Hard-to-guess but easy-to-remember: understanding children's password security issues

Authors: Lamprini Chartofylaka, Pinelopi Troullinou, Antoine Delcroix

Please cite as: Chartofylaka, L., Troullinou, P. & Delcroix, A. (2022): Hard-to-guess but easy-to-remember: understanding children's password security issues. In S. Kotilainen (Ed.), Methods in practice: Studying children and youth online (chapter 4). Retrieved DD Month YYYY, from https://core-evidence.eu/methods-toolkit/handbook-part1/handbook-password-security, doi: https://doi.org/10.21241/ssoar.83031.

In recent years, children experience new educational settings through digital devices from a very young age. They also encounter an increased reliance on such devices to stay in touch and play with peers. This new reality brought afresh into public debate children’s data and online privacy (Livingston et al., 2019). There is a growing body of research on children’s knowledge and understanding of authentication practices and privacy issues (Ratakonda et al., 2019). Regarding password generator practices, children tend to include personal information (Maqsood et al., 2018). Yet, they show difficulties forming strong passwords that they can memorize (Choong et al., 2019).

This paper presents key methodological steps employed at the TiNum project which focuses on password security issues for primary school students aged 10-11 years old. The research took place in 6 classes (114 pupils in total, 19 in average per class) in the archipelago of Guadeloupe (French West Indies) between November 2020 and May 2021. Storytelling was adopted as a pedagogical approach on teaching children strong password techniques. The ultimate goal was to develop a toolkit for teachers and parents devoted to raising awareness on data protection online and cultivating digital literacy skills.

The research activities were conducted in a real-world school setting for two subsequent days for the same class. Each activity was divided into two phases (first day: phase A, second day: phase B) lasting for an average duration of two hours. Prior to the implementation of the project, written consents were obtained from both parents and local school districts. The study was carried out by a researcher (first author) in the presence of the teacher of the respective class. 

During phase A, children’s prior knowledge on the concept of “password” was assessed. They were invited to write down or draw their ideas on a sticky note responding to the question “What is the first word that comes to your mind when I tell you ‘password’?”. Based on their responses, several topics were discussed such as the purpose of a password, the different forms of unlocking digital devices (unlock patterns, voice recognition, etc.), the utility of unique and different passwords for every use. Following, their privacy, online identity and security were discussed, especially when using social media. Examples from the list of the most common French passwords (123456, password, AZERTY, soleil¹…) were then used to explore password generator patterns. This activity introduced the discussion on the use of personal information (e.g., date of birth), dictionary or common words when creating passwords. Here, the idea of “password cracking” either by people close to us who can predict our behavior or by brute force attacks was explained and discussed. The final task entailed the development of a strong password construction strategy using a given random name (written in lowercase) and date of birth (number). Children gave different ideas: mixing letters and numbers, using uppercase and lowercase, omitting some numbers. This hands-on activity allowed researchers to teach them official “best practices” on password principles (ANSSI, 2012) using their propositions.  

The activity of phase B was based on the technique of storytelling, inviting children to generate their own imaginative stories. A storyboard template, including six empty boxes, was given to them. Following the researcher's instructions, they filled in step by step their story elements: hero(s), goal(s), friend(s), enemy(ies), triggering event, end of story. Children could write or/and draw according to their preferences. Once they had filled their template, they were asked to pick two distinct words from their story and create a strong password applying the rules they had learned in the previous phase (Figure). Stories produced in this context assist them in creating a unique and memorable password, serving as a “mnemonic device” (Chartofylaka & Delcroix, 2018). 

This approach allows the teacher/educator to explore and identify students’ knowledge and beliefs on a wide range of online security topics (phase A). Storytelling technique also fosters children’s knowledge and digital media skills in a playful and engaging way: Phase B allows children to implement new knowledge acquired while encouraging their creativity.

Lessons learned

• The study showed that introducing playful techniques to raise awareness and cultivate skills in rather complicated issues such as online security and behavior can be very effective. 

• During research activities children, parents, and educators expressed ethical concerns over internet use such as anonymity. Therefore, dedicated sessions to discuss ethical issues related to cybersecurity could be planned accordingly.

• Wrap up sessions during which participants can discuss their own examples with their peers and their teacher could be useful. A password strength checker³ could be used for verification.

¹ See the Richelieu project on github.com/tarraschk/richelieu

² “azerty” refers to the French-language keyboards, which follow an azerty layout; “soleil” means “sun” in French.

³ An example of a password strength checker can be found here: https://scratch.mit.edu/projects/530311216/

Acknowledegments

This project is funded by the Scientific Interest Group (GIS) “Jeu et Sociétés” (AAP 2019-2020).


Download the full handbook here: PDF.