Today’s blog is the second one in our 2023 Cybersecurity Awareness Month series and examines different factors associated with using strong passwords and a password manager. We interviewed NIST’s Yee-Yin Choong and Meghan Anderson to get their unique thoughts and insights.
This week’s Cybersecurity Awareness Month theme is ‘using strong passwords and a password manager.’ How does your work/specialty area at NIST tie into this behavior?
Yee-Yin: At NIST, I’ve been conducting research on human factors and the usability aspects of human-technology interactions. One research area is human-centered cybersecurity with a focus on youth and parents. Technology use by youths has increased at younger ages—putting more information online and creating new concerns for their safety and implications for their privacy. Most children’s earliest exposure to technology occurs under the supervision of their parents. Thus, parents are often the first external point of contact in a child’s password learning journey.
Over the past few years, I’ve conducted studies to understand children’s practices, perceptions, and knowledge regarding passwords, online security, online privacy, and online risks—as well as studies to examine what parents know and how they are involved in their children’s passwords and understandings of online security and privacy. From our survey study with over 1,500 kids (ranging from 3rd to 12th graders), we found that children don’t create complicated passwords—which often consist of concepts reflecting the current state of their lives such as sports, video games, names, animals, movies, titles (princess, queen, etc.), numbers, and colors. Another notable finding was that younger kids rely on family support for creating their passwords at home, which shows family plays a central role in establishing best practices and that parents impact perception and behavior towards creating passwords.
Meghan: As a privacy risk strategist, I support the Privacy Engineering Program (PEP) and other teams at NIST to develop privacy risk management best practices, guidance, and communications. PEP often considers how cybersecurity and privacy overlap—and that cybersecurity-related events can create privacy risks for individuals and organizations. For example, breaching an individual’s account would create access to their personal information, which may create potential problems for that individual. When it comes to using strong passwords and a password manager, both cybersecurity and privacy play a role in keeping your accounts and personal information secure.
How does using strong passwords and a password manager help people and/or businesses when it comes to cybersecurity? Why is it so important?
Yee-Yin: Passwords are still the most widely used authentication mechanism for gaining access to resources of interest. Passwords are the frontline defense to protect data confidentiality and integrity against cybercriminals and data breaches. Good, strong passwords help people to stay secure and private online.
Young people and children are “Digital Natives” who are raised in a digital, media-saturated world…and many have grown up with technology in their lives since birth. As children are doing more activities online, they are creating user accounts and passwords as required by those online systems. Youth are particularly vulnerable and active online users, but also arguably hold the most growth and learning potential as they are going through various developmental stages.
It is important to understand youth’s password practices and behavior, as well as their perceptions and knowledge of online security and privacy, in order to support their development for building lifelong positive online habits. Furthermore, on May 23, 2023, the Biden-Harris Administration announced actions to protect youth mental health, safety, and privacy online as stated in a White House Fact Sheet. An interagency Task Force on Kids Online Health & Safety was formed with the objective of advancing the health, safety, and privacy of children online. This Task Force effort underlines the importance of providing guidance and best practices to youth as well as their parents and legal guardians in protecting children’s privacy, health, and safety online—and, in the meantime, enjoying the benefits of using online platforms.
Meghan: How often have you used your pet’s name as a password? More often than not, when we think of strong passwords, we think of the security side of it. However, privacy plays a large part in strong passwords, as well. Privacy is not only what we share about ourselves online that others could see, but also our control over how our personal information is collected and who has access to it or how it is used. Strong passwords act as barriers against unauthorized access, making it more difficult for malicious actors to compromise personal accounts, sensitive information, and valuable data. Robust passwords not only prevent identity theft but also provide a foundational layer of security for verifying and managing digital identities.
What is NIST currently doing in this area (or planning for the future)?
Yee-Yin: NIST is actively participating in the interagency Task Force on Kids Online Health & Safety, which was formed with the objectives to advance the health, safety, and privacy of children online.
Meghan: NIST recently released the initial public draft of Special Publication 800-63 Revision 4, Digital Identity Guidelines. This publication offers requirements for meeting digital identity management assurance levels, as specified in each of its volumes, including requirements for privacy. NIST Special Publication 800-63B specifically discusses the management, use, and controls for memorized secrets, such as passwords or PINs, used to access online accounts and services.
Why is cybersecurity important to you personally?
Yee-Yin: To me personally, the cybersecurity space has great potential and benefits… as well as risks and negative consequences. There is never going to be a risk-free digital world. Keeping up good cybersecurity practices, such as using strong passwords and a password manager, will be key to enjoying the benefits of online technologies while staying secure, private, and safe online.
Meghan: Cybersecurity and privacy are important to me because they help to protect vulnerable individuals online. Cybersecurity and privacy work in tandem to provide people and organizations with the tools they need to be safer online. Without this, individuals could experience negative impacts that could harm their lives as a result of a breach in their privacy.
What is your favorite thing (or best memory) about working at NIST?
Yee-Yin: As a human-factors scientist, I’m very passionate about advocating for people’s interactions with technology to be easy, comfortable, and safe. My favorite part about working at NIST is that I get to apply my expertise on human-centered research, while also knowing my research has the potential to make positive impacts. In addition, I get to know so many brilliant researchers doing amazing projects at NIST. I never get bored with my job. I get to attend research seminars, meet and collaborate with other researchers, germinate research ideas, and learn new research methodologies.
Meghan: At NIST, I have the opportunity to work in collaboration with incredible people from across academia, government, and the private sector. In PEP, we get to conduct research on cutting-edge emerging technologies and discussions around privacy. One of my favorite memories while working at NIST was presenting on National Star Wars Day (May the 4th be with you!) and getting to have fun with my presentation by giving it a Star Wars theme. The PEP team loves finding fun, creative, and effective ways to communicate the importance of privacy risk management so that it has a lasting impact!
Please continue to check out our Cybersecurity Awareness Month 2023 blog series throughout the month of October! For more information on passwords, visit our Cybersecurity Awareness Month Resources page…and don’t forget to engage with NIST on Facebook and X (@NIST and @NISTcyber). You can also join in on the social conversations using the #CybersecurityAwarenessMonth hashtag.