Blind and Low-Vision Users Tackle Password Challenges: Study Reveals Accessibility Gaps in Digital Security

Passwords remain the most common tool for digital authentication, yet they often serve as the weakest link in online security. A new study by CISPA researcher Alexander Ponticello, presented at the CCS 2025 IT Security Conference in Taipei, sheds light on how blind and low-vision users manage their passwords—and the accessibility hurdles they still face. With the rise of password managers and accessibility legislation, the findings suggest both progress and persistent gaps in secure authentication for everyone.

For most users, passwords are already a hassle—too many to remember, too short to be safe, and often reused. But for those who are blind or have low vision, technical and usability barriers compound the issue. The study, which involved 33 U.S. participants, revealed that this group often depends heavily on screen readers, voice commands, and system-integrated tools for managing their digital credentials. However, when these systems fail to work together—such as when a password manager is incompatible with a screen reader—the entire security chain collapses.

Interestingly, all 33 participants in Ponticello’s research reported using some form of password manager, whether knowingly or not. Many relied on built-in systems such as Apple Passwords, Google Chrome’s password manager, or third-party options like 1Password and LastPass. Those who chose their own managers often did so based on word-of-mouth recommendations or online accessibility forums. For this community, ease of use and accessibility were just as important as encryption strength or data protection.

One surprising finding was that screen readers reading passwords aloud in public settings were not a major concern. Nearly all participants used headphones, and most screen reader speech runs too fast for others to understand. Instead, the bigger issue was inconsistency—programs or websites that suddenly stop working after updates or ignore accessibility in design. These failures make users feel that the systems themselves are unreliable, forcing many to adopt backup solutions like Braille password lists or simpler, less secure passwords they can remember without assistance.

Ponticello emphasized that while handwritten or Braille-based backups may seem outdated, they reflect a rational adaptation to unreliable technology. But these compromises come at a cost to cybersecurity best practices. True security, he argues, requires that password systems be accessible by design, meaning that screen readers, browsers, apps, and authentication layers all interact smoothly.

Another major challenge lies in password generation. Randomized passwords filled with special characters are hard for blind users to locate and type. Passphrases—longer strings of ordinary words—could be a better alternative, but many screen readers still process these incorrectly, reading them letter by letter instead of word by word. Ponticello suggests that app stores and developers should prioritize accessibility labeling and create dedicated accessibility review sections for affected users.

Looking ahead, the European Accessibility Act (EAA) and Germany’s Accessibility Strengthening Act, effective from June 2025, are expected to bring new standards for digital accessibility across the EU. Ponticello hopes similar research with European participants will reveal how these laws impact real-world user experiences.

In conclusion, this study reinforces that accessibility is not optional—it’s essential for digital security. From unlabeled buttons to fragmented integrations, blind and low-vision users encounter challenges that could easily be fixed with inclusive design. As Ponticello succinctly puts it: “We need to adapt the systems, not the people.” Only then can everyone, regardless of ability, use passwords safely and confidently.
