE of FC from 0.541 to 0.693, while the removal of the other two indicators increased the AVE of PV from 0.477 to 0.809. The three indicators were left out of the model for further reliability and validity testing.

Composite Reliability (CR) is used in SEM-PLS to measure the internal consistency reliability. Hair Jr et al [32] indicate that “this measure of reliability takes into account the different outer loadings of the indicator variables”; the authors further advise that “reliability varies between 0 and 1” and that higher values will show “higher levels of reliability” [32, p. 136]. Values of 0.60 to 0.70 are tolerable, while values below 0.60 show “a lack of internal consistency reliability” [32, p. 137]. The CR for the model shows that all constructs pass the composite reliability check with values well above the 0.7 threshold.

Convergent Validity (CV) is defined as “the closeness with which a measure relates to (or converges on) the construct that it is purported to measure” [33, p. 59]. One method of establishing the closeness of the measurements on the construct is using the AVE [32]. An AVE value of 0.50 or higher is desirable as it would typically allow the construct to explain “more than half of the variance of its indicator”, while values less than 0.50 would likely indicate that “more variance remains in the error of the items than in the variance explained by the construct” [32, p. 138]. The AVE extracted for the model shows that all constructs are above the 0.50 threshold.

Discriminant Validity (DV) is defined as “the degree to which the measures of different constructs differ from one another” [30, p. 19]. DV is often measured together with CV if constructs are linked [33]. DV can be measured using cross-loadings to check the correlation of the indicators’ outer loadings or using the Fornell-Larcker criterion that compares “the square root of the AVE values with the latent variable correlations” [32, p. 139]. The performance of both methods was recently studied and found not to be entirely dependable in detecting problems with discriminant validity; as an alternative, the Heterotrait-Monotrait ratio (HTMT) was nominated as a more accurate technique [32].

An HTMT report was generated for the model. A correlation close to 1 indicates a lack of DV; the acceptable threshold values for HTMT are 0.90 or, if “constructs in the path model are conceptually more distinct”, a more “conservative threshold value of 0.85” is proposed [32, p. 141]. H and BI loads at 0.877, below the threshold of 0.90, but very close; this could indicate a possible lack of discriminant validity. To truly assess the loading, the confidence interval of the HTMT can be obtained through a procedure known as bootstrapping. A bootstrap calculation was run on the model; the results of the calculation show the path coefficient for H and BI returning a value of 0.608 with a 97.50% level of confidence, indicating that the two constructs are empirically distant.

E. Hypothesis testing

The p-value is an indicator used by scholars to evaluate significance levels; it designates the likelihood of “erroneously rejecting a true null hypothesis” [32, p. 206]. If a researcher is accepting a significance level of 5%, the desired p-value must be lower than a value of 0.05 for the relationship to be regarded as significant at a 5% level, while for more rigorous research scholars adopt a significance level of 1% which then requires a p-value of less than 0.01 to designate that the relationship is important [32]. The model was tested with a complete bootstrapping calculation using 5000 samples [32] to test the hypotheses. The results indicate that there are three hypotheses that are significant at a level of 1%, namely H1, H7 and H8, whereas the other hypotheses such as H2, H3, H4, H5 and H6 are not supported. Table 2 provides an overview of the findings.

Table 2. Overview of findings.

Hypothesis     Path Coefficient   t-Value   p-Value   Significance level   Outcome
H1 PE -> BI    0.326              5.430     0.000     p < .001             Supported
H2 EE -> BI    -0.019             0.354     0.723     -                    Not supported
H3 SI -> BI    0.009              0.202     0.840     -                    Not supported
H4 FC -> BI    -0.021             0.428     0.668     -                    Not supported
H5 HM -> BI    -0.042             0.883     0.377     -                    Not supported
H6 PV -> BI    0.056              1.271     0.204     -                    Not supported
H7 H -> BI     0.517              10.409    0.000     p < .001             Supported
H8 T -> BI     0.162              3.736     0.000     p < .001             Supported

F. Summary of findings

The most substantial result of the significance test was that “Performance Expectancy”, “Habit” and “Trust” have a positive impact on “Behavioural Intention” and the adoption of password managers. Trust strongly supports the additional construct that was proposed in the revised UTAUT model
[24] in section III. The significance test also indicated that “Effort Expectancy”, “Social Influence”, “Facilitating Conditions”, “Hedonic Motivation” and “Price Value” were not regarded as having a positive relationship on “Behavioural Intention” as originally theorised.

VI. DISCUSSION

Based on the results of this study, three key factors that lead to the adoption of password managers were significantly supported.

A. Performance Expectancy

The participants in this study had a strong link to performance expectancy; finding password managers useful in their daily life while allowing them to accomplish things more quickly. Surprisingly, the use of password managers also increased the productivity amongst the participants. Convenience and usefulness were also identified in a study of users’ consideration of password manager use [21]. Performance expectancy is a positive factor in the adoption of password managers.

B. Effort Expectancy

Participants in the study had a clear and understandable interaction with password managers. The data indicated that most of the participants found password managers easy to use or at least, easy to learn how to make use of password managers and become skillful in their intended use. Ease of use, learning and interaction do not seem to be a factor of password manager adoption, most likely since most users of password managers are very computer literate, well-educated and spend a considerable amount of time online.

C. Social Influence

Social influence seems to not play a role in the adoption factors; participants did not consider people that are important to them to influence their behaviour to start using password managers. Only a handful of participants would prefer to use password managers based on the value that they placed in the opinion of people that mattered to them; this was very closely offset by participants that somewhat to strongly disagreed. This shows that peers affecting the social influence of people are not a major driver in this study for the adoption of password managers.

D. Facilitating Conditions

Participants had the necessary resources and knowledge to use password managers; almost all of the respondents indicated that password managers are compatible with the other technologies that they use. There is also a strong indication that they can get help from others if difficulties arise when using password managers. It seems that users do not need any organisational or technical infrastructure to support the use of password managers.

E. Hedonic Motivation

Most of the participants were neutral when asked if they found password managers entertaining, fun or enjoyable. A small number somewhat agreed that password managers were fun, but more participants disagreed, while a higher number disagreed on the entertainment factor. Fun or pleasure in using password managers is not a strong factor in the adoption of the technology.

F. Price Value

The use of free password managers was very favourable amongst the participants; most people did not wish to pay for a password manager; if asked whether they were reasonably priced, most respondents were impartial. More participants, however, felt that password managers were good value for money and at the current price they offered good value. Given that there are many free and open source password managers, the cost and pricing do not seem to affect the adoption of password managers.

G. Habit

While there was a close correlation of the use of password managers becoming a habit for participants, more strongly disagreed. Many felt that they were not addicted to password managers and did not have to use them. The habit of using password managers to generate and store more secure passwords for sensitive accounts was more predominant with expert users [27]. The results of indicate that habit influences the use of password managers and that with more frequent use, habit will automatically become a part of using password managers.

H. Trust

Trust is a strong indicator with most of the participants; they felt that password managers are trustworthy and that they would adopt password managers if good encryption practices were used, especially with regular and secure backups of the password database. The option of an auditing system or environment also had a very positive impact, along with the good reputation of the password manager. The establishment of trust has a positive impact on the adoption of password managers [21].

Performance expectancy, habit and trust influence the use and adoption of password managers. Most participants indicated their intention to continue using password managers into the future and always try to use the technology daily on a more frequent basis.

VII. CONCLUSION

While there is a wealth of knowledge and prior research on password managers regarding prior shortcomings, various exploits and vulnerabilities, many of the research outcomes have provided insight into improvements and techniques to safeguard the underlying encrypted databases and systems. Research has shown that irrespective of the drive to replace passwords with other authentication methods, passwords stubbornly remain a part of daily life. The password paradigm shows no signs of slowing down, with the number of user accounts and passwords growing exponentially. Literature has indicated that users persist in using poor password practices and that the cognitive load placed on users to create secure passwords for each account led to recycling passwords across accounts.

Password managers have evolved since they were first conceptualised and matured to a point where they are very well suited to allow users to better support the use of passwords, yet little research has been conducted in the field on the adoption of password managers. This study examined
the key factors that lead to the adoption of password managers and used an adapted UTAUT2 model as the theoretical framework. While suited to predict the factors that lead to the adoption and use of technology, the results of the model seem to indicate that only three key constructs had a positive effect on the behavioural intention for adopting password managers.

Performance expectancy was identified as having a positive effect on password manager adoption with data showing a perception that password managers were beneficial and improved efficiency. A second factor was habit and that the continual use of password managers will lead to enforcing the habit of creating more secure and unique passwords for each sensitive account. Trust, linked closely to reputation, was the third and major factor that influenced the intention to adopt password managers, especially if the password manager has good encryption with regular and secure backup options.

ACKNOWLEDGMENT

This work is based on the research supported wholly / in part by the National Research Foundation of South Africa (Grant Numbers 114838).

REFERENCES

[1] M. Kotadia, “Gates predicts death of the password,” Security, 2004. [Online]. Available: https://www.cnet.com/news/gates-predicts-death-of-the-password/.
[2] IBM, “IBM News room - 2011-12-19 IBM Reveals five innovations that will change our lives within five years - United States,” 2011. [Online]. Available: https://www-03.ibm.com/press/us/en/pressrelease/36290.wss. [Accessed: 17-Mar-2018].
[3] D. Terdiman, “Google security exec: ‘Passwords are dead,’” Security, 2013. [Online]. Available: https://www.cnet.com/news/google-security-exec-passwords-are-dead/.
[4] S. St Louis, “From security to cloud to AI and IoT: Visionaries from Citrix offer predictions for 2018 | Citrix Blogs,” 2017. [Online]. Available: https://www.citrix.com/blogs/2017/11/09/from-security-to-cloud-to-ai-and-iot-visionaries-from-citrix-offer-predictions-for-2018/. [Accessed: 17-Mar-2018].
[5] C. Herley and P. Van Oorschot, “A research agenda acknowledging the persistence of passwords,” IEEE Secur. Priv., vol. 10, no. 1, pp. 28–36, 2012.
[6] S. Morgan and J. Carson, “The world will need to protect 300 billion passwords by 2020,” 2017.
[7] R. Morris and K. Thompson, “Password security: a case history,” Commun. ACM, vol. 22, no. 11, pp. 594–597, Nov. 1979.
[8] V. Taneski, M. Hericko, and B. Brumen, “Password security - No change in 35 years?,” in 2014 37th International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2014 - Proceedings, 2014, pp. 1360–1365.
[9] C. Shen, T. Yu, H. Xu, G. Yang, and X. Guan, “User practice in password security: An empirical study of real-life passwords in the wild,” Comput. Secur., vol. 61, pp. 130–141, 2016.
[10] A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, “The tangled web of password reuse,” in Proceedings of 2014 Network and Distributed System Security Symposium, 2014.
[11] J. Gray, V. N. L. Franqueira, and Y. Yu, “Forensically-sound analysis of security risks of using local password managers,” in 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW), 2016, vol. 5, pp. 114–121.
[12] D. Florencio and C. Herley, “A large-scale study of web password habits,” in Proceedings of the 16th international conference on World Wide Web - WWW ’07, 2007, p. 657.
[13] R. Wash, E. Rader, R. Berman, and Z. Wellmer, “Understanding password choices : How frequently entered passwords are re-used across websites,” Proc. Twelfth Symp. Usable Priv. Secur. (SOUPS 2016), no. Soups, pp. 175–188, 2016.
[14] C. Luevanos, J. Elizarraras, K. Hirschi, and J. Yeh, “Analysis on the security and use of password managers,” in 2017 18th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT), 2017, pp. 17–24.
[15] Z. Li, W. He, D. Akhawe, and D. Song, “The emperor’s new password manager: security analysis of web-based password managers,” 23rd USENIX Secur. Symp. (USENIX Secur. 14), pp. 465–479, 2014.
[16] L. Zhang-Kennedy, S. Chiasson, and P. Van Oorschot, “Revisiting password rules: Facilitating human management of passwords,” in eCrime Researchers Summit, eCrime, 2016, vol. 2016–June, pp. 81–90.
[17] N. Alkaldi and K. Renaud, “Why do people adopt, or reject, smartphone password managers?,” Eur. Work. Usable Secur., p. 15, 2016.
[18] A. Karole, N. Saxena, and N. Christin, “A comparative usability evaluation of traditional password managers,” Int. Conf. Inf. Secur. Cryptol., vol. ICISC 2010, pp. 233–251, 2010.
[19] D. Silver, S. Jana, D. Boneh, E. Chen, and C. Jackson, “Password managers: Attacks and defenses,” in Proceedings of the 23rd USENIX Security Symposium, 2014, pp. 449–464.
[20] N. Alkaldi and K. Renaud, “Why do people adopt, or reject, smartphone security tools?,” Proc. Tenth Int. Symp. Hum. Asp. Inf. Secur. Assur. (HAISA 2016), no. Haisa, pp. 135–144, 2016.
[21] M. Fagan, Y. Albayram, M. M. H. Khan, and R. Buck, “An investigation into users’ considerations towards using password managers,” Human-centric Comput. Inf. Sci., vol. 7, no. 1, pp. 1–20, 2017.
[22] V. Venkatesh, M. G. Morris, G. B. Davis, F. D. Davis, R. H. Smith, and S. M. Walton, “User acceptance of information technology: toward a unified view,” MIS Q., vol. 27, no. 3, pp. 425–478, 2003.
[23] V. Venkatesh, J. Y. L. Thong, and X. Xu, “Consumer acceptance and use of information technology: Extending the unified theory of acceptance and use of technology,” MIS Q., vol. 36, no. 1, pp. 157–178, 2012.
[24] S. T. Alharbi, “Trust and acceptance of cloud computing: A revised UTAUT model,” in Proceedings - 2014 International Conference on Computational Science and Computational Intelligence, CSCI 2014, 2014, vol. 2, pp. 131–134.
[25] H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh, “Kamouflage: Loss-resistant password management,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2010, vol. 6345 LNCS, pp. 286–302.
[26] L. Wang, Y. Li, and K. Sun, “Amnesia: A bilateral generative password manager,” in 2016 IEEE 36th International Conference on Distributed Computing Systems, 2016, vol. 2016–Augus, pp. 313–322.
[27] E. Stobert and R. Biddle, “Expert password management,” in Lecture Notes in Computer Science, 2016, vol. 9551, pp. 3–20.
[28] Cambridge Dictionary, “Meaning of trust in the Cambridge english dictionary,” 2018. [Online]. Available: https://dictionary.cambridge.org/dictionary/english/trust. [Accessed: 26-Apr-2018].
[29] M. Haenlein and A. M. Kaplan, “A beginner’s guide to partial least squares analysis,” Underst. Stat., vol. 3, no. 4, pp. 283–297, 2004.
[30] N. Urbach and F. Ahlemann, “Structural equation modeling in information systems research using partial least square least squares,” Inf. Syst. Res., vol. 11, no. 2, pp. 5–40, 2010.
[31] R. Crossler and F. Bélanger, “An extended perspective on individual security behaviors,” ACM SIGMIS Database, vol. 45, no. 4, pp. 51–71, Nov. 2014.
[32] J. F. Hair Jr, G. T. M. Hult, C. M. Ringle, and M. Sarstedt, A primer on partial least squares structural equation modeling (PLS-SEM). 2017.
[33] A. Bhattacherjee, Social science research: Principles, methods, and practices. Scholar Commons, 2012.
