💭 Educating security

Slowly spreading good security practices from a tender age

A real story of how following good security practices is both easier than ad-hoc methods and quick to spread to others.

“Father pointing to a slate board with a lock drawn in chalk and his 2 twin sons looking at it, in black and white crayons” (DALL·E)

For a bit of context…

In 2018, the company I’m working in decided to roll out 1Password Business to all employees, which includes free family accounts for personal usage.

I had heard about 1Password before but thought of it as just one more password manager amongst many. For my needs, the default solutions bundled in browsers and operating systems were more than enough.

Last year I got the chance to use 1Password with a Team Vault for work (in a project for a client). It gave me hands-on experience of how powerful the software is and the wide range of possibilities it offers, but I paid no more attention to it.

Fast forward to February 2019, when my two 10-year-old twins brought home their new school-assigned tablets. Along with them came the usual myriad of access credentials for school email accounts, digital books and resources, online classroom forums, etc.

Both their devices and access credentials came predefined with default rules for passwords, like [school process number][first name] (e.g. 12345hugo) — quite convenient for those setting up the devices, right?

Students’ full names and process numbers are posted in the school lobby for all to see at the beginning of the school year. It shows who was placed in that school and in which class.

This means that, if not changed, everyone knows everyone else’s passwords! 😱

Security-wise, an appalling default practice.

As the twig is bent, so is the tree inclined

I’m a firm believer that security cannot be an afterthought: it needs to be designed and built in right from the start.

“No way”, I thought as a parent. “They are going to learn good security practices from the start…”

“So, what was this ‘1Password Family plan’ thing again? 🤔”

A few hours spent exploring it on a weekend, and not long after I had each one of them set up with:

  1. Their own vault on their tablets with auto-generated credentials for all the school services
  2. Another shared vault with the family stuff (e.g. home wifi password)
  3. A chosen strong and long master password made up of words of “things they like” (inspired by xkcd: Password Strength)

That same week, arriving from school, one of my kids asked:

— “How can we set up and install this vaults thing?”
— “Why do you want to know?”
— “To tell my friends. They saw me using it and also want it, but their parents don’t know how to do it” 😁

Planting a seed and leading by example, two of the most effective ways of driving change, displayed here in practice in the real world.

(So, anyone know a simple “1Password: Getting Started Guide for Kids” that I can translate to Portuguese and have them send their friends?) 😉