Creating Strong Passwords

Students will learn about how weak passwords can be discovered by cyber thieves and how that compromises their personal information. Students will learn strategies to help create strong passwords when creating online accounts.

Learning Goals

Students will learn the difference between weak and strong passwords, and some misconceptions about passwords that may have been considered “secure”. They will learn about different ways people are able to learn others passwords and ways to protect their private passwords in a world that increasingly requires online interaction and often multiple online accounts.

Guiding Questions

1. How many passwords do you have across different accounts?
2. How much do you consider the security of your information when signing up for a new service or creating a new user ID and password?

Curriculum Links

This module can connect with the Computer Studies curriculum.

Vocabulary

Phishing

“Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.” (Wikipedia contributors. “Phishing.” Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 15 Oct. 2018. Web. 15 Oct. 2018.)

Brute Force Attack

A “brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.” (Wikipedia contributors. “Brute-force attack.” Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 15 Oct. 2018. Web. 15 Oct. 2018.)

Malware

“Malware” is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it’s a virus, spyware, et al.” (Moir, Robert. “Defining Malware: FAQ.” Microsoft Docs, 31 Mar. 2009, docs.microsoft.com/en-us/previous-versions/tn-archive/dd632948(v=technet.10)., 15 Oct 2018.)

Why is having a strong password important?

It is very important to keep your personal information and identity safe. Having your information fall into the hands of cyberthieves can have serious consequences. Cyberthieves look to find information they can use to get more information that can then be used to steal your identity. With enough information they can steal from you and do illegal things in your name.

Though some of the passwords from the introductory activity may look complex, they are easy for computers to crack.

How do cyberthieves get people’s passwords? (4 different types of attacks)

Phishing Pages

• Phishing pages are web pages that are disguised to look identical to trusted sources, like banks, shopping sites etc. Targets of this attack are often sent an email or even text message that disguise themselves as people the target knows or a request from a trusted institution, such as your bank. With some urgency, targets are directed to click a link to “verify” information by entering your personal details. This fake website then captures those details for attackers.
• Phishing emails can also carry attachments that include malicious files. Those files can install malware that can capture your keystrokes to send to third parties to use on the sites you visit.
• Phishing pages and phishing attacks are successful due to social engineering techniques that play on people’s weaknesses in creating trust even in circumstances that seem unusual or misleading.
• See more about social engineering in phishing on this infographic

Brute Force Attack

• A brute force attack uses computer programs to try as many combinations as possible to guess a password.
• These programs can check thousands of combinations in a single second.
• This attack can take a long time to find a password, and the best defense against it is a long and complex password.

Dictionary Attack

• A dictionary attack also uses computer programs and is similar to a brute force attack but uses acquired information about the target to focus the attack.
• For example, if the hacker knows the target’s birthday and the name of their pet, they may use those in a series of combinations. They can also use information such as likes, names of family and other pieces of information that are commonly but unsafely used as passwords.
• Using targeting techniques such as these makes it a much quicker attack than a brute force attack.

Shoulder Surfing/Guessing Attacks

• Shoulder surfing is the act of looking over people’s shoulders while they are entering sensitive information on an ATMs, computers/laptops or mobile phones.
• Precautions as simple as being aware of your surroundings and ensuring you are vigilant about protecting your screens and entered PIN numbers (covering with your hand, having your back against a wall when using a laptop), you can effectively protect yourself from these types of attacks.
• For passwords, having a long, complex password that aren’t easily captured at a glance can also protect you.

What is considered a strong password?

Length

• Length is the most important element in creating a difficult password to crack.
• Sufficient length for a password is one as long as you can remember. Passwords with eight characters are not long enough. The minimum length for the basis of a strong password is 12 to 16 characters.
• The difference between a short password, even with special character complexity, and a long password, is that takes it takes a computer program more time to crack the longer password.

Not exact words or phrases

• Although there can be some similarity if there is sufficient length, it is important to not use exact phrases from popular songs, poems, speeches etc. Password thieves can use databases of these in their password cracking software.

Combination of letters (upper and lower), numbers, special characters (a.k.a. complexity)

• Adding in a combination of different character types adds complexity to your passwords, but it only makes a significant difference if your password is of sufficient length.

Using your strong passwords (don’t use the same one in more than one place)

You should never use the same password on two different accounts. Cyberthieves know it is a common practice and will use verified email/user id and password combinations on a multitude of popular sites to gain access to additional accounts. The more accounts that can be accessed the more likely identity theft and other losses could occur.

Pros and cons of strong passwords

• Pro: More complex to discover, even for a computer.
• Cons: Hard to remember, hard to use.

Tools that can help you with remembering passwords and keeping them safe

Password Managers

• Using a password manager such as the open source KeyPass allows you to store all your passwords in a strongly encrypted database environment, needing only to remember one master password to unlock your entire database. They also include strong password generators to help keep your accounts safe.

Two-Step Authentication

• This type of verification requires you to have a password as well as access to another device or account where the login system can send you a code for one-time use. A common example of this is getting a text message to an authorized phone number you added to the account you are logging in to. This reduces the risk of password theft as the thief would need to have your password, plus another element (often a physical element like a phone) to unlock your account.

Remember, even strong passwords do not protect you from being fooled by phishing attacks. If a text or email feels wrong and is leading you to give up sensitive information, verify it is from a legitimate source before clicking on any links or opening attachments that could be unsafe.

Activity

Write these examples of passwords on the board/screen:

• Password
• QWERTY
• Ilovemycat
• 13579
• L33t
• W3lc0m3
• uPPerC^5e
• #9057648961#
• MarvelInfinityWars

How strong are these passwords? Are they secure? What is weak about these passwords?

Use this as an opportunity to have students go through their passwords on various accounts (email, social media) and ensure their passwords are the most secure they could be. Consider…

• Longer passwords are much harder to break than shorter ones (even if the shorter ones have more character complexity.)
• Longer passwords with character complexity are the start of safer passwords.
• Be vigilant against phishing attacks and keep your passwords safe.
• Use two-step authentication when possible and consider a password manager if you have trouble remembering long and complex passwords.

Encourage students to consider changing any weak passwords. Encourage them to protect their private information and question untrusted people’s requests for information, no matter how innocent it seems.

Strong versus weak passwords

Use the following examples and ask students if they are strong or weak passwords and why. If they are weak, is there a way they can be changed?

• Princess123
• U856wf-@D8f2
• Bpa?DXX29!U8ndzP
• LetMeInThisT1m3
• itsyBitsySpider
• jelly22fi$hk1tteNLunch5
• Ros3sar3r3d
• Axis#47B/\/\/\/\

How to remember complex passwords

Write some complex passwords on the board. Can the students think of some tricks to remember these passwords more easily?

• Comic – A famous comic on this topic, but somewhat outdated. Passwords need some complexity.
• How to pick a proper password video
• Great infographic on phishing and social engineering

Social Media Resources

• Troy Hunt – A security expert who has testified in front of Congress on the impact of data breaches.