Passwords, Passcode and Passphrase – Unit 4 #Primary

There is so much written about passwords: what makes a strong one and how to go about maintaining them. For example, the Twinkl team recommends six rules:

  • include numbers, letters and symbols
  • use at least one capital letter
  • make it something you will remember but others won’t think of
  • make sure it has eight characters or more
  • never use obvious names or dates
  • never write down or share your password

Charlotte Empey provides the following tips:

  • Stay away from the obvious
  • Make it long
  • Use a mix of characters
  • Avoid common substitutions
  • Don’t use memorable keyboard paths
  • Avoid using single words

Associated with these tips, she puts forward some particular strategies:

  • Revised passphrase method where you compose a phrase using bizarre and uncommon words, a phrase that gives you a mental image.
  • The sentence method combines a random sentence with a rule that makes it gobbledegook.
  • Muscle memory method where a random group of characters is memorised as a pattern.

Micah Lee elaborates on the discussion of passphrases, discussing the Diceware method:

Grab a copy of the Diceware word list, which contains 7,776 English words — 37 pages for those of you printing at home. You’ll notice that next to each word is a five-digit number, with each digit between 1 and 6. Here’s a small excerpt from the word list:

24456 eo
24461 ep
24462 epa
24463 epic
24464 epoch

Now grab some six-sided dice (yes, actual real physical dice) and roll them several times, writing down the numbers that you get. You’ll need a total of five dice rolls to come up with the first word in your passphrase. What you’re doing here is generating entropy, extracting true randomness from nature and turning it into numbers.

If you roll the number two, then four, then four again, then six, then three, and then look up in the Diceware word list 24463, you’ll see the word “epic.” That will be the first word in your passphrase. Now repeat. You want to come up with a seven-word passphrase if you’re worried about the NSA or Chinese spies someday trying to guess it (more on the logic behind this number below).

Using Diceware, you end up with passphrases that look like “cap liz donna demon self,” “bang vivo thread duct knob train,” and “brig alert rope welsh foss rang orb.” If you want a stronger passphrase you can use more words; if a weaker passphrase is OK for your purpose you can use less words.
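The lookup described above, as an added example (not code from Micah Lee's article or from this post): it turns five rolls into the five-digit key, shows why 24461 directly follows 24456 in the list, and computes the entropy of an n-word passphrase. The function names are hypothetical, the word list is only the five-line excerpt quoted above, and `roll_dice` is an assumed software stand-in for the physical dice the text calls for.

```python
import math
import secrets

# Excerpt of the Diceware list as quoted on this page (the full list has 7,776 entries).
EXCERPT = """\
24456 eo
24461 ep
24462 epa
24463 epic
24464 epoch
"""
DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7,776 possible five-roll outcomes


def parse_wordlist(text):
    """Parse 'NNNNN word' lines into a dict keyed by the five-digit roll string."""
    return dict(line.split() for line in text.splitlines() if line.strip())


def rolls_to_key(rolls):
    """Turn five dice rolls (each 1-6) into the lookup key, e.g. [2,4,4,6,3] -> '24463'."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """Zero-based position in the sorted list: the key read as base 6 with digits 1-6."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def roll_dice():
    """Assumed stand-in for physical dice, drawing from the OS CSPRNG via secrets."""
    return [secrets.randbelow(6) + 1 for _ in range(DICE_PER_WORD)]


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n_words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = parse_wordlist(EXCERPT)
    print(words[rolls_to_key([2, 4, 4, 6, 3])])  # the worked roll from the text
    print({n: round(entropy_bits(n), 1) for n in (5, 6, 7)})
```

The entropy figure only holds when every word is chosen by an unbiased roll; swapping out a word because it is hard to spell or remember lowers it.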

In his guide to safer logins, Richard Barnes suggests:

  • Use random passwords, and use a different password for every site
  • Use a password manager to make creating and remembering passwords easier
  • Make your answers to security questions just as strong as your passwords
  • Use “two-factor authentication” wherever you can
  • Pay attention to the browser’s security signals, and be suspicious

Elaborating on two-factor authentication, Chris Betcher explains it as ‘something you have and something you know’:

The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember. But it’s not enough. It’s just one factor.

The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password. Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.

All this advice is helpful, but not necessarily practical for young learners. Although a passphrase made using the Diceware method, used in association with two-factor authentication, may be considered an ideal outcome, the question remains: how are young learners supported in building up the confidence and constructive capacity to manage such workflows?

In regards to learning activities, there are various resources available. However, too often they come across as one-off lessons, a passing of the knowledge akin to the Matrix, rather than a gradual release over time.

The risk with this approach is that if a student was not there for this one-off experience, then they can miss the transfer of knowledge.

One person to approach the problem differently is Audrey Nay, who has put together a continuum of learning starting at Prep and going to Year 6. The journey starts with basic passwords made of letters and ends with a 6-character mnemonic with a mixture of numbers, upper and lower case, and punctuation. Although I like how she has broken down the sequence of steps across the years, I wonder about the outcome of a 6-character mnemonic, as opposed to a passphrase. As Micah Lee explains,

Not too bad for a passphrase like “bolt vat frisky fob land hazy rigid,” which is entirely possible for most people to memorize. Compare that to “d07;oj7MgLz’%v,” a random password that contains slightly less entropy than the seven-word Diceware passphrase but is significantly more difficult to memorize.

In regards to passphrases, Ian Addison talks about getting younger students to combine two unrelated words that they can spell, while the eSafety team suggest providing multiple columns, where students choose one option from each. I wonder if a useful approach is to start with one word chosen from a simple list and progressively build up to something like four words taken from a more complicated list of words.

Supporting the process of reflection, passwords resource developed in conjunction with and Common Sense Media flips the various requirements into a series of statements. An approach could be used where each stage is defined by a different set of questions built up across time.

One of the other challenges to passwords being a ‘once-off’ activity is that such activities are often done to students, rather than with students. This often stems from the ramifications of poor passwords. For example, sometimes platforms have built-in feedback mechanisms that force users to enter a number, character and symbol. Also, based on logistics, passwords are often managed for students using generators like Dinopass or Google Sheet templates. Digital Technologies Hub’s answer to this is to go beyond a mere list of rules, suggesting that students create an artefact (i.e. a poster) explaining their understanding. Alternatively, sites like How Secure is My Password can be useful to support students in testing processes.

This all has me thinking about alternatives for logging in, such as the use of biometric information, patterns and images. I wonder what ‘passwords’ might look like for students in ten years’ time?

