Password Games: Understanding and Testing Online Passwords

By Amy Cowen on June 24, 2014 12:08 PM

Computer bugs and vulnerabilities like the Heartbleed bug provide frightening reminders of how important it is to set strong passwords online. Students can learn more about password practices and experiment with testing passwords by using and improving a password-guessing program written in Python.

How many possible passwords could be created from the lock above? How long would it take to crack a password on this lock? When you move to online passwords, you may have many more possible options for setting your password. How can you create passwords that are harder for a computer program to guess? Science projects at Science Buddies help students explore human behavior related to setting and remembering passwords—and let students learn more about computer science and programming by trying a password guessing program written in Python.

The Heartbleed bug detected a few months ago created a flurry of "change your password" warnings. The bug, a hole in popular opensource code that could let hackers grab chunks of server memory (including user login information) without leaving any trail, sat quietly for two years before it was discovered.

Heartbleed was a pervasive bug because many, many servers use OpenSSL, a tool used by sites, ironically, to help protect the transmission of sensitive information. Both the number of servers potentially affected by the bug and the fact that someone exploiting the bug (and stealing user information) could do so without being detected makes the bug particularly frightening.

Not every site and company was impacted by the Heartbleed bug, but many were. (According to some estimates, as much as 66% of the Internet was impacted by the Heartbleed security flaw.) Thankfully, news of the bug and checklists for sites for which users definitely needed to change their logins, traveled fast. Heartbleed was big news in both public and private circles. You may have even shared, retweeted, emailed, or texted warnings or public service announcements about Heartbleed to your own friends and family.

News of the Heartbleed bug immediately caused password and online security and privacy panic. While coders and server owners raced to patch the bug, users faced up to the fact that changing passwords was necessary. According to a recent Wired article, "Heartbleed triggered what was probably the single largest mass-password change in history: In response to the bug, some 86 million internet users in the U.S. alone changed at least one password or deleted an internet account."

After reviewing several charts of online sites that were affected by the Heartbleed bug, including many social media sites, I realized I didn't have a choice. To ignore the risk of the Heartbleed bug would be to bury my head in the sand. I needed to change passwords at least on some of the major sites I access frequently, sites that are part of my daily routine.

You may know that a simple password like "apple" is not a good idea. Neither is the name of your pet or your birth date. But what is a good password? How complicated does a password need to be to be safe from hackers? Is any password really unbreakable?

Taking a look at how passwords can be guessed can help answer that question. By experimenting with a password guessing program, students may better understand strategies to take to make sure passwords are as strong as possible.

Personal Password Protocol

Once upon a time, I used a single password for all of my logins. Gradually, a bit of paranoia crept into my approach as stories of identify theft began to rise and as the number of places requiring a login increased. Did I really want the same password at x gaming or shopping site as I use to access my bank? If someone hacks my email or my iTunes, to how many other accounts might they also gain access?

Along the way, I changed how I create my passwords, how many I use, and how I structure them.

Then there was Heartbleed.

Dealing with the Heartbleed bug was definitely not fun. Many of us have dozens and dozens of logins, possibly involving dozens and dozens of passwords. All those passwords add up!

In response to Heartbleed, I changed a handful of passwords in one afternoon. I jotted down a few of the changes on a slip of paper. (This probably wasn't the smartest choice.) I promptly lost the paper in moving between rooms and between computers. (More than a month later, I still have not caught sight again of that scrap of paper.)

When I next tried to use Facebook... bam. Trouble. I tried dozens of combinations and tweaks on my old password. Dozens of failed attempts. Lots of wasted time. I finally got in, and then repeated, amazingly, the same difficulty when I was prompted to log in again on another computer. And then again on my phone.

When I tried to log into one of several email accounts, my Instagram account, my Pinterest, I ran into password trouble at every turn. Because so many of my passwords differ, I repeatedly found myself at a loss trying to get logged back in, a process I had to repeat on every device I use.

Unfortunately, while I had trouble cracking my own passwords, even though I know the general parameters of how I set them and how I had tried to systematically change them, a hacker probably would not have nearly as much trouble breaking my passwords or yours.

Real-world Online Security

Password security is always something about which you want to be cautious, mindful, and protective.

In the movies, you often see people—on the well-intended side as well as on the criminal side—trying to figure out a password based on somewhat obvious details or identifying information about the person (like a child's name, a birth date, or a favorite rock band).

Off the big screen, guessing someone's password is not usually that easy. Most people are savvy enough about online security to use something less than obvious, to throw in some mix of capitalization, and to intermix numbers, letters, and symbols.

Guessing a friend or family member's password might be harder than you think, or even impossible—for you. But for someone applying technology to the process of stealing passwords, you might be surprised at how quickly a password can be broken by a bit of computer code.

A program isn't trying to "guess" the password the same way you might. Instead, a computer program may be coded to run systematically through all possible combinations to try and break your code.

Making Student Science Connections

Two science projects at Science Buddies tackle password security and guide students in an investigation of computer security behaviors and technologies.

Do People Use Different Passwords for Different Accounts? is a human behavior project in which students investigate password practices among groups of users. In this project, students survey people to better understand how different users think about, use, and create passwords for online sites and services. Do they use the same password everywhere? How many passwords do they have? What kinds of trends can be identified among users regarding password practices? (For more information about conducting survey-based science projects, see the Designing a Survey and Sample Size: How Many Survey Participants Do I Need? resources from the Science Buddies Project Guide. Don't overlook the ways in which your online connections and social media can be used to help broaden your survey pool!)

Password Security: How Easily Can Your Password Be Hacked? is a computer science project in which students take an inside look at how difficult (or not difficult) figuring out a password can be. By first thinking about a standard combination lock and doing the math to determine the number of combinations (and how much time it might take to test each one) and then moving on to thinking through the same process for more difficult kinds of locks, students look from the ground up at password construction and password cracking.

Using an introductory exercise in reading and writing Python code, the project guides students in an exploration of how computer routines can try and guess passwords. You can't use this code to steal someone's information from somewhere else, but you can have fun experimenting with guessing a password a friend inputs in the program code or testing the code to guess your own strings and compare the time it takes the program to guess different kinds of passwords. What makes it harder for the program to guess a password? What kind of password takes longest? Can this simple program crack the passwords you normally use? Can you come up with a password the program can't guess? You can also test the password guessing code to see if you can figure out a few sample passwords from Science Buddies.

Note: the project above is not designed to encourage students to try and write code that might steal user information. Instead, the project gives students a better understanding of how passwords can be systematically tested and guessed by software (even if millions of possible combinations have to be checked). The project also gives students a fun, real-world scenario in which to experiment with Python computer programming. Learning to run, edit, and revise the provided code involves installing Python, learning to interpret the code, and familiarizing oneself with the syntax specific to Python, which is important for students who may already have experience with other coding languages.

Memorizing Passwords

Keeping track of multiple passwords can be complicated, and as the number of passwords you use increases, so does the challenge of remembering them all! One strategy people often talk about in setting a password is to use the first letter of each word in a title or phrase. This kind of password is called a passphrase.

When using a passphrase password, you are using a memorable (you hope) sentence as a way to help you remember your password. People use similar approaches to help remember other strings of information. Mnemonic devices help people remember information by attaching the information to something more easily remembered. A silly sentence made from the first letters of the names of the planets, for example, may make it easier to remember the order of the planets than just trying to memorize the planet names in order.

The Memory Mnemonics science project guides students in an exploration of mnemonic devices and how they may help improve someone's ability to remember information. For a simplified family science activity version of this project, see Memory Science.

Protect Yourself Online

For additional information regarding best practices for online safety and privacy, see the Internet Safety Guide.

Support for resources and Project Ideas related to cybersecurity is provided by Northrop Grumman.

Support for Computer Science Project Ideas and Internet Safety information at Science Buddies is provided by Symantec Corporation.