August 11, 2021
Study on kids' passwords shows gap between knowledge of password best practices and behavior
When it comes to passwords, the challenges are endless. We must create multiple passwords to manage our many online accounts, from email to shopping sites and social media profiles. We have to safely keep track of these many passwords and ensure they're strong enough to reduce the risk of cyberattacks. All of these reasons emphasize why education and training are so important for strengthening passwords and protecting personal accounts.
The problem isn't limited to just adults. Children may seem more technologically savvy because they've grown up in the digital space, but they still face the same cybersecurity threats. So, to shed light on what kids understand about passwords and their behavior in creating and using them, researchers at the National Institute of Standards and Technology (NIST) conducted a study that surveyed kids from third to 12th grade.
The study found that children are learning best practices, such as memorizing passwords, but are demonstrating a gap between their knowledge of good password practices and their behavior. The NIST researchers present their findings today at a virtual cybersecurity conference called USENIX Security Symposium 2021.
According to recent data from the Pew Research Center, more than one-third of parents with a child younger than 12 say their child began interacting with a smartphone before the age of 5, and 67% of parents say their child uses or interacts with a tablet computer.
"Younger children rely on parents a lot. Their first passwords were either given to them at school or by a parent to open their phone or tablet. So, what kind of guidance can we provide?" said NIST researcher Yee-Yin Choong.
The researchers surveyed more than 1,500 kids from ages 8 to 18 who attended schools across the South, Midwest and Eastern regions of the U.S. Teachers administered two versions of the survey, one for third to fifth graders and the other for sixth to 12th graders. Each survey featured the same questions but had different age-appropriate language.
On the plus side, results from the study showed that kids are learning best practices on passwords, such as limiting their writing of passwords on paper, keeping their passwords private, and logging out after online sessions. They're also not burdened with a lot of passwords as adults are, with kids on average reporting they have two passwords for school and two to four for home.
The passwords that kids created often consisted of concepts reflecting the current state of their lives. Passwords referenced sports, video games, names, animals, movies, titles (such as "princess"), numbers and colors. Examples included "yellow," "doggysafesecure" and "PrincessFrog248."
Password strength increased from elementary to high school students. Examples of stronger passwords among middle and high school students included "dancingdinosaursavrwhoop164" and "Aiken_bacon@28."
But despite the evidence that kids are learning best practices, they also demonstrated bad password habits. They tended to reuse passwords, a habit that increased in frequency from elementary to high school students, and shared their passwords with their friends. "For adolescents, an important part of building friendships is building trust, which is shown with sharing secrets. Their perspective is that sharing passwords is not risky behavior," said Choong.
The study also shed light onto what kids thought about passwords. The survey asked, "Why do people need passwords?" The answers were different for younger and older kids. Elementary students said safety was the primary reason, while for middle and high school students, privacy became more a more dominant answer.
Another notable finding was that younger kids relied on family support for creating and maintaining their passwords at home. This suggests that families play a central role in establishing best practices and that parents affect kids' behavior with passwords.
Not many studies have been performed on kids and cybersecurity, said Choong, which is why this work could be significant in helping researchers understand more about kids' password use.
"This was a very carefully designed study. We had to think carefully about the methodology," said Choong. Researchers contacted the principal of each school first to gain school support for the research, she said. They also worked with the teachers in getting parental consent and administering the surveys.
In future work, the NIST researchers will move outside the scope of passwords to investigate children's and parents' perceptions of online security, privacy and risky behaviors.
"The end goal of this research is to better support children and provide recommendations that can be used to provide guidance to them, parents and educators. Overall, the focus is on providing guidelines and best practices so that they can stay safe and secure online while enjoying the benefits of the internet," said Choong.