166

Consider a young (primary-school age) child who is starting to collect passwords for online services. How can a parent (or equivalent) help them manage their passwords?

An example to make things clearer: My daughter might want to log on to http://scratch.mit.edu from several locations/devices to show her projects to the family. She also has a couple of email addresses, one of which she's likely to be using herself soon (under supervision). While her own device will be logged in, she may need access from others.

So far I take care of it for her: I know her password and (pseudonymous) user ID, and store them in my KeePass. That's appropriate at this stage, but it's not much help if she needs them without me (short of sending login details in plaintext to her grandparents, for example). There should also be a solution that doesn't require me to possess these details, from the point of view of sticking to the general rule of keeping your login details secret. Memorising a really strong master password is probably a bit much to ask, and she's likely to mislay any physical storage.

I like to plan ahead, so moving forwards: What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?

Chris H
  • 42
    We've had a good few questions on password management in general, but I don't believe we've dealt with the aspects specific to kids: training and the fact they're kids. – Chris H Aug 01 '19 at 15:02
  • 1
    Great question! What sort of age range are you thinking of? – Anders Aug 01 '19 at 15:03
  • 7
    @Anders our edits crossed, but I've added a deliberately vague "primary age". In my case the early half of that - she's a little young for scratch but is starting to enjoy it – Chris H Aug 01 '19 at 15:06
  • 3
    @ChrisH "Primary-school age" is likely to mean different things in different countries. It would be good if you can specify an age range in years. – Chris Hayes Aug 02 '19 at 06:53
  • 4
    @ChrisHayes primary education always refers to the first few years after starting school. Definitions vary but the range 5-10 years is representative and as specific as I want to be – Chris H Aug 02 '19 at 07:37
  • I have my 6 year old use the names of his two favourite superheroes written down in his favourite notebook. Young children do not necessarily need to know the explicit detail as to why, just that it's necessary. – ggdx Aug 02 '19 at 12:33
  • @ggdx One thing I really want to push is unique passwords - if the password for Scratch (continuing with the example above) leaks, I don't want that to give access to her email account, or (later on) social media - how does your approach help there? Am I missing something? She came up with a username that says nothing about her and a random part of the password, to which I added a bit to make it long enough, so she's doing pretty well. On the other hand I'm wary of notebooks because she has dozens that appear and disappear all the time – Chris H Aug 02 '19 at 13:50
  • 1
    @ChrisH I can only answer this with reference to the capabilities of my 6yo. He is still learning to read and write. All of his online accounts are registered to me, I do not allow him to have an email address so forgotten passwords are no problem. Random does not have any true meaning to him yet. I teach him that they need to be hard, and what constitutes hard with reference to my perception of his capability, and they are pretty difficult, long passwords. The entropy probably is a little low but for a 6yo, it's more about building a habit of behaviour than explaining what entropy means. – ggdx Aug 02 '19 at 14:17
  • @ggdx my point was about supporting different passwords for different accounts. Your method appears to produce exactly one password – Chris H Aug 02 '19 at 14:18
  • In the U.S., under age 13 cannot have accounts. For example, any SE site will immediately close an under 13 account. I have seen that happen when the OP admitted to being 12, then even edited to remove the admission. There are severe legal implications to U.S. sites for such accounts. Laws vary by the site jurisdiction. – Ron Maupin Aug 04 '19 at 03:41
  • @Ron some sites use a system involving the parent's email address, so the account is for the use of the child but under the control of the parent. My example is one such site. Email accounts are another important case (I don't care what the US says about those - my mail server is an ocean away). – Chris H Aug 04 '19 at 06:55
  • 1
    @RonMaupin Actually, sites just aren't allowed to collect personal information from people younger than 13. Many sites extend that to banning registrations from people that young because they don't want to be bothered asking for age and implementing complex legal regulations for those specific people's accounts. – forest Aug 05 '19 at 07:28
  • 1
    One thing *not* to do (from experience): do *not* get a small box for holding index cards and have them write down the passwords on index cards. You'll end up with loose password cards all over the desk and/or their room and "mommy/daddy what's my password for YYYY, I lost my card" every week or so. – Ben Aug 06 '19 at 16:38

5 Answers

98

Maybe the lesson for children should be less about how to use tools to manage a password, and more about understanding why managing passwords is important?

Let them write their passwords in a notebook. Have fun with devising a method for obfuscation in case the notebook is lost. Teach them about backups - keeping a copy someplace safe. In my experience, kids and old people are a lot alike when it comes to password (mis)management.

Until they were skilled enough to manage their own password database, I also kept the kids' logins in a "family KeePass". This is the same one where the aged family members' stuff is - because people die and sometimes you need to recover things for otherwise unable people. The trust/risk calculus is different in a family group than in a work or social circle. There is also a difference between sharing access to a password and sharing a password.

It is awesome that you are thinking about this early. Good luck!

Machavity
not_very_nice
  • 45
    I'm not sure why this was downvoted... Possibly because of the advice to write passwords down. While not great advice, it's not the _worst_ advice either, and is orders of magnitude better than reusing passwords. Especially if the passwords are obfuscated. (Hopefully a child isn't the target of a state-level-actor. ;-) ) – Ghedipunk Aug 01 '19 at 15:52
  • 5
    @Ghedipunk obfuscation may be a little optimistic and kids are prone to losing things (and trying to solve the puzzles in their friends' notebooks for ill-advised pranks). But scepticism about one point didn't make a negative for me (+1 in fact) – Chris H Aug 01 '19 at 16:32
  • 4
    Storing a hard copy is generally a good idea, as long as it is secured. This is real world mitigation. Like backdoors, everybody speaks against it, but realises the necessity of it. No password, no "miles". – mckenzm Aug 02 '19 at 00:14
  • 6
    @mckenzm Completely unlike backdoors. A backdoor is bad pretty much by definition. You are probably thinking of something like giving the key to your front door to a friend. Also in general it's bad to bring up unrelated topics in comments because then people like me feel the need to disagree (instead of just upvoting your comment that writing down passwords is a good idea in some circumstances). – Nobody Aug 02 '19 at 10:47
  • 1
    @ChrisH I saw that suggestion and thought "decoder ring", but the obfuscation could be as simple as incrementing every digit in the passwords by 1. –  Aug 02 '19 at 11:13
  • 11
    [Relevant XKCD](https://xkcd.com/2176/) regarding writing down passwords. – Draco18s no longer trusts SE Aug 02 '19 at 16:56
  • Rather than writing down passwords (since that is a bad idea), perhaps combining it with memorization and visualization techniques for improved memory? Also - if several passwords are required - perhaps relate them to each other to ease memorization? (yes passwords shouldn't be related, but...) – Baard Kopperud Aug 03 '19 at 17:55
30

> Memorising a really strong master password is probably a bit much to ask

I disagree! I have a daughter who, at around 7, was able to quickly memorize a very strong password using the Diceware method for use in a password manager. This method works by picking several random words from a dictionary typically composed of 7,776 words. This is also, by no coincidence, the number of possible results of five independent rolls of a 6-sided dice. As such, you can use real dice to generate your passwords (and although you can buy casino-grade die if you wish, the bias is so small that it doesn't really matter). A mere 9 words (45 dice rolls assuming you have just one dice) provides log2(7776^9) ≈ 116 bits of security which is more than adequate for a password.

If you use a password manager that supports password-strengthening with a slow KDF algorithm like PBKDF2, bcrypt, or Argon2, you can reduce the length of the password even further. Using 262,144 (2^18) hash iterations, you'll increase the security of a 6 word password to log2(7776^6) + 18 ≈ 96 bits. An example password generated using this method is:

octopus handrail chasing hull shy ambition

That's not hard to remember! It does take some practice and it's not as easy as memorizing a weak password with just one or two words or the name of a pet, but it is something that a child, even a young child, is able to do. And unlike remembering a traditional password where you're out of luck if you forget what special symbol you used or where a character went, a diceware password can be trivially recovered even if some words are spelled wrong (just look in a dictionary).

You can use either the original diceware list or one of the three lists created by the EFF. The benefit of using an EFF wordlist instead of the original is that you can avoid picking obscure words like "ibex" or potentially inappropriate words like "anus", but at the expense of picking words that are longer on average. Simply rolling again when you want a different word is not acceptable because it reduces the keyspace and effectively weakens the password.


Some password managers support multiple equivalent master passwords, making it possible for you to keep a backup password until you are sure your daughter won't forget hers. Then you can revoke your own password so you don't need to have unnecessary access to her passwords.

> and she's likely to mislay any physical storage.

If you don't want to synchronize the password database, you can use a stateless password manager. This is a password manager which uses a combination of an identifier for the service you want to log into, as well as a single, strong master password. A stateless password manager works by hashing a concatenation of your master password and the service identifier. It has a few downsides, though:

  1. You can't change a site's password without changing the identifier or master password.

  2. If your master password is ever compromised, so are all your site passwords.

  3. The master password must be strong enough to resist attacks on its own.

If reliance on a storage device to hold the password database is simply unacceptable, then stateless password managers are absolutely the way to go. They can be very secure if used correctly.

forest
  • 8
    The hardest part for a young child is consistently spelling a larger vocabulary than is used by the dictionary. – jpaugh Aug 02 '19 at 19:04
  • 3
    Still, teaching the concepts is probably *waay* more important than getting it secure --- similar to the strategy taken by dentists when dealing with children. – jpaugh Aug 02 '19 at 19:07
  • 1
    @jpaugh The nice thing about using words as symbols instead of characters is that, if they forget how to spell it, they can always use spell check or a dictionary. Compare this with a "traditional" password where you're out of luck if you forget which special character you used or what position it was in. – forest Aug 03 '19 at 07:23
  • 2
    This is the correct answer. [Horses, batteries and staples](https://xkcd.com/936/) agree – Machavity Aug 03 '19 at 14:52
  • 1
    You probably want to seek out a more child-friendly wordlist than the traditional diceware wordlist, possibly from the EFF or building your own from "basic English" or early education word lists. The good news is kids probably don't have very many high-value accounts; you can teach the proper techniques, etc. with a shorter word list than you'd use for more high-value accounts as an adult. – Ben Aug 06 '19 at 16:33
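As an added example (not code from forest's answer, nor from any password manager it names), the Diceware arithmetic above and the stateless-manager idea, in Python's standard library only. The word list is a constructed stand-in for a real 7,776-word Diceware or EFF list; `dice_to_index` shows how five rolls key such a list, `passphrase_bits` reproduces the ≈116-bit and ≈96-bit figures from the answer, and `stateless_site_password` derives a per-site password from master password plus service identifier with PBKDF2-HMAC-SHA256 (my choice of slow KDF here, not a claim about what any particular stateless manager uses), so the deterministic-output downsides listed above can be observed directly.

```python
# Added example (not from forest's answer or any project it names): the
# Diceware arithmetic quoted above and a toy stateless password manager,
# using only Python's standard library.
import base64
import hashlib
import math
import secrets

DICEWARE_SIZE = 6 ** 5  # 7,776 words: one per outcome of five d6 rolls

# Constructed stand-in for a real Diceware or EFF list (too long to embed).
# Entropy depends only on the list size, so the arithmetic is unchanged.
TOY_WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_SIZE)]


def dice_to_index(rolls):
    """Map five d6 rolls (each 1..6) to an index 0..7775 into a Diceware list.

    Printed lists are keyed this way: 11111 is the first word, 66666 the last,
    so the five digits are simply a base-6 number.
    """
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls in the range 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def passphrase_bits(list_size, word_count, kdf_iterations=1):
    """Entropy of word_count uniform picks from a list of list_size words.

    A slow KDF with kdf_iterations iterations multiplies the attacker's work
    per guess, worth log2(kdf_iterations) extra bits; that is the
    "strengthening" the answer applies to six words plus 2**18 iterations.
    """
    return word_count * math.log2(list_size) + math.log2(kdf_iterations)


def generate_passphrase(word_count, wordlist=TOY_WORDLIST):
    """Pick words with the OS CSPRNG (secrets), the software equivalent of
    honest dice. Never use random.choice for this."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def stateless_site_password(master, service, length=20):
    """Toy stateless manager: password = KDF(master, salt=service identifier).

    Nothing is stored, so there is no database to lose or sync. The same
    inputs always give the same output (downside 1: a site password cannot be
    rotated without changing the identifier or the master), and anyone holding
    the master can derive every site password (downside 2). PBKDF2-HMAC-SHA256
    with 2**18 iterations is the slow KDF used here; url-safe base64 turns the
    32-byte result into a typeable password without modulo bias.
    """
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), service.encode(),
                                 2 ** 18, dklen=32)
    return base64.urlsafe_b64encode(digest).decode()[:length]


if __name__ == "__main__":
    print("roll 6,6,6,6,6 ->", dice_to_index([6, 6, 6, 6, 6]))
    print("9 words:", round(passphrase_bits(DICEWARE_SIZE, 9), 1), "bits")
    print("6 words + 2^18 iterations:",
          round(passphrase_bits(DICEWARE_SIZE, 6, 2 ** 18), 1), "bits")
    master = generate_passphrase(6)
    print("master:", master)
    print("scratch.mit.edu ->", stateless_site_password(master, "scratch.mit.edu"))
```

The answer's point about rerolling can be quantified with the same function: skipping words you dislike is equivalent to drawing from a shorter list, so `passphrase_bits(7776 - skipped, 6)` gives the reduced figure. The third downside (the master must resist attack on its own) is visible in `stateless_site_password` too: the service identifier is public, so the master passphrase is the only secret input.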
15

"Logging in from multiple devices" if you do not own them, is one habit that would need to be stopped for general security.

Once you own all the devices in the scenario, one method that I saw for young people that was useful is to avoid dealing with passwords altogether: use the "forgot password" process.

If the device is owned and access to email is on the device, then you simply request a password reset link and use that. Nothing to remember.

Another method is to use an online, family password manager (LastPass has this feature, for instance). This feature is designed specifically for this problem, but it has a cost, and you might not like the cloud storage and multi-device syncing. But having this and managing it for your child might be worth it.

You could also teach a strong password pattern. Yes, patterns have an inherent and obvious vulnerability, but it is a method that can be considered for your personal risk assessment.

I'm a fan of the "password reset" process, myself.

schroeder
  • 2
    Multiple devices - still true even if we restrict to immediate family (i.e. those who manage her devices). I will open that up to trusted (by me and her) adults who have complete physical access to her devices (e.g. grandparents). Restricting it beyond that is pointless paranoia and at odds with advice regarding a child's physical safety. Your blanket statement is still an unrealistic ideal - the days of "you must check in on a device capable of printing no more than 24 hours in advance" and similar stupid processes aren't completely gone. – Chris H Aug 01 '19 at 16:26
  • "forgot password" is a nice idea, though for some services it still takes ages and I'm looking at ways of restricting her email so I review mystery senders. It doesn't (and neither does an online service) deal with the boot password for my desktop, on which she has her own account – Chris H Aug 01 '19 at 16:29
  • 1
    You might need to edit your question to include the scope of the types of accounts you need to account for. Your example was for online services. If you include physical devices, then you are left with either simple memory, or alternate login options, which is beyond the scope of your desire for "password management". – schroeder Aug 01 '19 at 16:49
  • 4
    I actually have a *big* problem with my child logging into her grandparent's devices. Just because they have full control of the devices my child does, does not make the grandparent's devices trusted, secure, or safe. – schroeder Aug 01 '19 at 16:51
  • I have mixed feelings. Without going into too much detail, some I trust as I would my own, but others - let's just say I haven't had to fix them for a while. The physical devices came in mainly as an illustration of comparable issues, and aren't meant to be part of the real question. The boot password was maybe a red herring - after all, her access to that machine is supervised and under my control. – Chris H Aug 01 '19 at 17:23
  • 18
    @schroeder I think this is a "what's your threat model?" issue. Is "grandparents' device is compromised -> child's account is compromised -> some form of harm" a pathway you're concerned about? Clearly it's a concern for you, which is fine, but it isn't for everyone, especially given the low risk of harm that comes from potentially revealing the password to a child's Scratch account. And that threat needs to be measured against the value (the joy of sharing her projects with family) and the risks of alternatives (bringing a device for her to use could mean it gets damaged or lost). – Zach Lipton Aug 02 '19 at 02:44
    @ZachLipton yes, that's part of it, but as the OP said, one of the requirements is to "train good practice in advance". Making it a habit to log into personal accounts on devices you don't own is a habit that needs to be stopped. Risk assessments always need to be made, as per normal. As for "bringing a device for her", that does not appear to be a big barrier as most kids able to start using something like Scratch already travel with a variety of devices. – schroeder Aug 02 '19 at 06:46
  • 5
    Don't rely on the 'forgot password' process. Before I got my act together, I was always forgetting mine for one particular eCommerce site, and after several password resets, they threatened to ban me as I looked like a security risk. I smartened up and started using KeePass. – Neil_UK Aug 02 '19 at 07:12
  • 3
    @schroeder if mobile devices are banned in school and the child starts the day at home before going to the grandparents' afterwards, they can't take their own tablet. This is common, as is loss/theft/damage of physical hardware in the care of a child. Do you claim never to log in to any personal accounts on an employer-provided machine (a prime example of a "device you don't own")? That's a pretty extreme position, and quite far from where I draw the line about risk. I'd risk a few low-value accounts over a single piece of high-value hardware – Chris H Aug 02 '19 at 07:41
  • BTW (also @ZachLipton) Scratch was just the example that got me thinking - but a useful example because of the age range it's aimed at and the (almost) lack of social features – Chris H Aug 02 '19 at 07:42
    I used KeePass when on Windows, because I could carry the program and its data file on a USB stick, but I haven't used Windows since I retired. Do they _still_ not have something built in? But since KeePass was a Windows executable, I couldn't use it on Linux, Apple, BSD, etc. Apple devices have had a similar feature for ages, and quite some time ago, they added the capability to generate a strong password (which unfortunately is sometimes not accepted by sites with really stupid rules). – WGroleau Aug 02 '19 at 14:08
  • @WGroleau Any sufficiently strong password will be rejected by a bank! – jpaugh Aug 02 '19 at 19:18
  • Some banks. Many banks and other entities have rules that guarantee strong passwords, but which nevertheless do not accept those generated by Apple’s algorithm, which tends to look a lot like a GUID. – WGroleau Aug 02 '19 at 19:50
0

Now I am not sure if I am right but I think teaching basic mnemonic techniques to kids seems like a wonderful idea to me. It's a skill that will help her lifelong and will also aid in avoiding writing down any passwords and low-entropy passwords. Consider a 10-digit gibberish password such as 1kej@!lej2. This could be easily remembered if you just made up a story by using characters of the password. Schroeder's advice also seems good, to be honest. You could also teach her in time "how to generate passwords with sufficient entropy" and use a password manager. Until then, mnemonics should do fine for kids. They have a vivid imagination.

EDIT: The answer that I wrote is wrong. The mnemonics part is correct but the password I chose is not sufficiently lengthy or easy to memorize. This question goes into the math and usability issue in detail. A far better method is the one written by forest in his answer.

AndrolGenhald
yeah_well
  • 4
    It's a nice idea, and works for a few passwords, but *I* can't remember more than a handful that way. It seems optimistic to expect this approach to last long given how many passwords people acquire. – Chris H Aug 01 '19 at 16:34
  • 1
    "Memorising a really strong master password is probably a bit much to ask".I was pretty much commenting on this one actually.But you are right trying to remember 30-35 tough password's even with mnemonics is rather tough/impossible. – yeah_well Aug 01 '19 at 16:36
  • 2
    I would highly recommend not using this weak password that is hard to remember, especially for kids, and instead use the diceware method. – RedBorg Aug 02 '19 at 16:03
  • 1
    @forest's answer is a lot more sensible/age appropriate – George M Reinstate Monica Aug 02 '19 at 16:59
  • @RedBorg the diceware method is used for creating passphrases with sufficient entropy; it has nothing to do with remembering passwords – yeah_well Aug 02 '19 at 17:01
  • @GeorgeM yes. I never said otherwise – yeah_well Aug 02 '19 at 17:01
  • 1
    That gibberish password reminds me of https://www.xkcd.com/936/ – multithr3at3d Aug 03 '19 at 16:43
-2

Great question/topic, and if the definition of password "management" here also includes "password generation" I would provide a Python program or similar that generates cryptographically-secure passwords of various lengths with just a few lines of code, and show the child how to easily run the program anytime they need a strong password. (as this would be a better habit in my opinion than thinking of a strong password each time).

Here is a rudimentary example I built that is cryptographically-secure using the secrets module in Python and library of 64 characters: https://github.com/hatgit/hatnotation/blob/master/Hatnotation-Password-Generator.py

Such 'secure' passwords, however, cannot be easily remembered as they look like a string of machine-readable code, unless the underlying binary is converted to mnemonic words so it can be easily written down.

I've also built an encoder/decoder (notation system called Hatnotation) and with the above compatible password generator for educational purpose, the underlying binary could be pasted into a mnemonic code converter, such as follows:

A random 22-character password generated from the range of 64 characters where 64^22 == 2^132 in terms of bits of security/entropy, using the Hatnotation password generator: }FT}:+3'Z;:BB,LY^>EOPF

Underlying 132-bit binary that represents those 22 characters (non-ASCII; these are Hatnotation-encoded characters): 010111000100111100011011111011011001000010110100010100010011111001011111111100010101110000010111101011100110101100011100100001011101

Converted 132-bits into a mnemonic based on the BIP39 English wordlist (excluding checksum, and which can be an alternative to the Diceware options that @Forest provided), using a mnemonic converter that can work offline on a standalone basis:

shaft mistake rent bird eye very wisdom return kit culture improve ritual

An alternative is to teach them how to generate entropy in binary or hex format using the command line or code compiler (which is faster than flipping coins), and how to paste such binary into the mnemonic converter of their choice depending on the wordlist used (even if it is their own custom wordlist). In Python, there are a few secure ways to do so using the built-in secrets, uuid4() and os.urandom modules.

P.S. In terms of storage/password-custody retrieval, if passwords are saved in the browser's native manager, and there is a concern about logging into the browser (i.e. Google Chrome) session from public or other potentially-unsafe locations in order to access passwords for logging in to services such as the Scratch.Mit.edu website, I think adding a 2FA app such as Google Authenticator (assuming the youngster has a cell phone or compatible device, even if it is offline) could reduce the risks of those passwords being accessed by an adversary, if the login info was otherwise compromised.

  • 2
    -1 a question about password management for kids is not the place to promote homebrew password generator scripts. -1 recommending to teach a kid to "generate entropy in binary or hex format using the command line or code compiler" does not seem to make any sense. -1 "Hatzakis Base 64" why make another variant of base64?! – Luc Aug 06 '19 at 13:25
  • Where did you see homebrew? All software is trusted at some level, and I mentioned that the secrets module in Python is cryptographically-secure. The notation system I noted was made for educational purposes, and I listed alternatives. We can agree to disagree, I think my answer adds some good ideas and maybe some that aren't good for all cases. It's also a matter of opinion and style. What doesn't make sense to you about teaching a kid to use the command line or a compiler to generate entropy? It's something that adults should even do. – Steven Hatzakis Aug 06 '19 at 13:49
  • Again, the end of the question states: "What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?" So I don't think what I added was too far off, especially as kids are becoming even more computer-savvy. – Steven Hatzakis Aug 06 '19 at 13:54
  • _"why make another variant of base64"_ - opened [hatgit/hatnotation#9](https://github.com/hatgit/hatnotation/issues/9) to address this – Eric Aug 19 '19 at 23:40
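As an added example (this is not the Hatnotation code linked in the answer, nor a BIP39 library), the same pipeline the answer describes, in Python's standard library: a `secrets`-based generator over a 64-symbol alphabet (so 22 characters carry exactly 132 bits, as the answer states), the conversion of that password to its underlying bits, and the chunking of those bits into 11-bit word indices. The alphabet (`ALPHABET64`, letters, digits, `-` and `_`) is my own choice and not the Hatnotation one, and `TOY_WORDLIST` is a constructed stand-in for a 2,048-word BIP39-style list; the bit arithmetic is what matters, and the checksum a real BIP39 mnemonic appends is omitted, as in the answer's "excluding checksum" note.

```python
# Added example (not the answer's Hatnotation code, nor any BIP39 library):
# a standard-library password generator and the password -> bits -> words
# conversion the answer describes, with a constructed stand-in word list.
import math
import secrets
import string

# 64 symbols, so every character carries exactly 6 bits: 64**22 == 2**132.
# This alphabet is an assumption for the example, not the Hatnotation one.
ALPHABET64 = string.ascii_letters + string.digits + "-_"

# Constructed stand-in for a 2,048-word BIP39-style list (the real list is too
# long to embed). Only the 11-bits-per-word arithmetic (2048 == 2**11) matters.
TOY_WORDLIST = [f"w{i:04d}" for i in range(2048)]


def generate_password(length=22, alphabet=ALPHABET64):
    """Uniform picks from the OS CSPRNG via secrets, never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_bits(length, alphabet=ALPHABET64):
    """Security of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def password_to_bits(password, alphabet=ALPHABET64):
    """Write each symbol's alphabet index as a fixed-width bit string."""
    width = int(math.log2(len(alphabet)))
    if 2 ** width != len(alphabet):
        raise ValueError("alphabet size must be a power of two for a clean mapping")
    return "".join(format(alphabet.index(c), f"0{width}b") for c in password)


def bits_to_words(bits, wordlist=TOY_WORDLIST):
    """Chunk a bit string into log2(len(wordlist))-bit groups, one word each.

    132 bits over a 2,048-word list gives 12 words, as in the answer. A real
    BIP39 mnemonic also appends a checksum; this conversion omits it.
    """
    width = int(math.log2(len(wordlist)))
    if 2 ** width != len(wordlist):
        raise ValueError("word list size must be a power of two")
    if len(bits) % width or set(bits) - {"0", "1"}:
        raise ValueError(f"bit string must be a multiple of {width} bits of 0/1")
    return [wordlist[int(bits[i:i + width], 2)] for i in range(0, len(bits), width)]


def words_to_bits(words, wordlist=TOY_WORDLIST):
    """Inverse of bits_to_words: recover the bit string from the words."""
    width = int(math.log2(len(wordlist)))
    return "".join(format(wordlist.index(w), f"0{width}b") for w in words)


if __name__ == "__main__":
    pw = generate_password(22)
    bits = password_to_bits(pw)
    print("password:", pw, f"({password_bits(22):.0f} bits)")
    print("bits:    ", bits)
    print("words:   ", " ".join(bits_to_words(bits)))
```

The word form is only a re-encoding of the same 132 bits, which is the usability trade the answer is making: a child can read back twelve words more reliably than 22 symbols, but the password and the mnemonic are interchangeable, so the written-down words need the same care as the password itself. Swapping in a real list is a one-line change as long as its length is a power of two.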