How to Increase Adoption and Use of Password Managers
by Omar Ganai and Steven M. Ledbetter
On March 19, 2016, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.
The email, however, wasn’t from Google. The message came from a group of hackers that security researchers — as well as the US government — believe were spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account. — Vice
Massive phishing scams, data breaches, and identify theft are in the news and people are understandably worried. It’s not just government employees who are vulnerable, but all of us. 64% of Americans have personally experienced a major data breach (Olmstead & Smith, 2017a). Yet this is a global problem. In 2015, there were 2 billion Internet users, and cybercrime cost the world 3 trillion dollars. By 2021, there will be 6 billion Internet users, and the cost of cybercrime is expected to rise to 6 trillion dollars per year (Cybersecurity Ventures, 2017).
A Behavior Problem
And information security researchers agree: any attempts to secure ourselves will necessarily center on designing for human motivation and decision-making. Security experts have even started a field called “Behavioral Information Security,” in response to the observation that too many proposed solutions rely on technical fixes instead of supporting behavior change (Crossler, Johnston, Lowry, Hu, Warkentin, & Baskerville, 2013). In short, people, places, and things are becoming connected to the Internet much faster than our ability to secure them.
And these security problems plaguing the Internet are not a Computer Science problem. They’re a Behavioral Science problem.
Take password managers for example. Password managers are an elegant, technical, free solution to one of the most prevalent problems in security: shitty passwords. In America, 41% of online adults share their passwords, 39% say they use the same passwords for many of their online accounts, and 25% admit they use simpler passwords because they are easier to remember (Olmstead & Smith, 2017b). Password managers solve all these problems, but people still have to 1) learn what they are 2) get them 3) use them. These are behavioral barriers to applying a technical solution. And only 12% of Americans use a password manager (Olmstead & Smith, 2017b).
For the 88% of reading this who don’t use one, a password manager is a magical elf who generates and remembers all your passwords so you only have to remember one — the password for the password manager/magical elf. The benefit of this from a security perspective is that password managers can create brand new, really long, completely random passwords for every login, which make breaking into your accounts via password cracking nearly impossible. And you don’t have to ever remember them or even type them in. The magical elf copy and pastes the passwords into apps and websites for you.
Scare Tactics Don’t Work
The default approach that most people use to persuade others into changing their behavior is appealing to fear. But scaring people into change doesn’t work in most situations. Let’s take an example from health psychology. Many people assume that shocking smokers with horrible images of disease on cigarette packaging will persuade smokers to stop buy cigarettes. Yet scaring people into change only works in those rare situations where people feel like their behavior is under their control, and when they have the skills needed to change that behavior (Kok, Peters, Kessels, ten Hoor, Ruiter, 2018). For the rest of us mortals to feel motivated to change our behavior, we need meaningful positive feedback that supports our sense of competence (Finkelstein & Fishbach, 2011).
Most people still don’t know basic information on how to secure themselves online, so the fear approach won’t work in the security domain either (Olmstead & Smith, 2017a). What’s needed instead are products that educate and motivate people with simple rules of thumb that they can do easily and freely.
Designing a Motivational Behavior Change Journey
For this exercise, Habitry looked at the research on the adoption of password managers, interviewed people who had either recently decided to start using a password manager, or had heard of a password manager but had yet to get one.
At Habitry, we think of designing for behavior change in 3 steps:
Identify target behaviors the people you want to help, want to do.
Identify barriers in the way of these people doing those behaviors.
Identify behavior change techniques that help them get past those barriers.
As Dustin DiTommaso likes to say, “there is almost never a situation when motivation is not a driver of behavior change”. So let’s talk about that.
Motivation is not something you can “add” to people, like a software update. Motivation is internal and comes out when we sense we are in the right conditions for it. So instead of trying to “add” motivation, it’s easier to think of yourself as a great host. People will assent to your recommendations after they feel they can trust you. To gain their trust, you have to relate to their experience from the lens of their personal goals and values. To make data breaches personally relevant to them, you have to stop scaring and start relating.
Relating well with people requires the satisfaction of three Basic Psychological Needs (Deci & Ryan, 2014):
Competence, the feeling you get after attaining a difficult goal. You feel effective; that you can do things well. The opposite of competence is feeling ineffective and impotent.
Autonomy, the feeling you get when you act with a sense of choice, initiative, volition, and meaning. It’s the need to experience our actions as our own. The opposite of autonomy is feeling coerced and manipulated.
Relatedness, the feeling you get when you feel understood and liked by people you care about. The opposite of relatedness is feeling misunderstood or disconnected.
Below, we share some tactics for how you can support adoption of password managers throughout the entire behavior change journey, by supporting the satisfaction of autonomy, competence, and relatedness.
The Mantra: Don’t make them feel stupid, manipulated, or misunderstood. Satisfy competence, autonomy, and relatedness.
Phase 1: Build Trust
Their situation: A person starts searching for a password manager.
Their desired outcome: They want to fix their password problem.
Your desired outcome: You want them to use your password manager.
Your challenge: They don’t trust you.
What would get someone to start searching for a password manager? Given that only 12% of Americans use a password manager, you might think people decide to not use a password manager. But it’s more accurate to say that for most people, the thought of downloading a password manager doesn’t ever cross their mind. About 60% of our behavior is habitual; we have daily routines that we rarely stray from. And when we do decide to act, often it’s based on a gut feeling that something is urgent to do, rather than a cost-benefit calculation.
Imagine what kind of situation would motivate a person to start searching for a password manager. Most of our interviewees found themselves in a situation where one of their online accounts was compromised, and the service sent them an email about it. Others started searching because their InfoSec expert friends told them to.
Now imagine you’ve landed on a website for one of the popular password managers. This was a critical point in the journey of our interviewees to find a solution. It’s a moment tinged with anxiety — “I need to fix my password problem.” There are also traces of hope — “and I really hope this thing can fix my password problem.” In the next few milliseconds, with little conscious reflection, they’ll feel trust or the lack of it. A gut feeling based on some simple cues rather than a cost-benefit analysis. Your job is to facilitate their trust by displaying cues that communicate you understand their situation.
Tactic: Communicate you like them.
Build rapport by relating to their situation. We trust people that understand us. One way you can convey this is through images and text that show there are other people just like them using your solution. Convey you understand their experiences, problems, values, desires, geographic location, and interests. Really, communicating about any attribute they have will foster perceptions of connection and relatedness. You’ll know you’ve been successful at building trust if your users can say, “They like me and like to help people just like me.”
Motivation & Behavior Change Techniques: Demonstrate interest in the person and provide credible role models.
Tactic: Provide a meaningful rationale.
Now that you’ve built rapport, the next challenge is to make your request without accidentally making them feel stupid, manipulated, or misunderstood. How can you do that? Here’s an example we stole directly from Menard, Bott, & Crossley (2017):
Your passwords are the keys to your digital life, and your online accounts are a proverbial gold mine for someone looking to steal your identity. Hackers often accomplish identity theft by figuring out online passwords.
That is a relatedness satisfying statement because it connects to something the user cares about: protecting their digital life and identity.
Regardless of how confident you are in your computer skills, you can learn how to create strong passwords and manage them using a password manager.
That is a competence satisfying statement because it tells the user they can succeed no matter their current skills.
A password manager is software that aids in keeping track of multiple passwords. We recommend using Dashlane, 1Password, KeePass, or LastPass. Each of these is an adequate solution, so feel free to choose the software you like the best as your password manager.
That is an autonomy satisfying statement because it provides choices and tells the user how they can make a good decision.
Motivation & Behavior Change Techniques: Take interest in the person, provide optimal challenge, and provide meaningful choice.
Phase 2: Onboarding
Their situation: A person has downloaded your password manager.
Their desired outcome: They want to know if they can fix their password issues with little to no effort as possible.
Your desired outcome: You need them to start using the password manager.
Your challenge: Making their first steps as effortless as possible.
You’ve gained their trust and they actually downloaded your app. Great! Now is the time to support their transition from outsiders to insiders in your community. You want to help them feel like they can use your password manager successfully, that they’re in the right place, and that they’ve made the right choice.
Tactic: Use scaffolding to foster competence.
Onboarding is the point when people will have the highest motivation they’ll ever have to learn anything from you. It’s like New Year’s Day. Still, even though their motivation is high, their skills and knowledge are quite low. How would you design a journey if you thought of them as baby power users? If you demand too much of them, you can accidentally make them feel stupid. You need to support the hell out of their competence. Way more than you think they need. As experts in our products, we often suffer from The Curse of Knowledge. We’ve forgotten how hard it was for us to learn all this password management stuff the first time we came across it.
You could start by showing them a brief video of someone like them using your app. Merely watching others perform an action can foster our perception of competence (Kardas & O’Brien, 2018). This is great because everyone is capable of watch a short video. It makes them feel like they are learning. This can actually be more successful than guiding them with tool tips, because you’ve taken away any possibility of them making a mistake. Success!
The next step up in the scaffold could be to provide a mock walkthrough with tool tips. Walk them through how to use the app on a made up account, so there’s no way they can make a real mistake. You also want to start giving them precise hints on how to take specific actions in your app, along with meaningful positive feedback when they do take those actions.
Finally, you can walk them through with their real accounts. For example, LastPass have a Security Challenge, where they audit a user’s passwords and then provide simple suggestions on how a user can increase their “security score”. Alternatively, you can do what 1Password does and walk them through the installation of a browser extension. Then demonstrate how any time they log into a website, the extension will automatically add their login information to their account. This shows people the “path forward” in a way that is easier to understand and less overwhelming than, “OMG I HAVE TO LOAD ALL MY PASSWORDS AT ONCE”
Motivation & Behavior Change Techniques: Provide optimal challenge, demonstration of the behavior, instruction on how to perform the behavior, goal-setting, and feedback on behavior.
Phase 3: Support long-term commitment
Their situation: A person has downloaded your password manager and completed your onboarding process.
Their desired outcome: They want to know if they can, and want to, keep using your password manager.
Your desired outcome: You need them to support new habits and break old ones. And maybe you want to create some raving fans.
Your challenge: Promote unlearning and prevent boredom.
Tactic: Co-opt old habit cues to teach them new habits.
A habit is a repeated behavior that is triggered by cues in our environment. It’s automatic, meaning it happens without our conscious control. This is awesome, because it means we can outsource decisions about starting a behavior to our environments. This is not awesome if a habit stops being useful for our goals.
For example, password managers go against the grain of how people expect passwords to work. That’s uncomfortable for people. Understanding what a password manager does requires a subtle shift in a person’s mental model of how to use a password. After tens of thousands of repetitions, we’ve all trained ourselves to memorize passwords, and to be the ones in control of them. Using a password manager requires you to unlearn what it means to keep yourself secure. You have to stop thinking of a password manager as a spreadsheet with your passwords, and more like your personal security concierge. You have to trust technology. You have to trust that you won’t lose access to your accounts despite not knowing what the passwords are to get into your accounts.
The first step to breaking a habit is to change your environment so that you don’t come across cues that trigger it. The second step is to do the new habit you want in the presence of that cue. The third step is to make the new habit as easy as possible.
Most modern password managers do this well by co-opting existing cues in service of new habits. For example, they’ll use a browser extension to ask you if you want to add a password to your vault after you enter it in the course of your regular web browsing. Next, they’ll start suggesting the new habit: use the password manager to enter your password on this site from now on. Finally, they make it as easy as possible by offering one click logins to all online accounts.
Tactic: Help them build their community
By now you’ve built their trust, supported their onboarding, and helped them build new more secure habits. Your users are feeling successful, and some of them might want to spread the love. This could be as simple as showing them how they can help their friends and family live more secure lives, too. And it could be as involved as creating a community of behavior change with them.
1Password does this by offering “Family”, “Team”, and “Business” offerings. Our interviewees who took advantage of these offerings did so specifically because 1Password had made them feel so smart, that they wanted to help their friends and family with their new knowledge of the tool.
The Internet is ubiquitous, it seems so are poor security practices. If we want to secure our future, it makes sense to design for motivation and behavior change. That doesn’t mean scaring people into changing. Rather, it means relating to people so that they feel motivated to use simple rules of thumb consistently. Use our design tactics to make that happen.