The trust in Password manager adoption intention among young adults

By César Barreto

Username and password have long been used as a form of authentication, and
despite all the known issues with passwords, it's still the primary option.
Cybersecurity experts advise users to create passwords that are difficult to
guess and not be reused across different accounts. Other recommendations
include changing passwords at regular intervals and not writing down or storing
them on users' phones or computers. These tips, when recommended together,
put users in a sticky situation. Passwords that are hard for attackers to guess
can also be hard for users to remember. As the number of accounts grows, as
is the case today, users must create and remember many more passwords than
ever before. The situation is made even more difficult when users are required
to change their passwords at regular intervals of time and not write them down
anywhere. Together, all of this creates a huge cognitive load for users. This can
lead users to create weaker passwords that are easy to remember and reuse
them across different accounts, creating problems in terms of cybersecurity.

Cybersecurity experts recommend password managers as a solution to the

aforementioned problems. A password manager is a tool or software that eases
the cognitive load on users of creating and remembering many unique
credentials, such as usernames and passwords, by automatically creating,
storing, and completing required credentials when needed. Create unique and
strong passwords based on desired rules, such as length, type of characters,
and any other special attributes, for each account. Password managers are
actually one of the most applied measures among cybersecurity experts,
however, password managers have not achieved the same popularity among
regular end users. For example, in 2015, when password managers were one
of the top 5 measures applied by cybersecurity experts, it was found that only
24% of regular users used a password manager. The situation seems even
worse today, as recent studies comparing the security practices of cybersecurity
experts and users show that only 3% of respondents use a password manager.

To understand the reasons for the unpopularity of password managers among

users, studies have been conducted to identify the factors that prevent users
from using a password manager. Among the handful of available studies
focused on regular end users, trust has been found to be one of the main
reasons for non-adoption of password management applications. Cybersecurity
researchers have determined the factors that drive the adoption of password
managers and found that trust has a positive impact on the intention to adopt
password managers. Some other studies found that people did not adopt a
password manager due to a lack of trust. Therefore, trust has been suggested
as the first step to increase the adoption of password managers. While trust has
been found to be an important factor in password manager adoption, how trust
can be established is yet to be researched. For this, it is crucial to understand
the factors that improve trust and favor their relationships with adoption.

Trust is not decreed, it is built, therefore it is a complex phenomenon, and in

order to establish trust between an individual and an artifact, it is crucial to
understand how trust is initiated and how it is built and how it can be improved,
strengthened, strengthened. and consolidate. Cybersecurity experts have
shown that trust is formed in phases. The trust-building process begins when
people come across an unknown artifact. This initial phase is called initial trust,
which is affected by institutional, personal and environmental factors. Once
initial trust is established, people go through a personal experience, try the
artifact, and then decide to accept or reject it. Therefore, the trust that is
established after the use of an artifact is different from the initial trust that is
established before the use of an artifact. That is, initial trust plays a crucial role
in building trust between a user and an artifact, which can be a service, an
application, or a piece of software. Therefore, we argue that initial trust
formation is more relevant to understand in the context of password managers.

The scientific community of cybersecurity has now reconigzed that any

manufacturer of a password manager must consider the following: Initial
Confidence Model; ITM. In their work they described the three forces that affect
initial trust: 1) Personal, 2) Institutional and 3) Environmental. The Personal is
related to the user, among which the personal propensity to trust significantly
affects the initial trust. Regarding the institutional, it refers to the size, capacity,
integrity, role in the market, benevolence, reputation and/or the brand can also
affect the perception of the services or products of an institution by the user.
And in terms of the environment, they highlight structural safety and improve the
reliability of the service. The structural guarantees include the availability of
service guarantees, privacy policies, recognition and endorsement of third
parties. Based on the above, all companies that manufacture a password
manager must base it on the ICM philosophy.

ICM Philosophy

1) Personal propensity to trust reflects an individual's tendency to trust others in

various situations. This tendency is part of a person's personality and develops
during the early stage of a person's life. The propensity to trust takes two forms:
faith in humanity and trust posture. In the first form, a person believes that
people are trustworthy, and the second form describes a person's belief that
they will be better off considering people to be trustworthy, so it is suggested
that the personal propensity to trust managers of passwords will represent the
degree to which people have a trustworthy posture towards password
managers, that is, the personal propensity to trust will affect the initial trust in
the password manager and the structural guarantees, in general, are the
guarantees, for example, promises, contracts, regulations or guarantees,
provided by the institutions to their clients. In a technological context, these
safeguards are encryption, secure processes and procedures, third-party
certifications, and the feedback mechanism. In the case of password managers,
users care about their data and look for guarantees like the ones mentioned
above.

2) As for the structural guarantees, these will affect the initial trust in the
password manager through the quality of service that cannot be determined
without previous experience. In this situation, when an individual has no prior
experience, referrals and word of mouth are the channels that influence an
individual's perceptions. Individual perceptions are also affected by institutional
signals. A good reputation is a guarantee of a company's integrity and goodwill,
increasing the trust of potential customers even when they have no prior
experience with the service provider and reducing uncertainty and risks
associated with the application. The reputation of the company of the password
managers will have a significant influence on the initial trust related to the
password managers, so the reputation of the company will positively affect the
initial trust in the password managers; the initial trust reduces uncertainty and
the risk and establishes a connection that leads to the use of a new application.
Both perceived usefulness and initial trust affect behavioral intention.

In 2021, a prestigious group of cybersecurity experts from Turku University from

Finland conducted a study of initial trust formation in the context of password
managers and how initial trust relates to password manager adoption intention.
Collected data from 289 young adults in Europe (aged 18-35). The analysis was
carried out mainly using structural equation modeling (SEM) in SmartPLS3.2
and with the support of SPSS v25.0. The results showed that the structural
security and the reputation of the company play an important role in the initial
formation of trust, but not so Personal propensity. Also, initial trust affects the
intention to adopt a password manager.

There are still factors that arise from initial trust in password managers to study,
for example, it would be interesting to see the role of social norms in
antecedenting initial password manager adoption and trust. In addition, studies
may also consider other factors that may play an important role in initial trust
formation. One of those factors is the awareness of password managers.
Awareness has been found to be a driving force for learning the skills necessary
to execute a certain type of behavior. So in this area, there is still a lot to study.