169

Consider a young (primary-school age) child who is starting to collect passwords for online services. How can a parent (or equivalent) help them manage their passwords?

An example to make things clearer: My daughter might want to log on to http://scratch.mit.edu from several locations/devices to show her projects to the family. She also has a couple of email addresses, one of which she's likely to be using herself soon (under supervision). While her own device will be logged in, she may need access from others.

So far I take care of it for her: I know her password and (pseudonymous) user ID, and store them in my KeePass. That's appropriate at this stage, but it's not much help if she needs them without me (short of sending login details in plaintext to her grandparents, for example). There should also be a solution that doesn't require me to possess these details, from the point of view of sticking to the general rule of keeping your login details secret. Memorising a really strong master password is probably a bit much to ask, and she's likely to mislay any physical storage.

I like to plan ahead, so moving forwards: What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?

13
  • 46
    We've had a good few questions on password management in general, but I don't believe we've dealt with the aspects specific to kids: training and the fact they're kids.
    – Chris H
    Commented Aug 1, 2019 at 15:02
  • 2
    Great question! What sort of age range are you thinking of?
    – Anders
    Commented Aug 1, 2019 at 15:03
  • 8
    @Anders our edits crossed, but I've added a deliberately vague "primary age". In my case the early half of that - she's a little young for scratch but is starting to enjoy it
    – Chris H
    Commented Aug 1, 2019 at 15:06
  • 4
    @ChrisH "Primary-school age" is likely to mean different things in different countries. It would be good if you can specify an age range in years. Commented Aug 2, 2019 at 6:53
  • 5
    @ChrisHayes primary education always refers to the first few years after starting school. Definitions vary but the range 5-10 years is representative and as specific as I want to be
    – Chris H
    Commented Aug 2, 2019 at 7:37

5 Answers

103

Maybe the lesson for children should be less about how to use tools to manage a password, and more about understanding why managing passwords is important?

Let them write their passwords in a notebook. Have fun with devising a method for obfuscation in case the notebook is lost. Teach them about backups: keeping a copy someplace safe. In my experience, kids and old people are a lot alike when it comes to password (mis)management.

Until they were skilled enough to manage their own password database, I also kept the kids' logins in a "family KeePass". This is the same one where the aged family members' stuff is, because people die and sometimes you need to recover things for otherwise unable people. The trust/risk calculus is different in a family group than in a work or social circle. There is also a difference between sharing access to a password and sharing a password.

It is awesome that you are thinking about this early. Good luck!

7
  • 48
    I'm not sure why this was downvoted... Possibly because of the advice to write passwords down. While not great advice, it's not the worst advice either, and is orders of magnitude better than reusing passwords. Especially if the passwords are obfuscated. (Hopefully a child isn't the target of a state-level-actor. ;-) )
    – Ghedipunk
    Commented Aug 1, 2019 at 15:52
  • 5
    @Ghedipunk obfuscation may be a little optimistic and kids are prone to losing things (and trying to solve the puzzles in their friends' notebooks for ill-advised pranks). But scepticism about one point didn't make a negative for me (+1 in fact)
    – Chris H
    Commented Aug 1, 2019 at 16:32
  • 4
    Storing a hard copy is generally a good idea, as long as it is secured. This is real world mitigation. Like backdoors, everybody speaks against it, but realises the necessity of it. No password, no "miles".
    – mckenzm
    Commented Aug 2, 2019 at 0:14
  • 6
    @mckenzm Completely unlike backdoors. A backdoor is bad pretty much by definition. You are probably thinking of something like giving the key to your front door to a friend. Also in general it's bad to bring up unrelated topics in comments because then people like me feel the need to disagree (instead of just upvoting your comment that writing down passwords is a good idea in some circumstances).
    – Nobody
    Commented Aug 2, 2019 at 10:47
  • 11
    Relevant XKCD regarding writing down passwords. Commented Aug 2, 2019 at 16:56
30

Memorising a really strong master password is probably a bit much to ask

I disagree! I have a daughter who, at around 7, was able to quickly memorize a very strong password using the Diceware method for use in a password manager. This method works by picking several random words from a dictionary typically composed of 7,776 words. This is also, by no coincidence, the number of possible results of five independent rolls of a 6-sided die. As such, you can use real dice to generate your passwords (and although you can buy casino-grade dice if you wish, the bias is so small that it doesn't really matter). A mere 9 words (45 dice rolls assuming you have just one die) provides log2(7776⁹) ≈ 116 bits of security which is more than adequate for a password.

If you use a password manager that supports password-strengthening with a slow KDF algorithm like PBKDF2, bcrypt, or Argon2, you can reduce the length of the password even further. Using 262,144 (2¹⁸) hash iterations, you'll increase the security of a 6-word password to log2(7776⁶) + 18 ≈ 96 bits. An example password generated using this method is:

octopus handrail chasing hull shy ambition

That's not hard to remember! It does take some practice and it's not as easy as memorizing a weak password with just one or two words or the name of a pet, but it is something that a child, even a young child, is able to do. And unlike remembering a traditional password where you're out of luck if you forget what special symbol you used or where a character went, a diceware password can be trivially recovered even if some words are spelled wrong (just look in a dictionary).

You can use either the original diceware list or one of the three lists created by the EFF. The benefit of using an EFF wordlist instead of the original is that you can avoid picking obscure words like "ibex" or potentially inappropriate words like "anus", but at the expense of picking words that are longer on average. Simply rolling again when you want a different word is not acceptable because it reduces the keyspace and effectively weakens the password.


Some password managers support multiple equivalent master passwords, making it possible for you to keep a backup password until you are sure your daughter won't forget hers. Then you can revoke your own password so you don't need to have unnecessary access to her passwords.

and she's likely to mislay any physical storage.

If you don't want to synchronize the password database, you can use a stateless password manager. This is a password manager which uses a combination of an identifier for the service you want to log into, as well as a single, strong master password. A stateless password manager works by hashing a concatenation of your master password and the service identifier. It has a few downsides, though:

  1. You can't change a site's password without changing the identifier or master password.

  2. If your master password is ever compromised, so are all your site passwords.

  3. The master password must be strong enough to resist attacks on its own.

If reliance on a storage device to hold the password database is simply unacceptable, then stateless password managers are absolutely the way to go. They can be very secure if used correctly.

5
  • 9
    The hardest part for a young child is consistently spelling a larger vocabulary than is used by the dictionary.
    – jpaugh
    Commented Aug 2, 2019 at 19:04
  • 3
    Still, teaching the concepts is probably waay more important than getting it secure --- similar to the strategy taken by dentists when dealing with children.
    – jpaugh
    Commented Aug 2, 2019 at 19:07
  • 1
    @jpaugh The nice thing about using words as symbols instead of characters is that, if they forget how to spell it, they can always use spell check or a dictionary. Compare this with a "traditional" password where you're out of luck if you forget which special character you used or what position it was in.
    – forest
    Commented Aug 3, 2019 at 7:23
  • 2
    This is the correct answer. Horses, batteries and staples agree
    – Machavity
    Commented Aug 3, 2019 at 14:52
  • 1
    You probably want to seek out a more child-friendly wordlist than the traditional diceware wordlist, possibly from the EFF or building your own from "basic English" or early education word lists. The good news is kids probably don't have very many high-value accounts; you can teach the proper techniques, etc. with a shorter word list than you'd use for more high-value accounts as an adult.
    – Ben
    Commented Aug 6, 2019 at 16:33
15

"Logging in from multiple devices" if you do not own them, is one habit that would need to be stopped for general security.

Once you own all the devices in the scenario, one method that I saw for young people that was useful is to avoid dealing with passwords altogether: use the "forgot password" process.

If the device is owned and access to email is on the device, then you simply request a password reset link and use that. Nothing to remember.

Another method is to use an online, family password manager (LastPass has this feature, for instance). This feature is designed specifically for this problem, but it has a cost, and you might not like the cloud storage and multi-device syncing. But having this and managing it for your child might be worth it.

You could also teach a strong password pattern. Yes, patterns have an inherent and obvious vulnerability, but it is a method that can be considered for your personal risk assessment.

I'm a fan of the "password reset" process, myself.

13
  • 2
    Multiple devices - still true even if we restrict to immediate family (i.e. those who manage her devices). I will open that up to trusted (by me and her) adults who have complete physical access to her devices (e.g. grandparents). Restricting it beyond that is pointless paranoia and at odds with advice regarding a child's physical safety. Your blanket statement is still an unrealistic ideal - the days of "you must check in on a device capable of printing no more than 24 hours in advance" and similar stupid processes aren't completely gone.
    – Chris H
    Commented Aug 1, 2019 at 16:26
  • 5
I actually have a big problem with my child logging into her grandparents' devices. Just because they have full control of the devices my child does, does not make the grandparents' devices trusted, secure, or safe.
    – schroeder
    Commented Aug 1, 2019 at 16:51
  • 19
@schroeder I think this is a "what's your threat model?" issue. Is "grandparents' device is compromised -> child's account is compromised -> some form of harm" a pathway you're concerned about? Clearly it's a concern for you, which is fine, but it isn't for everyone, especially given the low risk of harm that comes from potentially revealing the password to a child's Scratch account. And that threat needs to be measured against the value (the joy of sharing her projects with family) and the risks of alternatives (bringing a device for her to use could mean it gets damaged or lost). Commented Aug 2, 2019 at 2:44
  • 6
Don't rely on the 'forgot password' process. Before I got my act together, I was always forgetting mine for one particular eCommerce site, and after several password resets, they threatened to ban me as I looked like a security risk. I smartened up and started using KeePass.
    – Neil_UK
    Commented Aug 2, 2019 at 7:12
  • 4
    @schroeder if mobile devices are banned in school and the child starts the day at home before going to the grandparents' afterwards, they can't take their own tablet. This is common, as is loss/theft/damage of physical hardware in the care of a child. Do you claim never to log in to any personal accounts on an employer-provided machine (a prime example of a "device you don't own")? That's a pretty extreme position, and quite far from where I draw the line about risk. I'd risk a few low-value accounts over a single piece of high-value hardware
    – Chris H
    Commented Aug 2, 2019 at 7:41
0

Now I am not sure if I am right, but I think teaching basic mnemonic techniques to kids seems like a wonderful idea to me. It's a skill that will help her lifelong and will also aid in avoiding writing down any passwords and low-entropy passwords. Consider a 10 digit gibberish password such as 1kej@!lej2. This could be easily remembered if you just made up a story by using characters of the password. Schroeder's advice also seems good to be honest. You could also teach her in time "how to generate passwords with sufficient entropy" and use a password manager. Until then mnemonics should do fine for kids. They have a vivid imagination.

EDIT: The answer that I wrote is wrong. The mnemonics part is correct but the password I chose is not sufficiently lengthy or easy to memorize. This question goes into the math and usability issue in detail. A far better method is the one written by forest in his answer.

7
  • 4
    It's a nice idea, and works for a few passwords, but I can't remember more than a handful that way. It seems optimistic to expect this approach to last long given how many passwords people acquire.
    – Chris H
    Commented Aug 1, 2019 at 16:34
  • 1
"Memorising a really strong master password is probably a bit much to ask". I was pretty much commenting on this one actually. But you are right, trying to remember 30-35 tough passwords even with mnemonics is rather tough/impossible.
    – yeah_well
    Commented Aug 1, 2019 at 16:36
  • 2
    I would highly recommend not using this weak password that is hard to remember, especially for kids, and instead use the diceware method.
    – RedBorg
    Commented Aug 2, 2019 at 16:03
  • 1
    @forest's answer is a lot more sensible/age appropriate Commented Aug 2, 2019 at 16:59
  • 1
    That gibberish password reminds me of xkcd.com/936 Commented Aug 3, 2019 at 16:43
-2

Great question/topic, and if the definition of password "management" here also includes "password generation" I would provide a Python program or similar that generates cryptographically-secure passwords of various lengths with just a few lines of code, and show the child how to easily run the program anytime they need a strong password. (as this would be a better habit in my opinion than thinking of a strong password each time).

Here is a rudimentary example I built that is cryptographically-secure using the secrets module in Python and library of 64 characters: https://github.com/hatgit/hatnotation/blob/master/Hatnotation-Password-Generator.py

Such 'secure' passwords, however, cannot be easily remembered as they look like a string of machine-readable code, unless the underlying binary is converted to mnemonic words so it can be easily written down.

I've also built an encoder/decoder (notation system called Hatnotation) and with the above compatible password generator for educational purpose, the underlying binary could be pasted into a mnemonic code converter, such as follows:

A random 22-character password generated from the range of 64 characters where 64^22 == 2^132 in terms of bits of security/entropy, using the Hatnotation password generator: }FT}:+3'Z;:BB,LY^>EOPF

Underlying 132-bit binary that represents those 22 characters (non-ASCII; these are Hatnotation-encoded characters): 010111000100111100011011111011011001000010110100010100010011111001011111111100010101110000010111101011100110101100011100100001011101

Converted 132-bits into a mnemonic based on the BIP39 English wordlist (excluding checksum, and which can be an alternative to the Diceware options that @Forest provided), using a mnemonic converter that can work offline on a standalone basis:

shaft mistake rent bird eye very wisdom return kit culture improve ritual

An alternative is to teach them how to generate entropy in binary or hex format using the command line or code compiler (which is faster than flipping coins), and how to paste such binary into the mnemonic converter of their choice depending on the wordlist used (even if it is their own custom wordlist). In Python, there are a few secure ways to do so using the built-in secrets, uuid4() and os.urandom modules.

P.S. In terms of storage/password-custody retrieval, if passwords are saved in the browser's native manager, and there is a concern about logging into the browser (i.e. Google Chrome) session from public or other potentially-unsafe locations in order to access passwords for logging-in to services such as the Scratch.Mit.edu website, I think adding a 2FA app such as Google Authenticator (assuming the youngster has a cell phone or compatible device, even if it is offline) could reduce the risks of those passwords being accessed by an adversary, if the login info was otherwise compromised.

4
  • 2
    -1 a question about password management for kids is not the place to promote homebrew password generator scripts. -1 recommending to teach a kid to "generate entropy in binary or hex format using the command line or code compiler" does not seem to make any sense. -1 "Hatzakis Base 64" why make another variant of base64?!
    – Luc
    Commented Aug 6, 2019 at 13:25
  • Where did you see homebrew? All software is trusted at some level, and I mentioned that the secrets module in Python is cryptographically-secure. The notation system I noted was made for educational purposes, and I listed alternatives. We can agree to disagree, I think my answer adds some good ideas and maybe some that aren't good for all cases. It's also a matter of opinion and style. What doesn't make sense to you about teaching a kid to use the command line or a compiler to generate entropy? It's something that adults should even do. Commented Aug 6, 2019 at 13:49
  • Again, the end of the question states: "What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?" So I don't think what I added was too far off, especially as kids are more becoming even more computer savvy. Commented Aug 6, 2019 at 13:54
  • "why make another variant of base64" - opened hatgit/hatnotation#9 to address this
    – Eric
    Commented Aug 19, 2019 at 23:40
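The bits-to-mnemonic conversion this answer walks through (22 symbols from a 64-symbol alphabet carry 6 bits each, so 132 bits, which split evenly into twelve 11-bit indices into a 2,048-word list such as BIP39's), as an added example that is not part of the original answer. The 64-symbol alphabet used here is a constructed one (the standard base64 characters), not the Hatnotation alphabet, and the word list is passed in as a parameter because the BIP39 list is not embedded; the usage at the bottom substitutes a synthetic 2,048-entry list. A real BIP39 phrase encodes 128 entropy bits plus a 4-bit checksum in those same 12 words; this block, like the answer's example, encodes the raw 132 bits with no checksum.

```python
import secrets
import string

# Constructed 64-symbol alphabet (the base64 set); 64 = 2**6, so each symbol
# carries exactly six bits. This is not the Hatnotation alphabet.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
BITS_PER_CHAR = 6
WORD_BITS = 11                 # BIP39-style list: 2**11 = 2048 words
WORDLIST_SIZE = 2 ** WORD_BITS


def random_password(n_chars=22):
    """n_chars symbols chosen uniformly with the OS CSPRNG, six bits each."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n_chars))


def password_bits(n_chars):
    """Entropy carried by n_chars uniformly chosen symbols (22 -> 132)."""
    return n_chars * BITS_PER_CHAR


def password_to_bits(password):
    """Expose the underlying bit string, six bits per symbol."""
    return "".join(format(ALPHABET.index(c), "06b") for c in password)


def bits_to_password(bits):
    """Inverse of password_to_bits."""
    if len(bits) % BITS_PER_CHAR:
        raise ValueError("bit length must be a multiple of 6")
    return "".join(ALPHABET[int(bits[i:i + BITS_PER_CHAR], 2)]
                   for i in range(0, len(bits), BITS_PER_CHAR))


def bits_to_words(bits, wordlist):
    """Split the bit string into 11-bit indices and look each one up."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError(f"word list must have exactly {WORDLIST_SIZE} entries")
    if len(bits) % WORD_BITS:
        raise ValueError("bit length must be a multiple of 11")
    return [wordlist[int(bits[i:i + WORD_BITS], 2)]
            for i in range(0, len(bits), WORD_BITS)]


def words_to_bits(words, wordlist):
    """Inverse of bits_to_words, so a written-down mnemonic recovers the bits."""
    index = {w: i for i, w in enumerate(wordlist)}
    return "".join(format(index[w], f"0{WORD_BITS}b") for w in words)


def password_to_words(password, wordlist):
    """Password -> mnemonic; only lengths whose bit count divides by 11 work."""
    bits = password_to_bits(password)
    if len(bits) % WORD_BITS:
        raise ValueError("choose a length whose bit count is a multiple of 11, e.g. 22 symbols")
    return bits_to_words(bits, wordlist)


def words_to_password(words, wordlist):
    """Mnemonic -> password, the round trip a child would use to type it back in."""
    return bits_to_password(words_to_bits(words, wordlist))


if __name__ == "__main__":
    # Constructed stand-in; replace with the 2048 BIP39 English words.
    synthetic_list = [f"w{i:04d}" for i in range(WORDLIST_SIZE)]
    pw = random_password(22)
    words = password_to_words(pw, synthetic_list)
    print(pw, password_bits(22), "bits")
    print(" ".join(words))
    assert words_to_password(words, synthetic_list) == pw
```

The length check in `password_to_words` is the practical constraint the answer's 22-character choice satisfies: 22 × 6 = 132 bits is divisible by 11, whereas a 20-character password (120 bits) would leave a partial word and could not be written down as whole words without padding.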
