Young children routinely authenticate themselves with alphanumeric passwords but are probably not ready to use such passwords due to their emerging literacy and immaturity. They might adopt insecure coping tactics, which could become entrenched. Because children have a superior pictorial recognition ability, graphical authentication mechanisms will likely represent more suitable mechanisms for this demographic. We propose and study KidzPass, a configurable graphical authentication framework that one can use to tailor these mechanisms for children of different ages. We carried out two empirical investigations with four- to five-year-old children and with six- to seven-year-old children using personalized images as secrets (familiar faces and self-drawn doodles). KidzPass proved efficacious and our younger (four- to seven-year-old) participants mostly preferred it to text passwords. The personalized images maximize memorability but take significant time to obtain. As children mature, it might be possible to replace personalized images with generic images. Thus, we carried out a final empirical study with older children using generic images (that we chose). From this study, we found that generic images can indeed be viable if they display particular qualities, which we enumerate. From our experiences and the research literature, we conclude by providing principles to inform efforts to design and evaluate age-appropriate authentication mechanisms for young children from both an ethical and a technical perspective.