January 26, 2022

NIST Study on Kids’ Passwords Shows Gap Between Knowledge of Password Best Practices and Behavior

From the National Institute of Standards and Technology:

When it comes to passwords, the challenges are endless. We must create multiple passwords to manage our many online accounts, from email to shopping sites and social media profiles. We have to safely keep track of these many passwords and ensure they’re strong enough to reduce the risk of cyberattacks. All of these reasons emphasize why education and training are so important for strengthening passwords and protecting personal accounts.

The problem isn’t limited to just adults. Children may seem more technologically savvy because they’ve grown up in the digital space, but they still face the same cybersecurity threats. So, to shed light on what kids understand about passwords and their behavior in creating and using them, researchers at the National Institute of Standards and Technology (NIST) conducted a study that surveyed kids from third to 12th grade.

The study found that children are learning best practices, such as memorizing passwords, but are demonstrating a gap between their knowledge of good password practices and their behavior. The NIST researchers present their findings today at a virtual cybersecurity conference called USENIX Security Symposium 2021.


“Younger children rely on parents a lot. Their first passwords were either given to them at school or by a parent to open their phone or tablet. So, what kind of guidance can we provide?” said NIST researcher Yee-Yin Choong.

The researchers surveyed more than 1,500 kids from ages 8 to 18 who attended schools across the South, Midwest and Eastern regions of the U.S. Teachers administered two versions of the survey, one for third to fifth graders and the other for sixth to 12th graders. Each survey featured the same questions but had different age-appropriate language.

On the plus side, results from the study showed that kids are learning best practices on passwords, such as limiting their writing of passwords on paper, keeping their passwords private, and logging out after online sessions. They’re also not burdened with a lot of passwords as adults are, with kids on average reporting they have two passwords for school and two to four for home.


Password strength increased from elementary to high school students. Examples of stronger passwords among middle and high school students included “dancingdinosaursavrwhoop164” and “Aiken_bacon@28.”

But despite the evidence that kids are learning best practices, they also demonstrated bad password habits. They tended to reuse passwords, a habit that increased in frequency from elementary to high school students, and shared their passwords with their friends. “For adolescents, an important part of building friendships is building trust, which is shown with sharing secrets. Their perspective is that sharing passwords is not risky behavior,” said Choong.

Read the Complete Summary Article

Note: The full-text conference paper and presentation slides are also available.

M. Theofanos, Y-Y. Choong and O. Murphy. ‘Passwords Keep Me Safe’ — Understanding What Children Think About Passwords. 30th USENIX Security Symposium 2021. Aug. 11, 2021.

About Gary Price

Gary Price (gprice@mediasourceinc.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. Before launching INFOdocket, Price and Shirl Kennedy were the founders and senior editors at ResourceShelf and DocuTicker for 10 years. From 2006-2009 he was Director of Online Information Services at Ask.com, and is currently a contributing editor at Search Engine Land.