From the mouth of babes, part 12398

A couple of weeks ago I got myself invited to my oldest son's fourth-grade class to talk to the kids about security. The teacher is really into technology and is doing some very cool stuff. Unfortunately, he is not very into security, yet, so that part was, shall we say, lacking. He created this really neat literature blog about books they were reading and the kids were supposed to submit comments to the blog. I sent the teacher a note asking if he accepted anonymous comments. The answer: "No. I told the kids they have to put their names on the comments."

So, this entire discussion launched into a mini-lesson on security, and the next thing I know I have a date to go speak to the class, and I now have to figure out what to talk about. A couple of days before I was out driving with all my kids and decided to talk to them about passwords and how you should come up with long ones, how you can write them down and hide the note somewhere only you know where it is, and how you should never tell anyone, even your brothers and sisters, what they are.

My oldest son, who is very security savvy, immediately echoed all this to his younger siblings. "Yeah, that's right. You should have a long password. Mine is 'expialidocious'." I asked whether he hadn't listened when I told him, about thirty seconds ago, not to tell his brother and sister what the password was. His comment was totally priceless:

"But dad, it's OK. They don't know how to write!"

Way to show me up. I guess it's OK to tell someone that doesn't know how to write what your password is, as long as you change it before they learn how.

Published Tue, Oct 9 2007 12:53 PM by jesper

Comments

# Brant Gurganus said on 09 October, 2007 04:02 PM

But you do know how to write and just told the world the password. I doubt that was the real password though.

# Aaron Margosis said on 10 October, 2007 09:53 PM

Of course, there are very different security issues around kids posting information about themselves online, especially when associating PII (like their names) with it.

# Susan said on 13 October, 2007 06:26 PM

When I was a little girl and Mom and Dad would want to talk about something and not let me know what they were talking about (like Christmas, a birthday, etc.), they would spell the word they didn't want me to hear if I happened to walk in the room or be in the room. This "cryptology" of sorts was done knowing that at that age, even though I was in school, I couldn't put the letters together in my brain fast enough to understand what they were talking about.

Well you can see where this is going... a bit later I realized that if I could remember the letters long enough to go run to a piece of paper to write the letters down, they magically turned into a word.  I would then yell out "hey you are talking about ______" ....whatever they were talking about.  

Needless to say their rudimentary form of cryptology and "encryption" of private messages only lasted so long.

# Ruthie Bailey said on 18 October, 2007 11:33 AM

But, what if the site requires a short password, a six, seven, or eight digit one?  No passphrases allowed, of course!

# *** Carlson said on 18 October, 2007 11:37 AM

That's why when I was working in Marketing, I told everyone in the building what my password was...

# Ruthie Bailey said on 18 October, 2007 11:45 AM

If you read long enough and thoroughly, the answers will be found. The first tip, Microsoft's advice on creating strong passwords, answered my question above. Let this be a lesson to me!

# Phil Somerset said on 18 October, 2007 11:59 AM

Well, actually, it's only part of the word. The full word from Mary Poppins is Supercalifragilisticexpialidocious. And you're right; he will probably have changed it many times before his sibs are old enough to write.

I use a simple program called PWSafe. It's a password-protected password database. Its coolest feature is to let you double-click on the account entry to put the password into the paste buffer. You can then paste it into the password field without anyone being able to see it. I've got accounts where I let PWSafe generate a random password. I don't even know what it is! I just cut and paste.

# Jaynewannabe said on 18 October, 2007 01:11 PM

I disagree with the PWSafe feature as being secure if it copies it to the clipboard...I use Roboform at times, which even has a keylogger defeater (pop-up qwerty panel) but even that could be compromised with that proof-of-concept multiple screenshot program.

If I knew anything about programming, I'd write it just to see if it could be done. I love stuff like that.

I like to have fun by telling people "I have the *COOLEST* password EVER!"

# wng_z3r0 said on 23 October, 2007 03:35 PM

If you don't trust the computer you are entering passwords on, then you shouldn't be entering passwords in the first place. Even those so-called on-screen keyboards can be logged.

wng