Passwords remain the go-to authentication tool in everyday life, says CISPA researcher Alexander Ponticello. At the same time, passwords are often a security weak spot: too short, too simple, and reused far too often. Blind and low-vision people face an additional hurdle: Systems need to work together sensibly for authentication processes to run smoothly.

A new qualitative study with 33 U.S. participants shows how this group manages passwords—and where improvements are needed. Ponticello presented his paper “How Blind and Low-Vision Users Manage Their Passwords” at the IT security conference CCS 2025 in Taipei.

Passwords are still the default tool for online security—but they’re also a constant source of problems. Many people today have hundreds of accounts and for which they must manage passwords of varying complexity. Password managers can help: They create strong passwords, store them, and autofill login credentials—problem solved, right?

Unfortunately, this isn’t the case, because password managers are far from being used consistently by everyone. Previous studies show that the main reasons are the fear of complicated setup, lack of trust, and lack of knowledge about existing tools. Older user groups also tend to be generally hesitant about digital tools. Ponticello’s new study expands research on password management and password manager use to a group that has received little attention so far: blind and low-vision users.

Widespread use of password managers in the community

Password managers can be an important tool for blind and low-vision people to manage their login credentials. “In fact, all 33 respondents in our study used password managers—sometimes consciously, sometimes unconsciously, simply because their browser or device offered to manage them,” says Ponticello. These included third-party programs such as LastPass or 1Password, as well as browser-integrated password managers like the one built into Google Chrome and system-integrated password managers such as Apple Passwords.

“Those who intentionally chose a password manager usually relied on recommendations from acquaintances or advice in relevant forums. Accessibility played at least as important a role as system security,” Ponticello explains.

Real accessibility only if systems work together

“Depending on the degree of impairment, blind and low-vision users rely primarily on screen readers to use their devices in everyday life. Our first intuition was that it must be a big problem that screen readers read passwords aloud in public. However, this proved to be less of a problem, as almost all study participants told us that they use headphones,” says the researcher.

In addition, the speech output usually runs so fast that bystanders can hardly understand anything. However, for blind and low-vision people to use password managers smoothly, screen readers, password managers, apps, and websites must work together accordingly.

“If one of these parties fails, the whole system breaks down,” says Ponticello.

Unfortunately, there are still programs where accessibility seems to be an afterthought. At the latest when updates need to be installed, some users have experienced that programs no longer work properly. The result: Users feel they cannot reliably depend on the systems.

Security versus everyday life: Compromises are common

Many of the users surveyed therefore combine password managers with backup strategies. Some even keep password lists in Braille—safely stored, but still analog.

“That’s not inherently insecure,” the researcher explains. “But you have to be aware of who might have access to that list.” Other study participants said they intentionally create simpler passwords so they can enter them without a tool if necessary.

“That contradicts security best practices,” he says, “but above all it shows that systems need to become more reliable.”

What (still) needs to be done—and how to do it better

According to Ponticello, one problem is how password managers generate passwords: Random passwords with special characters are often hard for blind people to find on the keyboard. A better alternative would be passphrases that string whole words together.

“Unfortunately, screen readers then read those passwords letter by letter instead of recognizing the words. The integration hasn’t been thought through to the end,” the researcher says. App stores could also help by clearly labeling a tool’s accessibility and introducing special review categories for affected users where blind and low-vision people can get information directly.

“But the most important thing is: We need accessibility by design—correct labels for buttons, a sensible focus order, and consistent screen reader flows.”

Outlook

Conducting a similar study with German users could be Ponticello’s next step. So far, legislation in the U.S. has been stricter than in the EU. Laws such as the Americans with Disabilities Act have long enforced strict accessibility standards for websites and digital services there. The EU is following suit with the European Accessibility Act (EAA).

In Germany, this led to the Accessibility Strengthening Act, which has been required to be applied since June 28, 2025. “I’m curious to see what effects this will have in the future,” says Ponticello.

Ponticello’s study shows: Accessibility is not a luxury but a basic prerequisite for digital security. Many hurdles—from lack of labeling to fragile integrations—can be solved if platforms, developers, and lawmakers take them seriously.

“We need to adapt the systems, not the people,” the researcher says. “Only then can passwords be used securely by everyone.”

Provided by
CISPA Helmholtz Center for Information Security

OpenAI says the medical experts reviewed more than 1,800 model responses involving potential psychosis, suicide, and emotional attachment and compared the answers from the latest version of GPT-5 to those produced by GPT-4o. While the clinicians did not always agree, overall, OpenAI says they found the newer model reduced undesired answers between 39 percent and 52 percent across all of the categories.

“Now, hopefully a lot more people who are struggling with these conditions or who are experiencing these very intense mental health emergencies might be able to be directed to professional help, and be more likely to get this kind of help or get it earlier than they would have otherwise,” Johannes Heidecke, OpenAI’s safety systems lead, tells WIRED.

While OpenAI appears to have succeeded in making ChatGPT safer, the data it shared has significant limitations. The company designed its own benchmarks, and it’s unclear how these metrics translate into real-world outcomes. Even if the model produced better answers in the doctor evaluations, there is no way to know whether users experiencing psychosis, suicidal thoughts, or unhealthy emotional attachment will actually seek help faster or change their behavior.

OpenAI hasn’t disclosed precisely how it identifies when users may be in mental distress, but the company says that it has the ability to take into account the person’s overall chat history. For example, if a user who has never discussed science with ChatGPT suddenly claims to have made a discovery worthy of a Nobel Prize, that could be a sign of possible delusional thinking.

There are also a number of factors that reported cases of AI psychosis appear to share. Many people who say ChatGPT reinforced their delusional thoughts describe spending hours at a time talking to the chatbot, often late at night. That posed a challenge for OpenAI because large language models generally have been shown to degrade in performance as conversations get longer. But the company says it has now made significant progress addressing the issue.

“We 1761584905 see much less of this gradual decline in reliability as conversations go on longer,” says Heidecke. He adds that there is still room for improvement.