Children are increasingly being exposed to, and using, technology from a very young age. This has never been more true than in 2020 when the vast majority of children worldwide have used online resources to access educational resources and communicate with family and friends during the COVID-19 pandemic.

Many of the resources and websites used, along with the devices they are accessed on, require the use of a password to authenticate the user. However, young children don’t necessarily have the skills and knowledge required to use and maintain these passwords appropriately. They are likely to use weak, predictable passwords and tell other children their passwords.

Children come from a variety of different backgrounds and their parents will have a wide range of cyber-related skills. They might pick up some password related knowledge but there is no guarantee that they will learn the correct principles.

This situation led us to wonder what principles children should learn, and when they should learn them. To answer this question, we carried out research to:

1. Determine what current best practice is with respect to password management, gathering the information from international standards bodies. We wanted to gather a set of password “best practice” principles.
2. Gauge the best age at which to introduce each “best practice” principle by consulting the child development literature.
3. Develop three sets of age-appropriate password “best practice” principles, to ensure that children learn the correct principles as and when they are ready for them.

Organisations have tended to advise that passwords should be at least eight alphanumeric characters long, contain digits or punctuation characters as well as letters, and both upper and lower case characters.

This essentially imposes complexity requirements on passwords. But in 2017, the National Institute for Standards and Technology, the UK’s National Cyber Security Centre and the Centre for Protection of National Infrastructure published revised password guidelines. One important change is that length, not complexity, characterises strong passwords. Other…