Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?

Yes, Passwords...but...

by CrossEyedMonk (Initiate)
on Jan 10, 2002 at 09:45 UTC ( #137679=perlquestion: print w/replies, xml ) Need Help??

CrossEyedMonk has asked for the wisdom of the Perl Monks concerning the following question:

g'evening and g'day,

OK, I know passwords have been covered here before but I've got an interesting scenerio and I've come to the Monks for input. (If you would be so kind)

The scene: Online testing site for kids 8 - 17 years of age.
Client: possible public school computers, or home computer.
Can't email password. (kind of good).
Kids may forget very cryptic password.
If they forget the password, can't email reminder.

Must sleep...

If this is too, uh,.. too something then tell me I'm stupid, I can live with that.

g'nigh... zzzzzzzz

Replies are listed 'Best First'.
(cLive ;-) Re: Yes, Passwords...but...
by cLive ;-) (Prior) on Jan 10, 2002 at 10:19 UTC
    1. ask Silly question - previously stored ("What is your dog's name?")
    2. if OK, prompt to set new password - move existing to an 'old password' field somewhere
    3. show warning at next logon for X weeks that password has been changed and that if they want to use their old password to enter it instead - Don't allow password change during this period.
    4. if they enter old password, replace new with old, delete stored old and prompt for new security question (which has obviously been compromised)

    Not 100%, but it will do...

    cLive ;-)

Re: Yes, Passwords...but...
by joealba (Hermit) on Jan 10, 2002 at 10:48 UTC
    One thing to keep in mind when you're dealing with any information from kids under 13, in case you aren't already aware:

    Children's Online Privacy Protection Act of 1998

    "The statute and rule apply to commercial Web sites and online services directed to, or that knowingly collect information from, children under 13. To inform parents of their information practices, these sites will be required to provide notice on the site and to parents about their policies with respect to the collection, use and disclosure of children's personal information. With certain statutory exceptions, sites will also have to obtain 'verifiable parental consent' before collecting, using or disclosing personal information from children."

    It's a little unclear if your project is a specific school project or if it is for an Internet Web site. So, depending on your situation, just be careful.

    Updated: ...if you live in the U.S. Thanks, cLive ;-). MS hasn't released 'World Government XP' yet. Resistance is futile. The claw is my master.
      If we have to make assumptions, let's assume that:

      "g'evening and g'day"

      points to Australia and not the US. And being in a time zone 8hrs later than me in LA points to Western Europe, probably UK since they're happy with colloquialisms in English (unless they didn't state their time zone when they set up their account :). So my assumption is a tired Australian in London crawling to bed just after 4am asking a bleary eyed question. But hey, that's just an assumption too.

      You may be eager for the 'World Government' to become a reality, but 'til then, let's not jump the gun :)

      cLive ;-)

      ps - IANAL (I Am Not A Lamellibranch) - most of the time...

        NorCal Developer who GET'S UP at 4:00AM, blearly-eye'd from 4 hours round trip to Monterey, driving in South Bay Traffic from a 6 hour meeting. Asking question before falling into bed.

        You were close though. I didn't realize I was being so cryptic.. just silly. SDS (Silly Daddy Syndrome) way too much Nic.

Schoolkids and passwords
by andye (Curate) on Jan 10, 2002 at 16:47 UTC
    In work I've done on a similar project (younger age range though, 5-12) we assumed that the kids *wouldn't* be able to remember a password (let alone a 'very cryptic' password).

    Nightmare scenario: class of 30 kids, all saying "Miiiiss, I've forgotten my password".

    Our solution was to provide schools and teachers with passwords, then cookie the browser so the kids didn't have to log on at all. Obviously this approach means either that you can't keep seperate records for each kid, or that kids have access to each other's saved data (e.g. if they log in by name without a password).

    I can see that either of these could be a problem in a testing environment, but I'd advise thinking carefully about the ability of an 8-year-old to remember a normal password. Our educationalists reckoned they couldn't, or not reliably enough.

    Perhaps you should consider a simpler scheme? Obviously if it's intended mostly for home use, then you can get round the problem with cookies, to some extent (though siblings could be a problem).

    Sorry not to be more helpful with the stated problem!


Re: Yes, Passwords...but...
by hatter (Pilgrim) on Jan 10, 2002 at 18:55 UTC
    I like the idea of a security question, though in a playground situation 'what is your favourite colour' is sucepible to brute force attacks, and 'who is your favourite band' would have a short expiry time. I've noticed that online banks and the like will often ask you several security questions, and ask you a random one though, which might suit your needs.

    Alternatively, scenario-dependant, you can either produce a teachers control panel where the teacher can log in, and click a name from a list for a new one (if it's for a classroom environment) or issue each parent with a password that will reset their childs password.

    Have you considered 'something you have' as a method rather than 'something you know' (I'm guessing that 'something you are' is a bit out of your budget) give them long, cryptic passwords, printed on a label on a keyring. That way they can get it when they need it, and yet should still take good care of it.

    Though knowing kids today, you could just use SecurID with software on their mobile phone.

    the hatter

Re: Yes, Passwords...but...
by Zaxo (Archbishop) on Jan 10, 2002 at 10:48 UTC

    Your problem is likely to be identification, not authentication. Tough to do in that environment.

    After Compline,

Re: Yes, Passwords...but...
by YuckFoo (Abbot) on Jan 10, 2002 at 21:52 UTC
    How about lists of simple adjectives, nouns, verbs, etc. You could randomly combine them in simple, common ways, adjective-noun, noun-verb, and so on.

    Here's a bunch of random adjective-nouns:



      hmmmm ....


      ... back to work

Append:: Yes, Passwords...but...
by Anonymous Monk on Jan 10, 2002 at 23:11 UTC
    Thank you for your input. All of your comments when taken together make for really good ideas. It is for a Dept of Edu. Sponsored project. I forgot to ask the CTO of the project about the COPPA stuff. I did this morning via email, I'll see the imapct. I like the keychain idea, perhaps a bookmark or something for the backpack. Well Thanks again, that why I like to visit the Monastery.
    Yes it's dark and damp, and the food it's... OK. But when you all start drinkin' and talking code, boy you sure hear some good stuff!

    See ya'

      My two younger sisters use a computer system at school that has a student ID based user/password system. My youngest sister is 8 years old and has memorized her password the last 2 years with little difficulty. She even made the remark that the kindergardeners use the same system. I think that a number system based on a frequently used number (such as student ID) is not a bad idea since it seems as though they have had no problem remembering their passwords, and it provides for maximum security against other students invading their personal files, or in this case tests.

      On a side note, my youngest sister can still manage to bark out last years (and the year before that) codes. She is in no respects any more intelligent than the other students, nor does she have a better memory, but a reptition of numbers as thus (I believe the school uses these numbers as codes to buy school lunches) forces the child to remember. So in my opinion a system of number codes (that corespond to other student ID numbers where applicable) is a potential solution to your password problem.

Re: Yes, Passwords...but...
by little (Curate) on Jan 16, 2002 at 23:51 UTC
    Erm, I'm just thinking about my neph, which is very good at playing "Memory". So here just comes as an idea for an approval of concept:
    • create an array of 16 up to 25 images (more or less, just as you like) and melt them together as an imagemap that gets determined by ther server
    • let the kid choose an order in which it picks a number of images (least 6, most 12), eg. the key now is "car, dog, shoe, key, kid, bicycle"
    • the child may have a plain text as a login, but a password that is specified by cordinates, which can only be written to clear text if you know (see) the imagemap, which can differ every time, e.g. once you have a red greyhound (dog) and the other time a green shephard(dog)
    • when the user (here its a kid) comes back, shuffle your images to a new map
    • when entering the key (clicking on the map in the right order) the user can authorize
    But ok, it's just one more idea cause I've got to much time currently.
    Have a nice day
    All decision is left to your taste

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://137679]
Approved by root
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (3)
As of 2022-05-16 23:04 GMT
Find Nodes?
    Voting Booth?
    Do you prefer to work remotely?

    Results (64 votes). Check out past polls.