Password management for kids - what's a good way to start?









166

















Consider a young (primary-school age) child who is starting to collect passwords for online services. How can a parent (or equivalent) help them manage their passwords?



An example to make things clearer: My daughter might want to log on to http://scratch.mit.edu from several locations/devices to show her projects to the family. She also has a couple of email addresses, one of which she's likely to be using herself soon (under supervision). While her own device will be logged in, she may need access from others.



So far I take care of it for her: I know her password and (pseudonymous) user ID, and store them in my KeePass. That's appropriate at this stage, but it's not much help if she needs them without me (short of sending login details in plaintext to her grandparents, for example). There should also be a solution that doesn't require me to possess these details, from the point of view of sticking to the general rule of keeping your login details secret. Memorising a really strong master password is probably a bit much to ask, and she's likely to mislay any physical storage.



I like to plan ahead, so moving forwards: What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?










  • 42





    We've had a good few questions on password management in general, but I don't believe we've dealt with the aspects specific to kids: training and the fact they're kids.

    – Chris H
    Aug 1 at 15:02






  • 1





    Great question! What sort of age range are you thinking of?

    – Anders
    Aug 1 at 15:03






  • 7





    @Anders our edits crossed, but I've added a deliberately vague "primary age". In my case the early half of that - she's a little young for scratch but is starting to enjoy it

    – Chris H
    Aug 1 at 15:06







  • 3





    @ChrisH "Primary-school age" is likely to mean different things in different countries. It would be good if you can specify an age range in years.

    – Chris Hayes
    Aug 2 at 6:53






  • 4





    @ChrisHayes primary education always refers to the first few years after starting school. Definitions vary but the range 5-10 years is representative and as specific as I want to be

    – Chris H
    Aug 2 at 7:37

















password-management














edited Aug 1 at 15:03







Chris H

















asked Aug 1 at 15:00









Chris H










5 Answers


















95


















Maybe the lesson for children should be less about how to use tools to manage a password, and more about understanding why managing passwords is important?



Let them write their passwords in a notebook. Have fun with devising a method for obfuscation in case the notebook is lost. Teach them about backups: keeping a copy someplace safe. In my experience, kids and old people are a lot alike when it comes to password (mis)management.



Until they were skilled enough to manage their own password database, I also kept the kids' logins in a "family KeePass". This is the same one where the aged family members' stuff is, because people die and sometimes you need to recover things for otherwise unable people. The trust/risk calculus is different in a family group than in a work or social circle. There is also a difference between sharing access to a password and sharing a password.



It is awesome that you are thinking about this early. Good luck!






  • 45





    I'm not sure why this was downvoted... Possibly because of the advice to write passwords down. While not great advice, it's not the worst advice either, and is orders of magnitude better than reusing passwords. Especially if the passwords are obfuscated. (Hopefully a child isn't the target of a state-level-actor. ;-) )

    – Ghedipunk
    Aug 1 at 15:52







  • 5





    @Ghedipunk obfuscation may be a little optimistic and kids are prone to losing things (and trying to solve the puzzles in their friends' notebooks for ill-advised pranks). But scepticism about one point didn't make a negative for me (+1 in fact)

    – Chris H
    Aug 1 at 16:32






  • 4





    Storing a hard copy is generally a good idea, as long as it is secured. This is real world mitigation. Like backdoors, everybody speaks against it, but realises the necessity of it. No password, no "miles".

    – mckenzm
    Aug 2 at 0:14






  • 6





    @mckenzm Completely unlike backdoors. A backdoor is bad pretty much by definition. You are probably thinking of something like giving the key to your front door to a friend. Also in general it's bad to bring up unrelated topics in comments because then people like me feel the need to disagree (instead of just upvoting your comment that writing down passwords is a good idea in some circumstances).

    – Nobody
    Aug 2 at 10:47






  • 11





    Relevant XKCD regarding writing down passwords.

    – Draco18s
    Aug 2 at 16:56


















30



















"Memorising a really strong master password is probably a bit much to ask"




I disagree! I have a daughter who, at around 7, was able to quickly memorize a very strong password using the Diceware method for use in a password manager. This method picks several random words from a dictionary (typically) composed of 7,776 words. A mere 9 words is log2(7776^9) ≈ 116 bits.



If you use a password manager that supports password-strengthening with an algorithm like PBKDF2, you can reduce the length of the password even further. Using 262,144 (2^18) hash iterations, you can increase the security of a 6 character password to log2(7776^6) + 18 ≈ 96 bits. An example password:



octopus handrail chasing hull shy ambition


That's not hard to remember! It does take some practice and it's not as easy as memorizing a weak password with just one or two words or the name of a pet, but it is something that a child, even a young child, is able to do. Some password managers support multiple equivalent master passwords, making it possible for you to keep a backup password until you are sure your daughter won't forget hers. Then you can revoke your own password so you don't need to have unnecessary access to her passwords.




"and she's likely to mislay any physical storage."




If you don't want to synchronize the password database, you can use a stateless password manager. This is a password manager which uses a combination of an identifier for the service you want to log into, as well as a single, strong master password. A stateless password manager works by hashing a concatenation of your master password and the service identifier. It has a few downsides, though:



  1. You can't change a site's password without changing the identifier or master password.


  2. If your master password is ever compromised, so are all your site passwords.


  3. The master password must be strong enough to resist attacks on its own.


If reliance on a storage device to hold the password database is simply unacceptable, then stateless password managers are absolutely the way to go. They can be very secure if used correctly.
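The arithmetic and the stateless scheme described in this answer, as an added example (not part of the answer and not any particular password manager's code). It checks the entropy figures, rolls Diceware dice keys with a CSPRNG, and derives per-site passwords with nothing stored. Assumptions: PBKDF2-HMAC-SHA256 with the service identifier as salt stands in for "hashing a concatenation"; the `counter`, the 62-symbol alphabet and the 20-character length are illustrative choices.

```python
import hashlib
import math
import secrets
import string

DICEWARE_WORDS = 6 ** 5   # 7,776 entries: one word per roll of five dice
ITERATIONS = 2 ** 18      # 262,144, the stretching count quoted in the answer
ALPHABET = string.ascii_letters + string.digits  # assumed output alphabet (62 symbols)


def passphrase_bits(words, iterations=1):
    """Work to guess a Diceware passphrase, in bits.

    log2(7776**words) from the random words, plus log2(iterations) because
    every guess has to pay for the key-stretching as well.
    """
    return words * math.log2(DICEWARE_WORDS) + math.log2(iterations)


def dice_keys(words):
    """Roll five dice per word using the OS CSPRNG.

    Each key (for example '43146') is looked up in a printed Diceware list,
    so the word choice is uniform and not whatever the child finds memorable.
    """
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(words)]


def site_password(master, service, counter=1, length=20):
    """Stateless derivation: same master + service + counter -> same password.

    Nothing is written to disk, so there is no database to mislay. The three
    downsides listed in the answer are visible in the inputs:
      1. rotating one site's password means bumping `counter` (new state to remember);
      2. anyone who learns `master` can recompute every site's password;
      3. `master` is the only secret, so it must be strong on its own.
    """
    salt = f"{service.strip().lower()}#{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=32)
    # Read the 256-bit output as one integer and peel off base-62 digits.
    # 62**20 is about 2**119, so the bias from 2**256 is negligible.
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


if __name__ == "__main__":
    print(f"9 words, no stretching : {passphrase_bits(9):.1f} bits")
    print(f"6 words, 2^18 PBKDF2   : {passphrase_bits(6, ITERATIONS):.1f} bits")
    print("dice keys to look up   :", " ".join(dice_keys(6)))

    # The passphrase published in the answer, used only as sample input here.
    master = "octopus handrail chasing hull shy ambition"
    print("scratch.mit.edu        :", site_password(master, "scratch.mit.edu"))
    print("after rotation (ctr=2) :", site_password(master, "scratch.mit.edu", 2))
```
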






  • 8





    The hardest part for a young child is consistently spelling a larger vocabulary than is used by the dictionary.

    – jpaugh
    Aug 2 at 19:04






  • 3





    Still, teaching the concepts is probably waay more important than getting it secure --- similar to the strategy taken by dentists when dealing with children.

    – jpaugh
    Aug 2 at 19:07







  • 1





    @jpaugh The nice thing about using words as symbols instead of characters is that, if they forget how to spell it, they can always use spell check or a dictionary. Compare this with a "traditional" password where you're out of luck if you forget which special character you used or what position it was in.

    – forest
    Aug 3 at 7:23






  • 2





    This is the correct answer. Horses, batteries and staples agree

    – Machavity
    Aug 3 at 14:52






  • 1





    You probably want to seek out a more child-friendly wordlist than the traditional diceware wordlist, possibly from the EFF or building your own from "basic English" or early education word lists. The good news is kids probably don't have very many high-value accounts; you can teach the proper techniques, etc. with a shorter word list than you'd use for more high-value accounts as an adult.

    – Ben
    Aug 6 at 16:33


















15


















"Logging in from multiple devices" if you do not own them, is one habit that would need to be stopped for general security.



Once you own all the devices in the scenario, one method that I saw for young people that was useful is to avoid dealing with passwords altogether: use the "forgot password" process.



If the device is owned and access to email is on the device, then you simply request a password reset link and use that. Nothing to remember.



Another method is to use an online, family password manager (LastPass has this feature, for instance). This feature is designed specifically for this problem, but it has a cost, and you might not like the cloud storage and multi-device syncing. But having this and managing it for your child might be worth it.



You could also teach a strong password pattern. Yes, patterns have an inherent and obvious vulnerability, but it is a method that can be considered for your personal risk assessment.



I'm a fan of the "password reset" process, myself.






  • 2





    Multiple devices - still true even if we restrict to immediate family (i.e. those who manage her devices). I will open that up to trusted (by me and her) adults who have complete physical access to her devices (e.g. grandparents). Restricting it beyond that is pointless paranoia and at odds with advice regarding a child's physical safety. Your blanket statement is still an unrealistic ideal - the days of "you must check in on a device capable of printing no more than 24 hours in advance" and similar stupid processes aren't completely gone.

    – Chris H
    Aug 1 at 16:26






  • 4





    I actually have a big problem with my child logging into her grandparent's devices. Just because they have full control of the devices my child does, does not make the grandparent's devices trusted, secure, or safe.

    – schroeder
    Aug 1 at 16:51






  • 18





    @schroeder I think this is a "what's your threat model?" issue. Is "grandparents device is compromised -> child's account is compromised -> some form of harm" a pathway you're concerned about? Clearly it's a concern for you, which is fine, but it isn't for everyone, especially given the low risk of harm that comes from potentially revealing the password to a child's Scratch account. And that threat needs to be measured against the value (the joy of sharing her projects with family) and the risks of alternatives (bringing a device for her to use could mean it gets damaged or lost).

    – Zach Lipton
    Aug 2 at 2:44






  • 5





    Don't rely on the forgot 'password process'. Before I got my act together, I was always forgetting mine for one particular eCommerce site, and after several password resets, they threatened to ban me as I looked like a security risk. I smartened up and started using keePass.

    – Neil_UK
    Aug 2 at 7:12






  • 3





    @schroeder if mobile devices are banned in school and the child starts the day at home before going to the grandparents' afterwards, they can't take their own tablet. This is common, as is loss/theft/damage of physical hardware in the care of a child. Do you claim never to log in to any personal accounts on an employer-provided machine (a prime example of a "device you don't own")? That's a pretty extreme position, and quite far from where I draw the line about risk. I'd risk a few low-value accounts over a single piece of high-value hardware

    – Chris H
    Aug 2 at 7:41



















0


















Now I am not sure if I am right but I think teaching basic mnemonic techniques to kids seems like a wonderful idea to me. It's a skill that will help her lifelong and will also aid in avoiding writing down any passwords and low entropy password. Consider a 10 digit gibberish password such as 1kej@!lej2. This could be easily remembered if you just made up a story by using characters of the password. Schroeder's advice also seems good to be honest. You could also teach her in time "how to generate passwords with sufficient entropy" and use a password manager. Until then mnemonics should do fine for kids. They have a vivid imagination.



EDIT: The answer that I wrote is wrong. The mnemonics part is correct but the password I chose is not sufficiently lengthy or easy to memorize. This question goes into the math and usability issue in detail. A far better method is the one written by forest in his answer.






  • 4





    It's a nice idea, and works for a few passwords, but I can't remember more than a handful that way. It seems optimistic to expect this approach to last long given how many passwords people acquire.

    – Chris H
    Aug 1 at 16:34






  • 1





    "Memorising a really strong master password is probably a bit much to ask". I was pretty much commenting on this one actually. But you are right, trying to remember 30-35 tough passwords even with mnemonics is rather tough/impossible.

    – Vipul Nair
    Aug 1 at 16:36






  • 2





    I would highly recommend not using this weak password that is hard to remember, especially for kids, and instead use the diceware method.

    – RedBorg
    Aug 2 at 16:03






  • 1





    @forest's answer is a lot more sensible/age appropriate

    – George M Reinstate Monica
    Aug 2 at 16:59






  • 1





    That gibberish password reminds me of xkcd.com/936

    – multithr3at3d
    Aug 3 at 16:43


















-2


















Great question/topic, and if the definition of password "management" here also includes "password generation" I would provide a Python program or similar that generates cryptographically-secure passwords of various lengths with just a few lines of code, and show the child how to easily run the program anytime they need a strong password. (as this would be a better habit in my opinion than thinking of a strong password each time).



Here is a rudimentary example I built that is cryptographically-secure using the secrets module in Python and library of 64 characters: https://github.com/hatgit/hatnotation/blob/master/Hatnotation-Password-Generator.py



Such 'secure' passwords, however, cannot be easily remembered as they look like a string of machine-readable code, unless the underlying binary is converted to mnemonic words so it can be easily written down.



I've also built an encoder/decoder (notation system called Hatnotation) and with the above compatible password generator for educational purpose, the underlying binary could be pasted into a mnemonic code converter, such as follows:



A random 22-character password generated from the range of 64 characters where 64^22 == 2^132 in terms of bits of security/entropy, using the Hatnotation password generator: }FT}:+3'Z;:BB,LY^>EOPF



Underlying 132-bit binary that represents those 22 characters (non-ASCII, these are Hatnotation-encoded characters): 010111000100111100011011111011011001000010110100010100010011111001011111111100010101110000010111101011100110101100011100100001011101



Converted 132-bits into a mnemonic based on the BIP39 English wordlist (excluding checksum, and which can be an alternative to the Diceware options that @Forest provided), using a mnemonic converter that can work offline on a standalone basis:



shaft mistake rent bird eye very wisdom return kit culture improve ritual



An alternative is to teach them to how to generate entropy in binary or hex format using the command line or code compiler (which is faster than flipping coins), and how to paste such binary into the mnemonic converter of their choice depending on the wordlist used (even if it is their own custom wordlist). In Python, there are a few secure ways to do so using the built-in secrets, uuid4() and os.urandom modules.



P.S. In terms of storage/password-custody retrieval, if passwords are saved in the browser's native manager, and there is a concern about logging into the browser (i.e. Google Chrome) session from public or other potentially-unsafe locations in order to access passwords for logging in to services such as the Scratch.Mit.edu website, I think adding a 2FA app such as Google Authenticator (assuming the youngster has a cell phone or compatible device, even if it is offline) could reduce the risks of those passwords being accessed by an adversary, if the login info was otherwise compromised.






  • 2





    -1 a question about password management for kids is not the place to promote homebrew password generator scripts. -1 recommending to teach a kid to "generate entropy in binary or hex format using the command line or code compiler" does not seem to make any sense. -1 "Hatzakis Base 64" why make another variant of base64?!

    – Luc
    Aug 6 at 13:25











  • Where did you see homebrew? All software is trusted at some level, and I mentioned that the secrets module in Python is cryptographically-secure. The notation system I noted was made for educational purposes, and I listed alternatives. We can agree to disagree, I think my answer adds some good ideas and maybe some that aren't good for all cases. It's also a matter of opinion and style. What doesn't make sense to you about teaching a kid to use the command line or a compiler to generate entropy? It's something that adults should even do.

    – Steven Hatzakis
    Aug 6 at 13:49











  • Again, the end of the question states: "What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?" So I don't think what I added was too far off, especially as kids are becoming even more computer savvy.

    – Steven Hatzakis
    Aug 6 at 13:54











  • "why make another variant of base64" - opened hatgit/hatnotation#9 to address this

    – Eric
    Aug 19 at 23:40












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);














draft saved

draft discarded
















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214492%2fpassword-management-for-kids-whats-a-good-way-to-start%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown


























5 Answers
5






active

oldest

votes








5 Answers
5






active

oldest

votes









active

oldest

votes






active

oldest

votes









95


















Maybe the lesson for children should be less about how to use tools to manage a password, and more about understanding why managing passwords is important?



Let them write their passwords in a notebook. Have fun with devising a method for obfuscation in case the notebook is lost. Teach them about backups: keeping a copy someplace safe. In my experience, kids and old people are a lot alike when it comes to password (mis)management.

Until they were skilled enough to manage their own password database, I also kept the kids' logins in a "family KeePass". This is the same one where the aged family members' stuff is, because people die and sometimes you need to recover things for otherwise unable people. The trust/risk calculus is different in a family group than in a work or social circle. There is also a difference between sharing access to a password and sharing a password.



It is awesome that you are thinking about this early. Good luck!






edited Aug 3 at 14:51 by Machavity
answered Aug 1 at 15:26 by not_very_nice










  • 45
    I'm not sure why this was downvoted... Possibly because of the advice to write passwords down. While not great advice, it's not the worst advice either, and is orders of magnitude better than reusing passwords. Especially if the passwords are obfuscated. (Hopefully a child isn't the target of a state-level-actor. ;-) )
    – Ghedipunk
    Aug 1 at 15:52

  • 5
    @Ghedipunk obfuscation may be a little optimistic and kids are prone to losing things (and trying to solve the puzzles in their friends' notebooks for ill-advised pranks). But scepticism about one point didn't make a negative for me (+1 in fact)
    – Chris H
    Aug 1 at 16:32

  • 4
    Storing a hard copy is generally a good idea, as long as it is secured. This is real world mitigation. Like backdoors, everybody speaks against it, but realises the necessity of it. No password, no "miles".
    – mckenzm
    Aug 2 at 0:14

  • 6
    @mckenzm Completely unlike backdoors. A backdoor is bad pretty much by definition. You are probably thinking of something like giving the key to your front door to a friend. Also in general it's bad to bring up unrelated topics in comments because then people like me feel the need to disagree (instead of just upvoting your comment that writing down passwords is a good idea in some circumstances).
    – Nobody
    Aug 2 at 10:47

  • 11
    Relevant XKCD regarding writing down passwords.
    – Draco18s
    Aug 2 at 16:56












30



















> Memorising a really strong master password is probably a bit much to ask

I disagree! I have a daughter who, at around 7, was able to quickly memorize a very strong password using the Diceware method for use in a password manager. This method picks several random words from a dictionary (typically) composed of 7,776 words. A mere 9 words is log2(7776^9) ≈ 116 bits.

If you use a password manager that supports password-strengthening with an algorithm like PBKDF2, you can reduce the length of the password even further. Using 262,144 (2^18) hash iterations, you can increase the security of a 6 character password to log2(7776^6) + 18 ≈ 96 bits. An example password:

    octopus handrail chasing hull shy ambition

That's not hard to remember! It does take some practice and it's not as easy as memorizing a weak password with just one or two words or the name of a pet, but it is something that a child, even a young child, is able to do. Some password managers support multiple equivalent master passwords, making it possible for you to keep a backup password until you are sure your daughter won't forget hers. Then you can revoke your own password so you don't need to have unnecessary access to her passwords.

> and she's likely to mislay any physical storage.

If you don't want to synchronize the password database, you can use a stateless password manager. This is a password manager which uses a combination of an identifier for the service you want to log into, as well as a single, strong master password. A stateless password manager works by hashing a concatenation of your master password and the service identifier. It has a few downsides, though:

  1. You can't change a site's password without changing the identifier or master password.

  2. If your master password is ever compromised, so are all your site passwords.

  3. The master password must be strong enough to resist attacks on its own.

If reliance on a storage device to hold the password database is simply unacceptable, then stateless password managers are absolutely the way to go. They can be very secure if used correctly.






edited Aug 3 at 11:43
answered Aug 2 at 6:54 by forest
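As an added illustration (not part of forest's answer and not the code of any particular password manager), the Python below reproduces the answer's entropy figures and derives per-site passwords without storing anything. It uses PBKDF2-HMAC-SHA256 with the service identifier as salt in place of the plain hash of a concatenation that the answer describes; the function names, the `counter` parameter, the sample word list and the `.example` identifiers are assumptions made for the example.

```python
import base64
import hashlib
import math
import secrets

DICEWARE_LIST_SIZE = 7776    # 6^5 words, the list size quoted in the answer
PBKDF2_ITERATIONS = 262_144  # 2^18, the iteration count quoted in the answer

# Constructed sample list: far too small for real use, here only so the
# generator can run offline. A real Diceware list has 7,776 entries.
SAMPLE_WORDS = ["octopus", "handrail", "chasing", "hull", "shy", "ambition",
                "lantern", "pebble", "orbit", "meadow", "quilt", "tundra"]


def passphrase_bits(words, list_size=DICEWARE_LIST_SIZE, iterations=1):
    """Guessing cost in bits: words * log2(list size) + log2(hash iterations)."""
    if words < 1 or list_size < 2 or iterations < 1:
        raise ValueError("words, list_size and iterations must be positive")
    return words * math.log2(list_size) + math.log2(iterations)


def generate_passphrase(wordlist, words=6):
    """Pick words uniformly with a CSPRNG; the estimate only holds for random picks."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def site_password(master, service_id, counter=1, length=20,
                  iterations=PBKDF2_ITERATIONS):
    """Derive a site password from the master passphrase; nothing is stored.

    The salt is the normalised service identifier plus a counter. The counter
    is the only way to rotate one site's password without changing the master
    passphrase (downside 1 in the answer), and it has to be remembered.
    """
    if not 1 <= length <= 43:  # 32 derived bytes give 43 base64 characters
        raise ValueError("length must be between 1 and 43")
    salt = f"{service_id.strip().lower()}#{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=32)
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    print(f"9 words:              {passphrase_bits(9):.1f} bits")
    print(f"6 words + 2^18 PBKDF2: "
          f"{passphrase_bits(6, iterations=PBKDF2_ITERATIONS):.1f} bits")

    master = generate_passphrase(SAMPLE_WORDS, 6)
    print("sample passphrase:", master)

    # Same inputs always give the same password, so any device can
    # recompute it. Anyone who learns the master passphrase can do the
    # same for every site (downside 2), which is why the passphrase has
    # to be strong by itself (downside 3).
    for service in ("games.example", "school.example"):
        print(service, site_password(master, service))
    print("games.example after rotation:",
          site_password(master, "games.example", counter=2))
```
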










  • 8
    The hardest part for a young child is consistently spelling a larger vocabulary than is used by the dictionary.
    – jpaugh
    Aug 2 at 19:04

  • 3
    Still, teaching the concepts is probably waay more important than getting it secure --- similar to the strategy taken by dentists when dealing with children.
    – jpaugh
    Aug 2 at 19:07

  • 1
    @jpaugh The nice thing about using words as symbols instead of characters is that, if they forget how to spell it, they can always use spell check or a dictionary. Compare this with a "traditional" password where you're out of luck if you forget which special character you used or what position it was in.
    – forest
    Aug 3 at 7:23

  • 2
    This is the correct answer. Horses, batteries and staples agree
    – Machavity
    Aug 3 at 14:52

  • 1
    You probably want to seek out a more child-friendly wordlist than the traditional diceware wordlist, possibly from the EFF or building your own from "basic English" or early education word lists. The good news is kids probably don't have very many high-value accounts; you can teach the proper techniques, etc. with a shorter word list than you'd use for more high-value accounts as an adult.
    – Ben
    Aug 6 at 16:33












15


















"Logging in from multiple devices", if you do not own them, is one habit that would need to be stopped for general security.



Once you own all the devices in the scenario, one method that I saw for young people that was useful is to avoid dealing with passwords altogether: use the "forgot password" process.



If the device is owned and access to email is on the device, then you simply request a password reset link and use that. Nothing to remember.



Another method is to use an online, family password manager (LastPass has this feature, for instance). This feature is designed specifically for this problem, but it has a cost, and you might not like the cloud storage and multi-device syncing. But having this and managing it for your child might be worth it.



You could also teach a strong password pattern. Yes, patterns have an inherent and obvious vulnerability, but it is a method that can be considered for your personal risk assessment.



I'm a fan of the "password reset" process, myself.



























  • 2





    Multiple devices - still true even if we restrict to immediate family (i.e. those who manage her devices). I will open that up to trusted (by me and her) adults who have complete physical access to her devices (e.g. grandparents). Restricting it beyond that is pointless paranoia and at odds with advice regarding a child's physical safety. Your blanket statement is still an unrealistic ideal - the days of "you must check in on a device capable of printing no more than 24 hours in advance" and similar stupid processes aren't completely gone.

    – Chris H
    Aug 1 at 16:26






  • 4





    I actually have a big problem with my child logging into her grandparent's devices. Just because they have full control of the devices my child does, does not make the grandparent's devices trusted, secure, or safe.

    – schroeder
    Aug 1 at 16:51






  • 18





    @schroeder I think this is a "what's your threat model?" issue. Is "grandparents device is compromised -> child's account is compromised -> some form of harm" a pathway you're concerned about? Clearly it's a concern is for you, which is fine, but it isn't for everyone, especially given the low risk of harm that comes from potentially reveling the password to a child's Scratch account. And that threat needs to be measured against the value (the joy of sharing her projects with family) and the risks of alternatives (bringing a device for her to use could mean it gets damaged or lost).

    – Zach Lipton
    Aug 2 at 2:44






  • 5





    Don't rely on the 'forgot password' process. Before I got my act together, I was always forgetting mine for one particular eCommerce site, and after several password resets, they threatened to ban me as I looked like a security risk. I smartened up and started using KeePass.

    – Neil_UK
    Aug 2 at 7:12






  • 3





    @schroeder if mobile devices are banned in school and the child starts the day at home before going to the grandparents' afterwards, they can't take their own tablet. This is common, as is loss/theft/damage of physical hardware in the care of a child. Do you claim never to log in to any personal accounts on an employer-provided machine (a prime example of a "device you don't own")? That's a pretty extreme position, and quite far from where I draw the line about risk. I'd risk a few low-value accounts over a single piece of high-value hardware

    – Chris H
    Aug 2 at 7:41


























answered Aug 1 at 15:35









schroeder























0


















Now I am not sure if I am right, but I think teaching basic mnemonic techniques to kids seems like a wonderful idea to me. It's a skill that will help her lifelong and will also aid in avoiding writing down any passwords and low-entropy passwords. Consider a 10-digit gibberish password such as 1kej@!lej2. This could be easily remembered if you just made up a story by using characters of the password. Schroeder's advice also seems good, to be honest. You could also teach her in time "how to generate passwords with sufficient entropy" and use a password manager. Until then mnemonics should do fine for kids. They have a vivid imagination.



EDIT: The answer that I wrote is wrong. The mnemonics part is correct but the password I chose is not sufficiently lengthy or easy to memorize. This question goes into the math and usability issue in detail. A far better method is the one written by forest in his answer.





























  • 4





    It's a nice idea, and works for a few passwords, but I can't remember more than a handful that way. It seems optimistic to expect this approach to last long given how many passwords people acquire.

    – Chris H
    Aug 1 at 16:34






  • 1





    "Memorising a really strong master password is probably a bit much to ask". I was pretty much commenting on this one actually. But you are right, trying to remember 30-35 tough passwords even with mnemonics is rather tough/impossible.

    – Vipul Nair
    Aug 1 at 16:36






  • 2





    I would highly recommend not using this weak password that is hard to remember, especially for kids, and instead use the diceware method.

    – RedBorg
    Aug 2 at 16:03






  • 1





    @forest's answer is a lot more sensible/age appropriate

    – George M Reinstate Monica
    Aug 2 at 16:59






  • 1





    That gibberish password reminds me of xkcd.com/936

    – multithr3at3d
    Aug 3 at 16:43























edited Aug 4 at 17:47









AndrolGenhald











answered Aug 1 at 16:10









Vipul Nair






















-2


















Great question/topic, and if the definition of password "management" here also includes "password generation" I would provide a Python program or similar that generates cryptographically-secure passwords of various lengths with just a few lines of code, and show the child how to easily run the program anytime they need a strong password. (as this would be a better habit in my opinion than thinking of a strong password each time).



Here is a rudimentary example I built that is cryptographically-secure using the secrets module in Python and library of 64 characters: https://github.com/hatgit/hatnotation/blob/master/Hatnotation-Password-Generator.py



Such 'secure' passwords, however, cannot be easily remembered as they look like a string of machine-readable code, unless the underlying binary is converted to mnemonic words so it can be easily written down.



I've also built an encoder/decoder (notation system called Hatnotation) and with the above compatible password generator for educational purpose, the underlying binary could be pasted into a mnemonic code converter, such as follows:



A random 22-character password generated from the range of 64 characters where 64^22 == 2^132 in terms of bits of security/entropy, using the Hatnotation password generator: }FT}:+3'Z;:BB,LY^>EOPF



Underlying 132-bit binary that represents those 22 characters (non-ASCII; these are Hatnotation-encoded characters): 010111000100111100011011111011011001000010110100010100010011111001011111111100010101110000010111101011100110101100011100100001011101



Converted 132-bits into a mnemonic based on the BIP39 English wordlist (excluding checksum, and which can be an alternative to the Diceware options that @Forest provided), using a mnemonic converter that can work offline on a standalone basis:



shaft mistake rent bird eye very wisdom return kit culture improve ritual



An alternative is to teach them how to generate entropy in binary or hex format using the command line or code compiler (which is faster than flipping coins), and how to paste such binary into the mnemonic converter of their choice depending on the wordlist used (even if it is their own custom wordlist). In Python, there are a few secure ways to do so using the built-in secrets, uuid4() and os.urandom modules.



P.S. In terms of storage/password-custody retrieval, if passwords are saved in the browser's native manager, and there is a concern about logging into the browser (i.e. Google Chrome) session from public or other potentially-unsafe locations in order to access passwords for logging in to services such as the Scratch.Mit.edu website, I think adding a 2FA app such as Google Authenticator (assuming the youngster has a cell phone or compatible device, even if it is offline) could reduce the risks of those passwords being accessed by an adversary, if the login info was otherwise compromised.
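The bit accounting in the answer above (22 symbols from a 64-character set and 12 words from a 2048-word list both carry 132 bits) can be checked with the following added example, which is not part of the original answer and is not the Hatnotation code. It assumes a generic 64-symbol alphabet and a constructed placeholder wordlist (`w0000` to `w2047`) in place of a real list such as BIP39's, and it does not implement a BIP39 checksum.

```python
import math
import secrets
import string

# Assumption: a generic 64-symbol alphabet, NOT the Hatnotation character set.
ALPHABET_64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"


def placeholder_wordlist(size=2048):
    """Constructed stand-in tokens (w0000..w2047); swap in a real 2048-word list."""
    return [f"w{i:04d}" for i in range(size)]


def bits_per_symbol(symbols):
    """Bits carried by one symbol; the set must be duplicate-free and a power of two."""
    n = len(symbols)
    if n < 2 or n & (n - 1):
        raise ValueError("symbol set size must be a power of two (got %d)" % n)
    if len(set(symbols)) != n:
        raise ValueError("symbol set contains duplicates, so decoding is ambiguous")
    return n.bit_length() - 1


def load_wordlist(path):
    """Read one word per line from a local file and validate it before use."""
    with open(path, encoding="utf-8") as fh:
        words = [line.strip() for line in fh if line.strip()]
    bits_per_symbol(words)  # raises ValueError if the list is unusable
    return words


def random_bits(n_bits):
    """Draw n_bits from the OS CSPRNG and return them as a zero-padded bit string."""
    return format(secrets.randbits(n_bits), f"0{n_bits}b")


def encode(bits, symbols):
    """Split a bit string into fixed-width chunks and map each chunk to a symbol."""
    width = bits_per_symbol(symbols)
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("input must be a non-empty string of 0s and 1s")
    if len(bits) % width:
        raise ValueError("bit length %d is not a multiple of %d" % (len(bits), width))
    return [symbols[int(bits[i:i + width], 2)] for i in range(0, len(bits), width)]


def decode(tokens, symbols):
    """Inverse of encode(): map each symbol back to its fixed-width bit chunk."""
    width = bits_per_symbol(symbols)
    index = {s: i for i, s in enumerate(symbols)}
    unknown = [t for t in tokens if t not in index]
    if unknown:
        raise ValueError("tokens not in symbol set: %r" % unknown[:3])
    return "".join(format(index[t], f"0{width}b") for t in tokens)


def entropy_bits(n_tokens, symbols):
    """Entropy of n_tokens drawn uniformly and independently from symbols."""
    return n_tokens * math.log2(len(symbols))


if __name__ == "__main__":
    words_2048 = placeholder_wordlist()
    bits = random_bits(132)  # 132 = 22 * 6 = 12 * 11
    password = "".join(encode(bits, ALPHABET_64))
    mnemonic = " ".join(encode(bits, words_2048))
    print("password :", password, "(%.0f bits)" % entropy_bits(22, ALPHABET_64))
    print("mnemonic :", mnemonic, "(%.0f bits)" % entropy_bits(12, words_2048))
    # Both renderings decode back to the same 132 bits.
    assert decode(password, ALPHABET_64) == bits == decode(mnemonic.split(), words_2048)
```

The entropy figure only holds when the bits come from the CSPRNG; a password or word sequence chosen by a person does not get 6 or 11 bits per symbol.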



























  • 2





    -1 a question about password management for kids is not the place to promote homebrew password generator scripts. -1 recommending to teach a kid to "generate entropy in binary or hex format using the command line or code compiler" does not seem to make any sense. -1 "Hatzakis Base 64" why make another variant of base64?!

    – Luc
    Aug 6 at 13:25











  • Where did you see homebrew? All software is trusted at some level, and I mentioned that the secrets module in Python is cryptographically-secure. The notation system I noted was made for educational purposes, and I listed alternatives. We can agree to disagree, I think my answer adds some good ideas and maybe some that aren't good for all cases. It's also a matter of opinion and style. What doesn't make sense to you about teaching a kid to use the command line or a compiler to generate entropy? It's something that adults should even do.

    – Steven Hatzakis
    Aug 6 at 13:49











  • Again, the end of the question states: "What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?" So I don't think what I added was too far off, especially as kids are becoming even more computer savvy.

    – Steven Hatzakis
    Aug 6 at 13:54











  • "why make another variant of base64" - opened hatgit/hatnotation#9 to address this

    – Eric
    Aug 19 at 23:40















-2

Great question/topic, and if the definition of password "management" here also includes "password generation", I would provide a Python program or similar that generates cryptographically-secure passwords of various lengths with just a few lines of code, and show the child how to easily run the program anytime they need a strong password (as this would be a better habit, in my opinion, than thinking of a strong password each time).

Here is a rudimentary example I built that is cryptographically-secure using the secrets module in Python and a library of 64 characters: https://github.com/hatgit/hatnotation/blob/master/Hatnotation-Password-Generator.py

Such 'secure' passwords, however, cannot be easily remembered as they look like a string of machine-readable code, unless the underlying binary is converted to mnemonic words so it can be easily written down.

I've also built an encoder/decoder (a notation system called Hatnotation), and with the above compatible password generator, for educational purposes, the underlying binary could be pasted into a mnemonic code converter, such as follows:

A random 22-character password generated from the range of 64 characters, where 64^22 == 2^132 in terms of bits of security/entropy, using the Hatnotation password generator: }FT}:+3'Z;:BB,LY^>EOPF

Underlying 132-bit binary that represents those 22 characters (non-ASCII; these are Hatnotation-encoded characters): 010111000100111100011011111011011001000010110100010100010011111001011111111100010101110000010111101011100110101100011100100001011101

Converted 132 bits into a mnemonic based on the BIP39 English wordlist (excluding checksum, and which can be an alternative to the Diceware options that @Forest provided), using a mnemonic converter that can work offline on a standalone basis:

shaft mistake rent bird eye very wisdom return kit culture improve ritual

An alternative is to teach them how to generate entropy in binary or hex format using the command line or code compiler (which is faster than flipping coins), and how to paste such binary into the mnemonic converter of their choice depending on the wordlist used (even if it is their own custom wordlist). In Python, there are a few secure ways to do so using the built-in secrets, uuid4() and os.urandom modules.

P.S. In terms of storage/password-custody retrieval, if passwords are saved in the browser's native manager, and there is a concern about logging into the browser (i.e. Google Chrome) session from public or other potentially-unsafe locations in order to access passwords for logging in to services such as the Scratch.Mit.edu website, I think adding a 2FA app such as Google Authenticator (assuming the youngster has a cell phone or compatible device, even if it is offline) could reduce the risks of those passwords being accessed by an adversary, if the login info was otherwise compromised.

answered Aug 6 at 12:11

Steven Hatzakis

353 bronze badges
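
The arithmetic in the answer above (64^22 = 2^132, and 132 = 22 × 6 = 12 × 11), as an added Python example that is not the answer author's Hatnotation code: one 132-bit draw from the secrets module is rendered both as 22 characters and as 12 words, and both decode back to the same bits. ALPHABET and DEMO_WORDLIST are assumptions made for this example; substitute a real 2048-word list such as the BIP39 English file.

```python
import secrets

# Assumed 64-symbol alphabet (URL-safe Base64 order); NOT the Hatnotation table.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz0123456789-_")

# Constructed stand-in for a 2048-word list such as the BIP39 English one.
DEMO_WORDLIST = [f"word{i:04d}" for i in range(2048)]


def random_bits(n_bits=132):
    """Draw n_bits from the OS CSPRNG, returned as a zero-padded bit string."""
    # A single uuid4() carries only 122 random bits, so it cannot fill 132.
    return format(secrets.randbits(n_bits), f"0{n_bits}b")


def chunks(bits, width):
    """Split a bit string into integers of `width` bits each."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("expected a non-empty string of 0s and 1s")
    if len(bits) % width:
        raise ValueError(f"{len(bits)} bits is not a multiple of {width}")
    return [int(bits[i:i + width], 2) for i in range(0, len(bits), width)]


def check_table(table, size):
    """A lookup table only preserves entropy if every entry is distinct."""
    if len(table) != size or len(set(table)) != size:
        raise ValueError(f"table must hold {size} distinct entries")


def to_password(bits, alphabet=ALPHABET):
    """6 bits per character: 132 bits -> 22 characters."""
    check_table(alphabet, 64)
    return "".join(alphabet[i] for i in chunks(bits, 6))


def from_password(password, alphabet=ALPHABET):
    check_table(alphabet, 64)
    return "".join(format(alphabet.index(c), "06b") for c in password)


def to_words(bits, wordlist=DEMO_WORDLIST):
    """11 bits per word: 132 bits -> 12 words (no checksum, as in the answer)."""
    check_table(wordlist, 2048)
    return [wordlist[i] for i in chunks(bits, 11)]


def from_words(words, wordlist=DEMO_WORDLIST):
    check_table(wordlist, 2048)
    index = {w: i for i, w in enumerate(wordlist)}
    return "".join(format(index[w], "011b") for w in words)


if __name__ == "__main__":
    bits = random_bits(132)
    print(to_password(bits))
    print(" ".join(to_words(bits)))
```

Both renderings carry the same 132 bits, so the word form is a way to write the secret down, not a second, weaker password.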




  • 2

    -1 a question about password management for kids is not the place to promote homebrew password generator scripts. -1 recommending to teach a kid to "generate entropy in binary or hex format using the command line or code compiler" does not seem to make any sense. -1 "Hatzakis Base 64" why make another variant of base64?!

    – Luc
    Aug 6 at 13:25

  • Where did you see homebrew? All software is trusted at some level, and I mentioned that the secrets module in Python is cryptographically-secure. The notation system I noted was made for educational purposes, and I listed alternatives. We can agree to disagree, I think my answer adds some good ideas and maybe some that aren't good for all cases. It's also a matter of opinion and style. What doesn't make sense to you about teaching a kid to use the command line or a compiler to generate entropy? It's something that adults should even do.

    – Steven Hatzakis
    Aug 6 at 13:49

  • Again, the end of the question states: "What's the best approach to take for a young, fairly bright child, to keep logins safe and train good practice in advance of more important accounts?" So I don't think what I added was too far off, especially as kids are becoming even more computer savvy.

    – Steven Hatzakis
    Aug 6 at 13:54

  • "why make another variant of base64" - opened hatgit/hatnotation#9 to address this

    – Eric
    Aug 19 at 23:40