Academic notes #1: “‘Passwords Keep Me Safe’ – Understanding What Children Think about Passwords”

This is the first of what might be a series of posts about academic research I’ve read/watched.

Today’s talk is called “‘Passwords Keep Me Safe’ – Understanding What Children Think about Passwords” from USENIX Security 2021.

This is the first large-scale study of kids and passwords and the results don’t seem too surprising (in a good way; you really want this type of study to be a baseline for future research). Children, like adults, don’t always make the best password choices even when they can parrot back the “right” answers about good password behaviour. The perception of the value of passwords changed between age groups in a way that seems to line up with cognitive changes and life needs.

I thought the sharing stuff was interesting. The researchers commented that password sharing starts around middle school, corresponding to when kids develop the sort of relationship where secret-sharing is how you build connection. And sure, that’s not an unreasonable explanation. But I remember sharing passwords in high school and my big motivation was that the school provided no way for us to communicate or share data, so we had to share passwords if we wanted to leave each other notes, share programs we wrote for each other, etc. And honestly, that’s not too different from the reasons adults share passwords: no way to share permissions or access. Heck, even as a full-fledged security professional, I have a bunch of shared accounts with my husband entirely because there’s no way for us both to get logins to certain things like our vacuum cleaner. So… sure, secrets are part of it. I definitely didn’t share passwords/locker combos with folk who I didn’t trust. But I strongly suspect that usability is as big a factor as social secret sharing for many kids, unless school systems have gotten a lot more flexible than I remember.

Also interesting to me: elementary school kids tended to use more all-numeric passwords. My pre-reading child only knows the password for keypad locks, which is numeric. Is he going to use that as a password when he gets older? Probably. Do elementary school kids mostly have phone numbers and birthdays memorized any more?

The conclusion was that there was space to teach kids more about passwords, which is probably true, but I found it interesting how much kids already knew about them at a superficial level.

I’d love to see a study on security questions and younger kids, thanks to a group of kids I know who broke into a lot of their middle-school classmates’ accounts to see if they could. (They were pretty successful and not particularly malicious.) A lot of the common questions are pretty guessable at early ages.

I’d also *really* like to see a study on teaching kids to use password managers, since “using one password for everything” was on the list of bad behaviours. I took part in a usability study on password managers ages ago and it wasn’t so good back then, but they’ve improved a lot. I expect I’ll have to teach my kid how to use one eventually… especially if I want him to use the annoying shared robot vacuum password.

Academic notes series

I mentioned in my previous post that I was feeling a bit weird about not really being connected to the academic world any more. I’m still sorting out how I feel about that and whether I have any long-term plans, but I thought it might be nice to listen to some talks and write about them. I used to maintain a blog called Web Insecurity where I put public notes about the stuff I was reading, but I got out of the habit after I graduated. So this is sort of the continuation of that, updated for “tired mom to a pre-schooler in a pandemic” levels of effort.

Ground rules:

  1. I’m not an academic any more, so I’m going super casual here: I’m going to watch a talk, probably not read the paper, and definitely not do deep due diligence on related work. (I am happy to have people point out interesting related work if you think I’d like it!)
  2. I’m going to prioritize conferences/publications with open access because I’m hoping some of you will read/watch the same things and have thoughts to share in the comments here.
  3. I’m going to do like I do with book reviews and aim for kind. Peer review defaults to constructive criticism but I’m not part of that process in this context so I can just highlight stuff I thought was interesting and largely ignore stuff I didn’t.
  4. I haven’t decided how often I’ll do this or how long I’ll keep it up yet.

It also bears reminding: My opinions and thoughts are not necessarily shared by my employer. This is a personal lifelong learning project and is not part of my day job.

Anyhow, first talk notes coming up in a separate post!