Academic notes #1: “‘Passwords Keep Me Safe’ – Understanding What Children Think about Passwords”

This is the first of what might be a series of posts about academic research I’ve read/watched.

Today’s talk is called “‘Passwords Keep Me Safe’ – Understanding What Children Think about Passwords” from USENIX Security 2021.

This is the first large-scale study of kids and passwords and the results don’t seem too surprising (in a good way; you really want this type of study to be a baseline for future research). Children, like adults, don’t always make the best password choices even when they can parrot back the “right” answers about good password behaviour. The perception of the value of passwords changed between age groups in a way that seems to line up with cognitive changes and life needs.

I thought the sharing stuff was interesting. The researchers commented that password sharing starts around middle school, corresponding to when kids develop the sort of relationship where secret-sharing is how you build connection. And sure, that’s not an unreasonable explanation. But I remember sharing passwords in high school and my big motivation was that the school provided no way for us to communicate or share data, so we had to share passwords if we wanted to leave each other notes, share programs we wrote for each other, etc. And honestly, that’s not too different from the reasons adults share passwords: no way to share permissions or access. Heck, even as a full-fledged security professional, I have a bunch of shared accounts with my husband entirely because there’s no way for us both to get logins to certain things like our vacuum cleaner. So… sure, secrets are part of it. I definitely didn’t share passwords/locker combos with folk who I didn’t trust. But I strongly suspect that usability is as big a factor as social secret sharing for many kids, unless school systems have gotten a lot more flexible than I remember.

Also interesting to me: elementary school kids tended to use more all-numeric passwords. My pre-reading child only knows the password for keypad locks, which is numeric. Is he going to use that as a password when he gets older? Probably. Do elementary school kids mostly have phone numbers and birthdays memorized any more?

The conclusion was that there was space to teach kids more about passwords, which is probably true, but I found it interesting how much kids already knew about them at a superficial level.

I’d love to see a study on security questions and younger kids, thanks to a group of kids I know who broke into a lot of their middle-school classmates’ accounts to see if they could. (They were pretty successful and not particularly malicious.) A lot of the common questions are pretty guessable at early ages.

I’d also *really* like to see a study on teaching kids to use password managers, since “using one password for everything” was on the list of bad behaviours. I took part in a usability study on password managers ages ago and it wasn’t so good back then, but they’ve improved a lot. I expect I’ll have to teach my kid how to use one eventually… especially if I want him to use the annoying shared robot vacuum password.

Academic notes series

I mentioned in my previous post that I was feeling a bit weird about not really being connected to the academic world any more. I’m still sorting out how I feel about that and whether I have any long term plans, but I thought it might be nice to listen to some talks and write about them. I used to maintain a blog called Web Insecurity where I put public notes about the stuff I was reading but I got out of the habit after I graduated. So this is sort of the continuation of that, updated for “tired mom to a pre-schooler in a pandemic” levels of effort.

Ground rules:

  1. I’m not an academic any more, so I’m going super casual here: I’m going to watch a talk, probably not read the paper, and definitely not do deep due diligence on related work. (I am happy to have people point out interesting related work if you think I’d like it!)
  2. I’m going to prioritize conferences/publications with open access because I’m hoping some of you will read/watch the same things and have thoughts to share in the comments here.
  3. I’m going to do like I do with book reviews and aim for kind. Peer review defaults to constructive criticism but I’m not part of that process in this context so I can just highlight stuff I thought was interesting and largely ignore stuff I didn’t.
  4. I haven’t decided how often I’ll do this or how long I’ll keep it up yet.

It also bears reminding: My opinions and thoughts are not necessarily shared by my employer. This is a personal lifelong learning project and is not part of my day job.

Anyhow, first talk notes coming up in a separate post!

Moving my speaking list from terri.toybox.ca

My website hosting changed on the backend quite a while ago, and I decided to redirect terri.toybox.ca to here rather than continue to maintain it. I have all the data, but the site was written in the age of PHP when I was a web dev and not a security professional. It was time to let it go. For the most part, I’m ok with letting some old content disappear, but one thing that was useful was my (mildly incomplete) list of presentations, teaching and speaking engagements. So that’s been moved to the new site now.

It looks like it’ll need some formatting fixes and I haven’t figured out how I’m going to handle storage of old papers and talk recordings so some of the old links won’t work, but it’s a start.

It really strikes me how much I’ve left academia when I can leave my publication list offline for months and it’s no big deal. Okay, not really offline, it’s still on Google Scholar and LinkedIn, but publishing used to be such a huge part of what I did and it’s weird that it’s not? I’d never intended to stay in academia, but I do miss research and publishing even as much as it is a lot of work. I guess I need to spend some time trying to find research and publication opportunities as part of my day job, but honestly I haven’t even had the energy to do more than one talk this year (thank you pandemic, thank you lack of childcare, but also thank you incredibly ridiculous series of hoops I have to jump through at work to talk about security publicly). But I’m listening to industry security talks today and feeding my brain with other ways of doing things, so it’s not like I feel like I’m stagnating, just that I spend more time incrementally improving on best practices and security communication and less time on “novel solutions to novel problems.”

Huh, maybe that’s where I need to go next: research into security communication and practices? There’s so much to do in here but actually getting data that you can track, let alone publish, is an issue. Oh well, things to noodle on for now.

Fiber goals 2021: the rejected ideas

When I did my August check-in I’d already achieved all of 2021’s goals. (August goals post.) So let’s talk about the other non-goals I’d talked about first. (2021 goals post.)

1. Spinning Techniques

I did try out core spinning! I only did a little sample but I’ve got plans for more. My real problem is that I’m not sure what to do with the finished fiber. It’s a bit thick for the stuff I usually make. Still fun just to do it, though.

I took part in a plying sample-along via Jillian Moreno’s Patreon, which honestly taught me some surprising things about how much I like marled tonals at different ply levels. It turns out I loved the two and three plies a lot, and I even liked my singles more than I expected. I don’t love commercial single ply so I wasn’t expecting to like it at all, but it was ok. I do think I’ll try to go back and do her woolen to worsted one too.

I did get to know (and love) the new magnetic head for my spinning wheel. But mostly I did familiar stuff and that’s ok because it means I’ve got a bunch of handspun I’m ready to actually use.

2. Being intentional about purchases

I definitely did this one. I stopped following a number of larger yarn companies and started curating my Instagram to include more dyers who were part of marginalized communities. I bought more adorable stitch markers and patterns (even patterns I’m not sure I’ll ever get time to make!)

That said, I still have a bit of a stash problem. But I at least don’t feel like I’ve made it worse? And I do feel like I made a few creators who I admire happy!

3. Dyeing

Did some with my toddler. The solar dyeing and the “dye using tree bits” were fun. I’ve got some more ideas here now that it’s cool enough for us to be outside for this again.

4. Craftsy

I wound up using Craftsy for quilting stuff while I was on sabbatical, but after that I haven’t made time for it. So I went to cancel my subscription today and… The phone number they tell you to call is a very scammy “you may have already won a gift card…” message and the whole interaction raised all my red flags as a security person when they tried to charge a cancellation fee and couldn’t use my card on file. Not sure if they were hacked or the company that bought them is just a giant scam.

Normally I’d take to social media to figure out what’s up, but Facebook is down today and no one answered on Twitter, so I’m not sure what to do next. I made sure they had an empty gift card for renewal and I’ll try to dig through my email to see if I had a different cancellation method at the beginning. But I anticipate this only ending with a stop payment on my credit card.

I expected cancellation to be a big pain but that is above and beyond. I definitely won’t be doing business with Craftsy again.

5. Embroidery

I did some! Finished my old pysanky egg, made a dent in my xmas trees, and bought a pretty constellation sampler from kiriki.

Haven’t tried to do anything special on the embroidery front, but that’s ok. Glad that I’m still enjoying it enough to do a few kits per year. It’s a very nice break when I need to do something physically different from knitting. I actually started getting sore from socks so I needed some break time.

6. Design and design tools

I finally made pyKnit, my Python knitting math open source/free project. I’ve used it to adjust things, gave a talk about it at PyCon 2021, and had people working with me on it during the PyCon sprints. I’m pretty pleased with that!

I’ve got more that I want to do with it, but I’m glad to say that it got to the point of being useful and being in good enough shape documentation-wise that people could help me. Wish I had more time to hack on it, but that’s always the problem with ideas.

Didn’t release any knitting designs, but I did get one put into pyKnit’s examples, so that’s fun.

In summary…

Despite these being not really goals, I feel like I got pretty far on them. My only regret is Craftsy, which I suspect is going to turn into a giant mess because I can’t seem to cancel the auto-renewal properly.