Academic notes #1: “‘Passwords Keep Me Safe’ – Understanding What Children Think about Passwords”

This is the first of what might be a series of posts about academic research I’ve read/watched.

Today’s talk is called “‘Passwords Keep Me Safe’ – Understanding What Children Think about Passwords” from USENIX Security 2021.

This is the first large-scale study of kids and passwords and the results don’t seem too surprising (in a good way; you really want this type of study to be a baseline for future research). Children, like adults, don’t always make the best password choices even when they can parrot back the “right” answers about good password behaviour. The perception of the value of passwords changed between age groups in a way that seems to line up with cognitive changes and life needs.

I thought the sharing stuff was interesting. The researchers commented that password sharing starts around middle school, corresponding to when kids develop the sort of relationship where secret-sharing is how you build connection. And sure, that’s not an unreasonable explanation. But I remember sharing passwords in high school and my big motivation was that the school provided no way for us to communicate or share data, so we had to share passwords if we wanted to leave each other notes, share programs we wrote for each other, etc. And honestly, that’s not too different from the reasons adults share passwords: no way to share permissions or access. Heck, even as a full-fledged security professional, I have a bunch of shared accounts with my husband entirely because there’s no way for us both to get logins to certain things like our vacuum cleaner. So… sure, secrets are part of it. I definitely didn’t share passwords/locker combos with folk who I didn’t trust. But I strongly suspect that usability is as big a factor as social secret sharing for many kids, unless school systems have gotten a lot more flexible than I remember.

Also interesting to me: elementary school kids tended to use more all-numeric passwords. My pre-reading child only knows the password for keypad locks, which is numeric. Is he going to use that as a password when he gets older? Probably. Do elementary school kids mostly have phone numbers and birthdays memorized any more?

The conclusion was that there was space to teach kids more about passwords, which is probably true, but I found it interesting how much kids already knew about them at a superficial level.

I’d love to see a study on security questions and younger kids, thanks to a group of kids I know who broke into a lot of their middle-school classmates’ accounts to see if they could. (They were pretty successful and not particularly malicious.) A lot of the common questions are pretty guessable at early ages.

I’d also *really* like to see a study on teaching kids to use password managers, since “using one password for everything” was on the list of bad behaviours. I took part in a usability study on password managers ages ago and it wasn’t so good back then, but they’ve improved a lot. I expect I’ll have to teach my kid how to use one eventually… especially if I want him to use the annoying shared robot vacuum password.