Jump to content

Password manager

From Wikipedia, the free encyclopedia

Bitwarden is an example of a password manager. Pictured above is its vault interface showing a saved login entry, which keeps a one's usernames and passwords.

A password manager is software used to store usernames and passwords in a collection commonly called a password vault. The vault is intended to be encrypted, with its encryption key commonly derived from a primary password chosen by the user, commonly called a master password. Most modern password managers can generate passwords, save credentials entered on websites, and fill them when the user returns. Some also synchronize records across devices, share credentials with other users, and store payment-card details, secure notes, and documents.

Password managers may run as standalone applications, browser extensions, components built into web browsers, or services integrated with an operating system. Their vaults may remain on a device or be synchronized through a provider's servers or a separate file-storage service. Generated passwords make it practical to use a different password for each account, which reduces the need to memorize or reuse credentials.

Because a vault may contain credentials for many accounts, the password manager and its master password are valuable targets for attack. Security depends on how the vault is encrypted, whether unauthorized changes can be detected, and how autofill, synchronization, sharing, and account recovery are implemented. Some users avoid or stop using password managers due to concerns on trust, loss of control, setup, or compatibility with websites. In a 2023 survey, 32% of adults in the United States reported using one, while an Australian survey gave an adjusted estimate of 26.8% for use in 2024.

Counterpane Systems released Password Safe for Windows 95 in 1997. Password managers later became available as browser components, mobile applications, cloud-based services, and features built into an operating system. Some password managers can also create and store passkeys, public-key credentials that may replace passwords or be used as an additional authentication factor.

Operation and features

[edit]

A password manager stores usernames and passwords in what is commonly called a password vault.[1] The vault is ideally stored in encrypted form, with its encryption key commonly derived from a user-chosen primary password, also called a master password.[1] Some password managers offer multi-factor authentication for access to the password database.[2] In a cloud-based password manager, the client software running on the user's device encrypts the vault before uploading it to a remote server, then retrieves and decrypts it locally when a stored credential is needed.[3]

Most modern password managers include a generator that creates a password from a chosen length, character set, and any additional rules.[1] Because the result is stored in the vault, users can assign separate generated passwords to different accounts without memorizing each one.[1] Some password managers also flag duplicate passwords or credentials that may need to be changed.[4] A password manager may detect a password entered in a login form and offer to save it for later use.[1] When the user returns, it can match the stored record to the site and fill the username and password fields.[1] Filling may occur automatically or only after the user clicks, types, or selects an entry in the password manager, and users with several accounts can choose which record to use.[1]

Cloud-based services can synchronize an encrypted vault so that the same records are available on several devices.[3] They may also allow records to be shared within a family, group, or organization and provide mechanisms for recovering access to an account.[3] In addition to login credentials, a vault may hold information such as payment-card details, secure notes, and personal documents.[3]

Deployment models

[edit]

Password managers may run as standalone applications, browser extensions, or components built into a web browser, and some products provide more than one kind of client.[1] A separate application may connect to a browser extension that handles autofill on its behalf.[1] Apple's iCloud Keychain makes saved passwords and passkeys available on a user's approved Apple devices.[5] Google Password Manager makes saved passwords and passkeys available to sites and applications on devices signed in to the same Google Account.[6]

A locally stored vault is kept on the user's device or another storage medium under the user's control.[2] Some local password managers rely on the user to copy or synchronize the vault between devices instead of providing their own cloud service.[1] A local vault can also be synchronized through a separate file-storage service rather than through the password-manager provider.[7] Locally maintained databases need regular backups on another storage medium so that the passwords remain available if the device is lost or stolen.[2]

A cloud-synchronized manager stores an encrypted vault on a remote server controlled by a service provider and allows clients on several devices to retrieve it.[3] Some providers also allow an organization to operate the server on its own infrastructure instead of using the provider's hosted service.[3] Bitwarden organizations can group shared records into collections and assign access to individual users or groups.[8] 1Password Business provides administrative policies for authentication, sharing and permissions, and single sign-on.[9]

History

[edit]

Counterpane Systems released Password Safe as a free utility for Windows 95 in September 1997.[10] It stored passwords in a local database encrypted with the Blowfish cipher and used one "Safe Combination" to unlock the records.[10] The first version of 1Password, then named 1Passwd, was released on May 19, 2006[11] and LastPass was founded in 2008.[12] Dashlane had been operating since 2012,[13] and the open-source Bitwarden launched in 2016.[14]

Apple announced iCloud Keychain in June 2013 as a password manager built into OS X Mavericks that synchronized passwords between trusted devices through iCloud.[15] By 2014, password managers included browser components, third-party applications, mobile clients, and services that synchronized vaults through remote servers.[16] Google introduced a unified management interface for passwords stored through Chrome and Android in 2022, replacing separate interfaces for the same account data.[17] In 2024, Apple released the standalone Passwords app, built on Keychain, to manage passwords, passcodes, and verification codes in one interface.[18]

Security model

[edit]

Password managers make it practical to assign a different generated password to each account, which reduces the need to remember or reuse passwords.[1] Password managers with generators also make users more likely to choose stronger passwords.[19] Because one vault may contain credentials for many accounts, the password manager and its master password are also targets for attack.[20] One security model assumes that the password-manager server is controlled by an attacker or deliberately departs from the system's rules. Under this model, the password manager is expected to keep vault contents secret, detect changes to vault data and metadata, and restrict sharing and account recovery to the intended users.[3]

Vault protection

[edit]

When a password vault is encrypted, its key is commonly derived from the master password.[1] An attacker who obtains an encrypted vault may test master-password guesses without contacting the password manager's service. Password managers therefore use deliberately slow key-derivation functions, which turn the master password into an encryption key while making each guess more costly.[21] Some password managers leave unencrypted parts of vault metadata, such as website addresses, usernames, account-use information, or security settings.[1] If a vault does not fully check whether its records and metadata have been changed, an attacker may alter or rearrange them without detection.[3] A 2020 evaluation of 13 password managers found that many issues identified in earlier studies had been addressed, but it still identified unencrypted metadata, unsafe defaults, and clickjacking vulnerabilities.[1]

Autofill and phishing

[edit]

Password managers normally associate a stored credential with a website and may withhold it when the current address does not match the saved address.[20] Automatic filling can expose a password to malicious code running in a compromised login page without requiring the user to select the credential.[1] In a 2014 evaluation, 6 of the 10 tested password managers filled credentials into hidden page elements called invisible frames during an attack conducted through a hostile network.[16] The same work found that requiring the user to initiate filling reduced exposure to attacks that depended on silent collection of several credentials.[16]

A password-manager browser extension's unlocking interface can also be imitated by a malicious website.[20] In a 2025 phishing simulation involving 29,809 participants, 31.25% of the detected users of 4 third-party password managers entered their master password into a false extension interface.[20] A stolen master password may give an attacker access to the stored credentials unless the password manager is protected by phishing-resistant multi-factor authentication.[20]

Client security

[edit]

Attacks against a password manager's client may use a malicious website, an application running on the same device, or a hostile network that alters pages or observes traffic.[21] Weaknesses in browser-extension interfaces have enabled autofill attacks and clickjacking,[1] in which a deceptive page causes the user to interact with an interface element that is hidden or disguised. These client-side and network attacks use a different threat model from attacks in which an adversary obtains an encrypted copy of the vault.[21]

Cloud storage, sharing, and recovery

[edit]

Cloud-based password managers often describe their client-side encryption as "zero-knowledge encryption". In this usage, the provider is not intended to learn the plaintext contents of a stored vault.[3] The term has no fixed technical definition and does not by itself state how the service behaves if its server is taken over or acts maliciously.[3] A 2026 analysis identified 25 attacks against Bitwarden, LastPass, and Dashlane under that threat model, with additional findings for 1Password.[3] The attacks exploited weaknesses in account recovery and shared vaults, keys that had not been authenticated, incomplete checks for changes across an entire vault, and continued support for older encryption formats.[3]

A 2024 evaluation found that records supplied by an attacker could affect password-health reports, requests for website icons, the size of compressed vault data, or the handling of duplicate attachments. Across the 10 password managers tested, these effects could reveal passwords, usernames, website addresses, or attachments.[21] Many of the affected vendors deployed changes after disclosure, although the fixes addressed the specific attack paths rather than providing one general defense against all such injection attacks.[21]

Password generation

[edit]

The security of a generated password depends on the generator's randomness and on the number of possible outputs allowed by the selected length and character set.[1] A 2020 evaluation generated 147 million passwords and found that some short outputs from the password managers tested were more vulnerable to guessing than their apparent length suggested.[1]

A flaw reported in Kaspersky Password Manager used the system time to seed a pseudorandom-number generator that was not intended for cryptographic use.[22] Affected instances of Kaspersky Password Manager running during the same second could therefore produce the same password, and knowing the approximate creation time reduced the number of candidates that an attacker had to test.[23] Kaspersky began issuing fixes in 2019 and later warned users to replace passwords that might have been generated by affected versions.[22]

Usability and human factors

[edit]

Password managers reduce the need to memorize separate credentials, but users must still decide whether to entrust the program with their passwords, how to manage the master password, and whether to use features such as password generation and synchronization.[24] When the tools did not work as intended, some users resorted to less secure methods, including reusing old weak passwords or recording passwords outside the password manager.[24]

Adoption and trust

[edit]

A 2019 interview study of 30 password-manager users and non-users found that those who relied on tools built into browsers or operating systems were often drawn to them by convenience, while users who had installed a separate password manager more often named security as a reason for doing so.[24] Reasons for not adopting a separate password manager included limited awareness, doubts about its security, a belief that too few important passwords needed protection, and reluctance to depend on passwords that the user could not remember.[24] Some participants did not know whether password-saving prompts came from the browser, the website, or the operating system, and were unsure where saved passwords were kept or whether the provider could read them.[24]

A 2021 interview study examined 26 adults over the age of 60, whose average age was 70.4 years.[25] Participants expressed concern about cloud storage, cross-device synchronization, loss of control over private information, and the consequences of keeping many passwords behind one point of access.[25] Recommendations and practical help from family members or close friends played an important part in adoption among the older participants.[25]

Setup and routine use

[edit]

In a one-month longitudinal study, with a follow-up at the end of a commercial password manager's three-month license period, 37 first-time users completed setup, but 42% stopped using the password manager between the first and fourth weeks.[26] Those who stopped had given it lower usability ratings during their first week than those who continued.[26] Trust in the password manager increased during the trial, but participants' ratings of its usability did not improve with time.[26]

Participants often found repeated master-password entry frustrating.[26] When asked how they had created their master password, 44% of the responses described total or partial reuse of an existing password or personal information.[26] Many also left previously stored weak or reused passwords unchanged, even though almost 80% had credentials flagged by the password manager's audit feature and saw the audit screen each week.[26] In interviews conducted in 2019, users commonly moved existing passwords into a password manager without replacing all of them at once, then changed them gradually as accounts were used.[24]

Compatibility problems can interrupt registration or login when a password manager fails to offer password generation, saves or fills a credential incorrectly, or generates a password that the website rejects.[27]

Effects on password practices

[edit]

Using a password manager does not by itself ensure that stored passwords are strong or unique; the result depends on whether the user employs generation, storage, and entry as one process.[28] A 2018 study combining a survey of 476 participants with browser measurements from 170 of them found stronger and less frequently reused passwords when technical support began at password creation rather than merely storing credentials that users had already chosen.[28] In that sample, manually entered passwords and those filled by Chrome were unique in 20 to 25% of cases, compared with 53 to 78% for passwords entered through LastPass or by copying and pasting.[28]

How a password manager presents password generation can affect whether users accept its suggestion.[29] In an experiment with 558 participants, Safari's prompt led to significantly more use of generated passwords than the prompts tested in Chrome and Firefox.[29] Acceptance was also associated with whether participants noticed the prompt and whether they had previously used a password manager or generated password.[29]

Adoption

[edit]

In a nationwide, representative survey conducted in 2023, 32% of adults in the United States said they used a password manager, an increase from 20% in 2019.[30] Use was more common among younger adults: 49% of those aged 18 to 29 used one, compared with 37% of those aged 30 to 49 and no more than one quarter of adults aged 50 or older.[30] Use also varied by education, ranging from 26% among adults with no education beyond high school to 38% among those with at least a bachelor's degree.[30]

The 2024 Australian Cybercrime Survey gave adjusted estimates of 26.8% for use of a secure password manager in 2024 and 25% in 2023.[31] The survey used proportional quota sampling from opt-in online panels and was not nationally representative.[31] Quotas were based on age, gender, and usual place of residence, while the data were weighted by age and place of residence, education, internet use, and social-media use.[31]

An October 2024 online poll of 1,000 adults in the United States found that Google Password Manager was the primary password manager used by 32% of password-manager users, followed by Apple's iCloud Keychain or Passwords app at 23%, LastPass at 11%, and Bitwarden at 10%.[32] In the same poll, 79% of password-manager users said that they paid nothing for the service.[32]

Interaction with websites and applications

[edit]

Web forms

[edit]

On a website, a password manager must distinguish fields for usernames, existing passwords, and newly created passwords before it can save or fill the correct credentials.[33] The HTML autocomplete attribute provides the values username, current-password, and new-password to identify the intended use of each field.[34] Using standard HTML forms, appropriate input types, and these field names helps password managers recognize when to generate, save, update, or fill credentials.[33]

Password managers may still fail when a website uses nonstandard forms, labels fields incorrectly, or imposes password rules that do not match the password manager's generated passwords.[27] Tests conducted from June to December 2022 found registration or login problems with Chrome, Safari, Bitwarden, and Keeper on more than one quarter of the 61 websites for which the researchers completed testing.[27] Of the 60 websites on which passwords were generated, 19 rejected a password from at least one of the 4 password managers because of requirements on length, symbols, or character combinations.[27]

Restrictions and compatibility

[edit]

Some websites have attempted to prevent password-manager use by disabling paste operations or instructing browsers not to save or fill login fields.[35] In 2015, British Gas placed onpaste="return false" on a password field and stated that it had chosen not to support password managers; it later said that it would review the policy after criticism.[35] Checks also found paste restrictions on registration or password forms operated by T-Mobile, Barclaycard, and Western Union, although T-Mobile said that its restriction was unintended and subsequently removed it.[36]

A website can set autocomplete="off" on a form or field to request that entered data not be retained, but many modern browsers disregard that value for username and password fields.[37] The value remains useful for fields whose contents should not be retained, while new-password can identify a field intended for a newly assigned password rather than the user's current one.[37]

Current National Institute of Standards and Technology (NIST) guidance requires services that verify passwords to permit password managers and autofill and recommends allowing passwords to be pasted when an autofill interface is unavailable.[19] OWASP, the Open Worldwide Application Security Project, likewise recommends standard HTML username and password fields, support for printable characters and sufficiently long passwords, and the ability to paste into password and multifactor-authentication fields.[38]

Native applications

[edit]

On Android 8 and later include an autofill framework that lets applications request saved credentials and other data from services such as password managers.[39] Applications can mark their username and password fields so that installed credential providers can offer matching saved credentials.[40]

Apple's Password AutoFill uses a verified association between an application and a website. Developers configure the association through the application's associated-domains entitlement and corresponding data published by the website.[41] Credentials suggested within an application are limited to its associated domains, while other saved records remain available through the system's credential interface.[42] Application developers can label text fields according to their intended content so that the system offers the appropriate username or password records.[43]

Relationship to passkeys

[edit]

A passkey is a login credential based on public-key cryptography. It uses a pair of related cryptographic keys to authenticate to a website or application.[44] When a passkey is registered, the device or password manager holding it creates the key pair. The public key is sent to the service, while the private key is retained and later used to sign authentication challenges.[45] The user authorizes use of the private key by unlocking the device or credential provider with a PIN, password, pattern, or biometric check.[44]

A password manager can act as a passkey provider that creates, stores, and manages passkeys for the user.[44] Passkeys are designed without a shared secret that the user sends to the website.[44] During authentication, the credential provider signs a challenge after the user approves the request, and the website verifies the signed response with its stored public key.[45] Credential managers may store passwords, passkeys, and other credential types.[46]

Passkeys may be bound to one device or synchronized through a passkey provider so that they are available on several devices.[44] Synchronization allows a passkey to be restored when a device is replaced or lost and reduces the need to register a separate credential for each device.[47] Device-bound passkeys may instead be held by an authenticator built into the device or by an external security key, and are not copied through a cloud synchronization service.[44]

A properly configured syncable passkey is constrained to the website for which it was created, so a counterfeit site cannot capture an authentication response and reuse it at the legitimate site.[19] Synced passkeys rely on a passkey-management service to back up private signing keys, and a breach of that cloud storage can expose the keys.[48] NIST permits synced passkeys at Authentication Assurance Level 2 (AAL2), but not at Level 3 (AAL3), its highest assurance level. AAL3 requires the private authentication key to remain non-exportable, whereas synchronization requires the key to be copied between devices.[19]

Among 208 websites examined in 2025, passkeys were used for passwordless sign-in and as an additional factor after a password; 61 accepted passkeys only as a second factor and still required a password.[49] The FIDO Alliance has also published credential-exchange specifications that define a common format for transferring passwords, passkeys, and other records between credential managers.[46]

See also

[edit]

References

[edit]
  1. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Oesch, Sean; Ruoti, Scott (2020). That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers. 29th USENIX Security Symposium. USENIX Association. pp. 2165–2182. ISBN 978-1-939133-17-5. Archived (PDF) from the original on October 22, 2020. Retrieved July 14, 2026.
  2. 1 2 3 "Cyb3R_Sm@rT!: Use a Password Manager to Create and "Remember" Strong Passwords". Cybersecurity and Infrastructure Security Agency. Retrieved July 14, 2026.
  3. 1 2 3 4 5 6 7 8 9 10 11 12 Scarlata, Matteo; Torrisi, Giovanni; Backendal, Matilda; Paterson, Kenneth G. (2026). Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers. USENIX Security '26. USENIX Association. Archived (PDF) from the original on July 15, 2026. Retrieved April 3, 2026.
  4. Waschke, Marvin (2017). Personal Cybersecurity: How to Avoid and Recover from Cybercrime. Bellingham, Washington: Apress. p. 198. doi:10.1007/978-1-4842-2430-4. ISBN 978-1-4842-2430-4.
  5. "Use the Passwords app to create, manage, and share passwords and passkeys across Apple devices". Apple Support. Apple Inc. Retrieved July 14, 2026.
  6. "Use passwords and passkeys across your devices". Google Account Help. Google. Retrieved July 14, 2026.
  7. Cheng, Haibo; Li, Wenting; Wang, Ping; Chu, Chao-Hsien; Liang, Kaitai (2021). Incrementally Updateable Honey Password Vaults. 30th USENIX Security Symposium. USENIX Association. pp. 857–874. ISBN 978-1-939133-24-3. Archived (PDF) from the original on July 6, 2022. Retrieved July 14, 2026.
  8. "About collections". Bitwarden Help Center. Bitwarden. Retrieved July 14, 2026.
  9. "Manage team policies in 1Password Business". 1Password Support. 1Password. June 30, 2026. Retrieved July 14, 2026.
  10. 1 2 "Counterpane Systems Brings the Security of Blowfish to a Password Database". Counterpane Systems. September 5, 1997. Archived from the original on January 19, 1998. Retrieved June 24, 2023.
  11. Teare, Dave (November 14, 2019). "1Password partners with Accel for continued growth". 1Password. Retrieved July 14, 2026.
  12. "About Us". LastPass. Retrieved July 14, 2026.
  13. Barrett, Brian (February 2, 2020). "Dashlane's Super Bowl Ad Proves Password Managers Have Arrived". Wired. Archived from the original on July 7, 2020. Retrieved July 14, 2026.
  14. Bitwarden (September 15, 2022). "Q&A with Bitwarden Founder and CTO". Bitwarden. Retrieved July 15, 2026.
  15. Honan, Mat (June 10, 2013). "Apple's New iCloud Keychain Stores Sensitive Data Across Devices". Wired. Archived from the original on November 12, 2019. Retrieved July 14, 2026.
  16. 1 2 3 Silver, David; Jana, Suman; Boneh, Dan; Chen, Eric; Jackson, Collin (2014). Password Managers: Attacks and Defenses. 23rd USENIX Security Symposium. USENIX Association. pp. 449–464. ISBN 978-1-931971-15-7. Archived (PDF) from the original on March 8, 2021. Retrieved July 26, 2015.
  17. Sarraf, Ali (June 30, 2022). "Staying safe online with our updated Google Password Manager". The Keyword. Google. Retrieved July 14, 2026.
  18. "iOS 18 is available today, making iPhone more personal and capable than ever". Apple Newsroom. Apple Inc. September 16, 2024. Retrieved July 14, 2026.
  19. 1 2 3 4 "NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Authenticator Management". National Institute of Standards and Technology. 2025. Retrieved July 14, 2026.
  20. 1 2 3 4 5 Anliker, Claudio; Lain, Daniele; Čapkun, Srdjan (2025). Phishing Attacks against Password Manager Browser Extensions. 34th USENIX Security Symposium. USENIX Association. pp. 7857–7876. ISBN 978-1-939133-52-6. Archived (PDF) from the original on August 22, 2025. Retrieved July 14, 2026.
  21. 1 2 3 4 5 Fábrega, Andrés; Namavari, Armin; Agarwal, Rachit; Nassi, Ben; Ristenpart, Thomas (2024). Exploiting Leakage in Password Managers via Injection Attacks. 33rd USENIX Security Symposium. USENIX Association. pp. 4337–4354. ISBN 978-1-939133-44-1. Archived (PDF) from the original on September 20, 2024. Retrieved July 14, 2026.
  22. 1 2 Claburn, Thomas (July 6, 2021). "Kaspersky Password Manager's random password generator was about as random as your wall clock". The Register. Archived from the original on July 7, 2021. Retrieved July 14, 2026.
  23. Arghire, Ionut (July 7, 2021). "Kaspersky Password Manager Generated Passwords That Could Quickly Be Brute-Forced". SecurityWeek. Archived from the original on July 7, 2021. Retrieved July 14, 2026.
  24. 1 2 3 4 5 6 Pearman, Sarah; Zhang, Shikun Aerin; Bauer, Lujo; Christin, Nicolas; Cranor, Lorrie Faith (2019). Why people (don't) use password managers effectively. Fifteenth Symposium on Usable Privacy and Security. USENIX Association. pp. 319–338. ISBN 978-1-939133-05-2. Archived (PDF) from the original on May 12, 2022. Retrieved July 14, 2026.
  25. 1 2 3 Ray, Hirak; Wolf, Flynn; Kuber, Ravi; Aviv, Adam J. (2021). Why Older Adults Don't Use Password Managers. 30th USENIX Security Symposium. USENIX Association. pp. 73–90. ISBN 978-1-939133-24-3. Archived (PDF) from the original on October 20, 2022. Retrieved July 14, 2026.
  26. 1 2 3 4 5 6 Arias Cabarcos, Patricia; Mayer, Peter (2025). The more accounts I use, the less I have to think: A Longitudinal Study on the Usability of Password Managers for Novice Users. Twenty-First Symposium on Usable Privacy and Security. USENIX Association. pp. 351–369. ISBN 978-1-939133-51-9. Archived (PDF) from the original on August 13, 2025. Retrieved July 14, 2026.
  27. 1 2 3 4 Hutchinson, Adryana; Tang, Jinwei; Aviv, Adam J.; Story, Peter (February 26, 2024). Measuring the Prevalence of Password Manager Issues Using In-Situ Experiments (PDF). Symposium on Usable Security and Privacy. Internet Society. doi:10.14722/usec.2024.23094. Retrieved July 14, 2026.
  28. 1 2 3 Ghorbani Lyastani, Sanam; Schilling, Michael; Fahl, Sascha; Backes, Michael; Bugiel, Sven (2018). Better Managed than Memorized? Studying the Impact of Managers on Password Strength and Reuse. 27th USENIX Security Symposium. USENIX Association. pp. 203–220. ISBN 978-1-939133-04-5. Archived (PDF) from the original on May 18, 2022. Retrieved July 14, 2026.
  29. 1 2 3 Zibaei, Samira; Malapaya, Dinah Rinoa; Mercier, Benjamin; Salehi-Abari, Amirali; Thorpe, Julie (2022). Do Password Managers Nudge Secure (Random) Passwords?. Eighteenth Symposium on Usable Privacy and Security. USENIX Association. pp. 581–597. ISBN 978-1-939133-30-4. Archived (PDF) from the original on November 17, 2022. Retrieved July 14, 2026.
  30. 1 2 3 McClain, Colleen; Faverio, Michelle; Anderson, Monica; Park, Eugenie (October 18, 2023). "How Americans protect their online data". Pew Research Center. Archived (PDF) from the original on December 6, 2024. Retrieved July 14, 2026.
  31. 1 2 3 Voce, Isabella; Morgan, Anthony (2025). Cybercrime in Australia 2024 (PDF) (Report). Statistical Report. Australian Institute of Criminology. doi:10.52922/sr77918. ISBN 978-1-922877-91-8. Retrieved July 14, 2026.
  32. 1 2 Frew, Paul; Petrino, Gene (March 17, 2026). "2024 Password Manager Industry Report and Statistics". Security.org. Retrieved July 14, 2026.
  33. 1 2 "Passwords". MDN Web Docs. January 27, 2026. Retrieved July 14, 2026.
  34. "Autofilling form controls: the autocomplete attribute". HTML Standard. WHATWG. Retrieved July 14, 2026.
  35. 1 2 Reeve, Tom (July 15, 2015). "British Gas bows to criticism over blocking password managers". SC Magazine UK. Archived from the original on July 24, 2015. Retrieved July 14, 2026.
  36. Cox, Joseph (July 26, 2015). "Websites, Please Stop Blocking Password Managers. It's 2015". Wired. Archived from the original on August 17, 2015. Retrieved July 14, 2026.
  37. 1 2 "How to turn off form autocompletion". MDN Web Docs. June 24, 2025. Retrieved July 14, 2026.
  38. "Authentication Cheat Sheet". OWASP Cheat Sheet Series. Retrieved July 14, 2026.
  39. "Autofill framework". Android Developers. Google. June 18, 2026. Retrieved July 14, 2026.
  40. "Integrate Credential Manager with autofill". Android Developers. Google. June 18, 2026. Retrieved July 14, 2026.
  41. "Supporting associated domains". Apple Developer Documentation. Apple Inc. Retrieved July 14, 2026.
  42. "About the Password AutoFill workflow". Apple Developer Documentation. Apple Inc. Retrieved July 14, 2026.
  43. "Enabling Password AutoFill on a text input view". Apple Developer Documentation. Apple Inc. Retrieved July 14, 2026.
  44. 1 2 3 4 5 6 "FIDO Passkeys: Passwordless Authentication". FIDO Alliance. Retrieved July 14, 2026.
  45. 1 2 "Web Authentication: An API for Accessing Public Key Credentials – Level 3". World Wide Web Consortium. May 26, 2026. Retrieved July 14, 2026.
  46. 1 2 "Credential Exchange Specifications". FIDO Alliance. Retrieved July 14, 2026.
  47. Zaky, Khaled, ed. (August 29, 2024). "Replacing Password-Only Authentication with Passkeys in the Enterprise". FIDO Alliance. Retrieved July 14, 2026.
  48. Islam, Mazharul; Arora, Sunpreet S.; Chatterjee, Rahul; Wang, Ke Coby (2025). Detecting Compromise of Passkey Storage on the Cloud. 34th USENIX Security Symposium. USENIX Association. pp. 7743–7762. ISBN 978-1-939133-52-6. Archived (PDF) from the original on September 16, 2025. Retrieved July 14, 2026.
  49. Jannett, Louis; Mayer, Andreas; Westers, Maximilian; Mladenov, Vladislav; Mainka, Christian; Schwenk, Jörg (2026). The State of Passkeys: Studying the Adoption and Security of Passkeys on the Web. 35th USENIX Security Symposium. USENIX Association. Archived (PDF) from the original on July 15, 2026. Retrieved July 14, 2026.
[edit]