Our research found a fatalistic attitude towards privacy and security. We heard everything from "No one wants my identity anyway. There's no money in my bank account." to "If a hacker wanted to get in, I'm sure they could. I wouldn't even know where to begin to defend myself." Note: that's not how identity theft works.
The kind of privacy they care about is from the people closest to them who could physically pick up their phone or computer. This is why people clear browser history and explicitly log out of sites. It's not the hacker they're worried about, it's their visiting mother-in-law or kid sister getting a look at their email or being able to vandalize their Facebook wall. Unlike the big "P" privacy, the consequences of this threat are immediate and visceral. The potential costs to their reputation are perceived to be higher than anything a hacker could or would do.
Further, we found that the existing password manager is underserving the majority of our users. Many people aren't having the browser save their passwords because it leaves their accounts wide open to anyone who has physical access to their device. It doesn't defend against the primary threat they're worried about. They are left with no tools to help.
It's little wonder we see such bad statistics on password reuse. We've told people not to reuse passwords, but it's a cognitive impossibility to comply. It's like saying you could avoid drowning by walking on water. Worse, even, is that everyone I've interviewed apologizes for not having a good enough memory. We've done no service to our users by making them feel stupid or inadequate.
The Persona team has been busy prototyping better tools that address this set of user needs. Follow us on twitter at @mozillapersona to hear about these experiments and more.
Check out the research that underpins the Persona team:
Photo credit: Creative Commons license by Valeria Melissia Rosalez