Password management for kids - what's a good way to start?

Maybe the lesson for children should be less about how to use tools to manage a password, and more about understanding why managing passwords is important?

Let them write their passwords in a notebook. Have fun with devising a method for obfuscation in case the notebook is lost. Teach them about backups: keeping a copy someplace safe. In my experience, kids and old people are a lot alike when it comes to password (mis)management.

Until they were skilled enough to manage their own password database, I also kept the kids' logins in a "family KeePass". This is the same one where the aged family members' stuff is, because people die and sometimes you need to recover things for otherwise unable people. The trust/risk calculus is different in a family group than in a work or social circle. There is also a difference between sharing access to a password and sharing a password.

It is awesome that you are thinking about this early. Good luck!

> Memorising a really strong master password is probably a bit much to ask

I disagree! I have a daughter who, at around 7, was able to quickly memorize a very strong password using the Diceware method for use in a password manager. This method picks several random words from a dictionary (typically) composed of 7,776 words. A mere 9 words is log₂(7776⁹) ≈ 116 bits.

If you use a password manager that supports password-strengthening with an algorithm like PBKDF2, you can reduce the length of the password even further. Using 262,144 (2¹⁸) hash iterations, you can increase the security of a 6 character password to log₂(7776⁶) + 18 ≈ 96 bits. An example password:

octopus handrail chasing hull shy ambition

That's not hard to remember! It does take some practice and it's not as easy as memorizing a weak password with just one or two words or the name of a pet, but it is something that a child, even a young child, is able to do. Some password managers support multiple equivalent master passwords, making it possible for you to keep a backup password until you are sure your daughter won't forget hers. Then you can revoke your own password so you don't need to have unnecessary access to her passwords.

> and she's likely to mislay any physical storage.

If you don't want to synchronize the password database, you can use a stateless password manager. This is a password manager which uses a combination of an identifier for the service you want to log into, as well as a single, strong master password. A stateless password manager works by hashing a concatenation of your master password and the service identifier. It has a few downsides, though:

  1. You can't change a site's password without changing the identifier or master password.

  2. If your master password is ever compromised, so are all your site passwords.

  3. The master password must be strong enough to resist attacks on its own.

If reliance on a storage device to hold the password database is simply unacceptable, then stateless password managers are absolutely the way to go. They can be very secure if used correctly.
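A sketch of the stateless derivation and the entropy arithmetic from the answer above, as an added example that is not part of the original post and not any particular product's algorithm. It swaps the bare hash of a concatenation for PBKDF2-HMAC-SHA256 with the service identifier as salt, at the 262,144 iterations the answer mentions; the function names, the `counter` parameter and the `example.com` identifiers are assumptions.

```python
import base64
import hashlib
import math

WORDLIST_SIZE = 7776   # Diceware list size quoted in the answer
ITERATIONS = 2 ** 18   # 262,144 PBKDF2 iterations, as in the answer


def effective_bits(words, iterations=1):
    """Guessing cost in bits: Diceware entropy plus log2 of the stretching work."""
    return words * math.log2(WORDLIST_SIZE) + math.log2(iterations)


def site_password(master, identifier, counter=1, length=20):
    """Derive a site password from the master password; nothing is stored."""
    # Assumption: identifier and counter together form the salt. Bumping the
    # counter is the only way to rotate one site's password (downside 1),
    # and the user has to remember which counter each site is on.
    salt = f"{identifier}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    # URL-safe base64 keeps the output typeable; 20 characters carry 120 bits.
    return base64.urlsafe_b64encode(key).decode()[:length]


if __name__ == "__main__":
    master = "octopus handrail chasing hull shy ambition"  # example from the answer
    print(f"9 words, no stretching : {effective_bits(9):.1f} bits")
    print(f"6 words, 2^18 rounds   : {effective_bits(6, ITERATIONS):.1f} bits")
    # Same inputs always give the same output, on any device, with no database.
    print("example.com     :", site_password(master, "example.com"))
    print("example.com (#2):", site_password(master, "example.com", counter=2))
    print("example.org     :", site_password(master, "example.org"))
```

Because every site password is a pure function of the master password, anyone who learns the master password can recompute all of them (downside 2), which is why the stretching and the word count matter here.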

"Logging in from multiple devices", if you do not own them, is one habit that would need to be stopped for general security.

Once you own all the devices in the scenario, one method that I saw for young people that was useful is to avoid dealing with passwords altogether: use the "forgot password" process.

If the device is owned and access to email is on the device, then you simply request a password reset link and use that. Nothing to remember.

Another method is to use an online, family password manager (LastPass has this feature, for instance). This feature is designed specifically for this problem, but it has a cost, and you might not like the cloud storage and multi-device syncing. But having this and managing it for your child might be worth it.

You could also teach a strong password pattern. Yes, patterns have an inherent and obvious vulnerability, but it is a method that can be considered for your personal risk assessment.

I'm a fan of the "password reset" process, myself.