Many of us currently operate in the conditions of quarantine, which means limited opportunity to leave the house. In many countries around the globe, children are forced to stay at home as many nurseries and kindergartens are closed and school classes are suspended until further notice. Just to give you some idea about how important this problem is - consider the following. In the US alone, 33.6 million families include children under age 18 - about two-fifths of all families. In the UK, 4.6 million households have dependent children under the age of 16, where all parents in the household are working, of which 3.7 million are couple households and 842,000 are single-parent households. Furthermore, 50% of these households have at least one child, who is 5 years of age or younger. If all these families were to make special provisions for home schooling or home care for their children, 1 in 7 workers in the UK would be affected by this change. This problem is even more severe in many other countries, where number of children per household is significantly higher.
On the one hand, quarantine might be a good for families, as, presumably, parents spend more time with their children. Yet, on the other hand, the reality of the situation is that parents have to work from home, leaving children to supervise their own interactions with gadgets and computers. Under these circumstances, making sure that children are familiar with at least some cybersecurity basics is very important.
While there are many aspects associated with security of children online, in this post we will talk about the basics - passwords. How do children set up passwords? What does behavioural research say about the way in which children authenticate and interact with their passwords?
Children and Screen Time: Main Patterns
Up to 2019, limited research was published on children and cybersecurity. There are many reasons for this, but probably one of the most important reasons is the difficulty in engaging young children into studies and obtaining all necessary ethical as well as parental approvals for researchers to be able to investigate these issues. Yet, in 2019, the Journal of Cybersecurity published a study by an international group of scientists, who conducted in-depth research on this topic. Yee-Yin Choong, Mary Theofanos, Karen Renaud, and Suzanne Prior conducted a survey involving 189 children from 3rd to 8th grade in two Midwestern schools in the US. For those of you, who are not familiar with the American education system, 3rd graders in the US are usually aged 7 or 8 and 8th graders are typically aged 12-13. This group of researchers is currently working to expand this study to cover the entire geography of the United States.
The study reported very interesting patterns with the children's screen time. The overwhelming majority of children (from 7 to 13 years of age) were allowed screen time after school and had exposure to computers on both weekend days.
Source: Yee-Yin Choong, Mary F Theofanos, Karen Renaud, Suzanne Prior. “Passwords protect my stuff” — a study of children’s password practices.Journal of Cybersecurity, Volume 5, Issue 1, 2019, Figure 1.
Furthermore, the majority of children (from 7 to 13 years of age) were allowed at least 1 hours of screen time on weekdays and over 3 hours on weekend days.
Source: Yee-Yin Choong, Mary F Theofanos, Karen Renaud, Suzanne Prior. “Passwords protect my stuff” — a study of children’s password practices.Journal of Cybersecurity, Volume 5, Issue 1, 2019, Figure 2.
How Do Children Interact with Passwords?
An average 7 to 13-year-old in the study has 6 passwords, two of which they use at school and 4 at home. The study reveals that the children understand well, that passwords are needed to protect their personal information. Over 97% of 3-5 graders and over 97% of 6-8 graders memorise their passwords. Yet, at the same time, in addition to memorising, over 1/3 of children also write down their passwords. Furthermore, almost 65% of 3-5 graders let computer auto-fill their passwords and over 35% share their passwords with family members. Older children (6-8 graders) are a lot more cautious, as less than 37% of them let computer remember their passwords and close to 10% ask family members to memorise their passwords.
Perhaps, the most surprising result of the study is that some children trust their friends with passwords, although the relative proportion of such cases is low. Specifically, almost 2% of 6-8 graders and over 10% (!!!) of 3-5 graders admit that they let their friend have their passwords.
Source: Yee-Yin Choong, Mary F Theofanos, Karen Renaud, Suzanne Prior. “Passwords protect my stuff” — a study of children’s password practices.Journal of Cybersecurity, Volume 5, Issue 1, 2019, Figure 3.
Do Children Set Up Strong Passwords?
On average, 3-5 graders set up 7-character passwords, while 6-8 graders have 10-character passwords, which in itself is not bad. However, the main problem is that children often set up weak passwords. The Choong et al (2019) study argues that all passwords could be assigned a sophistication score on a scale from 1 (weak) to 5 (strong). For example, weak passwords with a score of 1 may include: "12345", "Yellow", "Game 1234", "happydays", etc.; while strong passwords could be “Puppy uppy gamer 15.” and “dancingdinosaursavrwh00p164” (see Choong et al., p.8). If we adopt this classification, then only 13% of children (in both age groups) set up level-5 passwords.
Source: Yee-Yin Choong, Mary F Theofanos, Karen Renaud, Suzanne Prior. “Passwords protect my stuff” — a study of children’s password practices.Journal of Cybersecurity, Volume 5, Issue 1, 2019, Figure 7.
Why does it happen? Unsurprisingly, children set up weak passwords for exactly the same reason adults do. Our brains were not wired to remember word-digit-special-character combinations, which modern security systems require. Hence, children set up weak passwords or share their passwords with others not because they are irrational, but because they simply cannot recall sophisticated passwords every once in a while (especially if they have to memorise 6 passwords, on average).
The current COVID19 outbreak may have increased children's access to computers, gadgets and screen time, forcing parents to think about cyber security of their kids online. What can be done? What is the solution to the problem? As a first step, a good idea is to update our own knowledge of what constitutes a strong password. There are many online guides for this. I prefer this one from GCHQ, but you can use the one you like. As a second step, we need to have a chat about password strength with our kids, explaining to them how passwords are usually discovered or stolen by cybercriminals and other adversaries as well as discussing the potential consequences of password theft. If you have not talked about this with your child - you do need to prioritise it, because if we, as parents, will not engage with the cyber security education of our kids, no one will.