This study investigates real-world password management and two-factor authentication (2FA) practices, cognitive biases, and influencing factors among Indian internet users—addressing a critical gap in account security research within non-Western sociocultural and economic contexts. Through a mixed-methods study involving 90 Indian participants (structured surveys and in-depth interviews), we find: widespread reliance on browser- or OS-integrated password managers—despite low tool awareness; relatively high 2FA adoption, yet predominantly limited to default, platform-provided options; persistent avoidance of password managers for high-sensitivity accounts; pervasive password reuse, short passwords, and predictable patterns; and significant distrust toward third-party security tools, severely limiting their adoption. Our key contribution is the first systematic identification and characterization of “default-preference-driven security behavior” in the Indian context—a culturally embedded phenomenon wherein users’ security decisions are overwhelmingly shaped by preconfigured, vendor-supplied options rather than deliberate risk assessment. This finding provides empirical grounding and actionable intervention points for cross-cultural security design.

Passwords have been long used as the primary authentication method for web services. Weak passwords used by the users have prompted the use of password management tools and two-factor authentication to ensure better account security. While prior studies have studied their adoption individually, none of these studies focuses particularly on the Indian setting, which is culturally and economically different from the countries in which these studies have been done in the past. To this end, we conducted a survey with 90 participants residing in India to better understand the mindset of people on using password managers and two-factor authentication (2FA). Our findings suggest that a majority of the participants have used 2FA and password managers in some form, although they are sometimes unaware of their formal names. While many participants used some form of 2FA across all their accounts, browser-integrated and device-default password managers are predominantly utilized for less sensitive platforms such as e-commerce and social media rather than for more critical accounts like banking. The primary motivation for using password managers is the convenience of auto-filling. However, some participants avoid using password managers due to a lack of trust in these tools. Notably, dedicated third-party applications show low adoption for both password manager and 2FA. Despite acknowledging the importance of secure password practices, many participants still reuse passwords across multiple accounts, prefer shorter passwords, and use commonly predictable password patterns. Overall, the study suggests that Indians are more inclined to choose default settings, underscoring the need for tailored strategies to improve user awareness and strengthen password security practices.