
Why do we teach children how to lock their bikes but not how to choose a good password?






I previously shared this article via the Digital Trust (DTC) Community.
In my presentation at the Digital Trust Community Event, one of the questions I asked was: Why don't we teach our kids how to protect their digital identity? These skills are not only important during their youth: they take these habits with them to school and later to work. What is learned young lasts a lifetime; we all need the same phased approach that we take for granted in other things, such as traffic education.
And, as a bonus, what should we do now to change this mislearned behavior?
We teach children to ride a bike, but not to be digitally safe
In the physical world, we start early with safety lessons. Preschoolers learn that they are not allowed to just cross the street. At primary school, they take a cycling exam. As young adults, they receive both theory and practical driving lessons. But for their digital life? Hardly any, even though an 8-year-old these days already has their own tablet and creates accounts for games.
As a result, we have all grown up into adults without digital safety instincts: adults who use the same weak passwords they came up with as teenagers, and who don't realize that their Minecraft password from the past now also provides access to their work mail.
We treat digital safety as if it were a technical problem that adults will solve on their own. But no one is born with password knowledge. Just like no one automatically knows how to cross the road safely.
The problem: 70 digital identities, none secure
The big challenge is that while in the physical world we only need a handful of keys, in the digital world we need an average of 70 to 100 digital keys, because our data is spread across a large number of online accounts. This number has gradually grown since the 90s - from that single Hotmail address to a proliferation of accounts. Sometimes you even need to create an account if you want to stay at a campsite in France. For security, each of those accounts should have a unique password, just like each bike has its own key.
Our measurements at Dutch municipalities show that we're really bad at passwords: 70% of accounts use recycled passwords and 20% have weak passwords, such as "Welcome2023". Of these passwords, 16.7% have already been stolen. The combination of these numbers is worrying: if you use the same password everywhere and that password is stolen from one website, criminals have immediate access to all your other accounts - from your work mail to your health insurance.
The stronger the password, the more it is reused. This is understandable — our brain isn't designed to come up with and remember a new complex password for each account. But no one has ever taught us how to solve this.
Why technology alone is not a solution
Technical innovation in authentication is advancing at a rapid pace: SSO, MFA, passwordless, Passkeys - every few years new solutions are added that bring real improvements. The challenge, however, remains adoption. For example, out of the 275,000 websites in our database, up to a few hundred support Passkeys.
For each new solution, the digital infrastructure must be adapted. Organizations need to adapt systems, developers need to implement new standards, and users need to get used to new ways of working. That takes time, a lot of time. During that time, yet another solution will be created whose adoption also takes a lot of time. And before you know it, a situation arises where many different solutions have to be used side by side because none of them works everywhere. Sound familiar? This is the complex situation we are living in right now.
The only solution that works everywhere is the password. So we have to accept that passwords will be in use for a while. That shouldn't be a problem if we can hide them from end users as much as possible and use technology for secure passwords. You also don't need to know how a car works to be able to drive safely from A to B. However, this does require a broad change in behavior.
Future vision: how the government should teach good behavior
Just like we give children a phased traffic education - from not just crossing the street as a toddler, to the primary school bike exam, to driving theory and practical lessons - digital safety should receive the same step-by-step approach. Because digital safety is like brushing your teeth: not fun, not sexy, but necessary. And just like brushing your teeth, if you do it wrong, you'll definitely notice it later. But by learning it early and step by step, it becomes second nature and will benefit you for the rest of your life.
The solution? The government must ensure that digital safety is included in education as naturally as traffic education:
- Elementary school: What is an account, how do you create one with a password manager, and how do you log in with a password manager?
- High school: What is a digital identity, what is privacy, and how do you manage/protect them both?
The reality: unlearning wrong behavior
Actually, we've all learned the wrong digital habits: using the same weak passwords everywhere, never cleaning up accounts, not distinguishing between important and less important accounts.
For organizations, it is very important that employees unlearn wrong behavior and use better passwords because it makes the organization less vulnerable. Many organizations therefore decide to invest in a technical solution such as a password manager.
Unfortunately, purchasing a password manager alone is not effective. The onboarding of such a password manager often goes like this: an email is sent saying that the tool is available, maybe there is a short demonstration in a meeting, and then everyone is expected to spontaneously invest time in transferring all their passwords properly. What is then forgotten, and that is the really worrying thing, is that employees are not asked to replace passwords with strong, unique alternatives.
The result? Our measurements show that after such a purchase, up to 5% of employees use the password manager. Not because employees are lazy, but because no one has guided them in this underestimated behavioral change. Sending an email that a tool is available is just as effective as giving a child a toothbrush and hoping that they will spontaneously learn to brush properly.
A lot is being done about awareness training, but what is actually necessary is guidance in unlearning unsafe behavior and learning safe habits. Here, the employer plays a crucial role because it can make behavioral change part of the job. In addition to a technical solution such as a password manager, employers must therefore also invest in behavioral change: free up time for training, provide personal guidance, and reward safe habits instead of just punishing unsafe behavior. Our measurements show that this is very effective.
Conclusion
If we do teach our children to lock their bikes, why don't we teach them how to secure their digital life? The answer is simple: because we never learned it ourselves.
We treat digital safety as if it comes naturally, while recognizing the need for learning and practice for every other skill in life.
The generation that grows up with tablets and accounts deserves better than our improvisation. They deserve the same phased approach that we take for granted in road safety: start early, build step by step, and impart the habits for life.
Because digital safety is not achieved with technology alone, but also requires digital skills that can be easily learned.