# Facilitator/Educator Guide: Password Duel

### Background Information

Students who are old enough to have their own email or social media accounts may be familiar with basic guidelines for creating passwords. Many websites will suggest rules to help you create passwords, such as:

- Avoid using common passwords that are easy to guess, like "password" or "123456789."
- Avoid using personal information that might be easy for someone who knows you to guess, like your pet's name or your birthday.
- Use a combination of uppercase and lowercase letters, symbols, and numbers.
- Make sure your password is long enough (usually at least 8 characters is recommended).

This activity will investigate the last two points. Passwords that are too short are vulnerable to a "brute force" attack, where a computer simply tries to guess all the possible passwords. For example, imagine a combination lock like this one:

**Figure 1.**Sample combination lock. (

*Image credit Wikimedia Commons user JuliaFromIT*)

The lock has three wheels with numbers 0–9, or 10 possibilities for each individual wheel. That means that there are 1,000 possible combinations for the entire lock (10×10×10, or 10^{3}). It might take a while for a human to try all 1,000 combinations on a physical lock, but a computer can make thousands, or even millions, of guesses per second. So, 3-digit passwords that consist only of numbers would be a very poor choice for a computer system or website.

Now imagine adding the lowercase letters a–z to each wheel, in addition to the numbers 0–9. Now there are 36 possibilities for each wheel instead of 10. That means there are 46,656 (36×36×36, or 36^{3}) possible combinations. Adding more characters to each wheel dramatically increases the number of possible combinations, making the password much harder to guess.

Now imagine adding a fourth wheel to the same lock. This brings it up to 1,679,616 possible combinations (36×36×36×36, or 36^{4})—significantly more than a human could ever guess! As you add more wheels to the lock, and more characters to each wheel, the number of possible passwords keeps going up, making the password harder and harder to guess. But remember that computers can guess much faster than humans. Even with millions of possible combinations, it might only take a few seconds or minutes for a computer to guess the password. This is why most websites recommend that passwords be a minimum of 8 characters long. There are 94 characters on your keyboard, so an 8-character password has 94^{8}, or over 6 *quadrillion* possibilities. Even for a fast computer that can make 1 million guesses per second, it would take nearly 200 years to guess every possible password.

However, that does *not* mean that just because a password is long that it will automatically be safe. Most websites also recommend that passwords contain a combination of uppercase and lowercase letters, numbers, and symbols. If a thief is trying to guess passwords completely at random, then "a$Hy8Tj0" is just as likely as "abcdefgh". However, the latter password consists only of lowercase letters and has an easily recognizable pattern. That means it might be much easier for a person to remember, but that also makes it easier to guess.

Since this activity will involve humans trying to guess each other's passwords and needs to work in a reasonable classroom time frame, the "passwords" will be very short (just one or two characters, as described in the "Science Activity" section). However, it will still demonstrate the mathematical concept that as you add more digits or more available characters for each digit, the total number of possibilities for a password goes up, making it harder to guess.

### For Discussion

- Ask your students about passwords in general. Why are passwords used at all? Why do they think passwords are important? Can they think of physical analogies for passwords (like keys to a house or a combination to a locker)?
- Ask about their personal password use. What do they have passwords for? How do they come up with their passwords? Caution them not to reveal their actual passwords out loud or give away other information that could help people guess their passwords (like "I use my dog's name").
- Ask your students if they can think of rules for "strong" passwords that are hard to guess, like those listed in the Background Information section. Are they aware of the guidelines? If so, do they actually follow them?
- Ask your students if they think that longer passwords, or passwords with more types of characters, are harder to guess. For example, what is harder to guess: a 3-digit number or a 6-digit number? What about a 3-digit password of only lowercase letters, or a 3-digit password of upper and lowercase letters and numbers?
- Optional: Discuss other aspects of password security. For example, you should not use the same password for multiple websites or accounts, and you should not share your passwords with anyone or write them down.

### Materials

#### Needed for preparing ahead:

- Paper and pencil for each student (if you decide to have them write down their passwords, see step 2 in the "Science Activity" section)
- Whiteboard/chalkboard or posterboard

#### Needed at the time of the activity:

- Stopwatch
- Even number of participants divisible into 3 or 4 groups. For example, 16 participants will work because you can split into 4 groups of 4. 15 participants will not work—even though you can split into 3 groups of 5, when you pair up for the "duels," you will have one person left over.
- If you have an odd number of students, you or another adult can join the activity.
- If you cannot get the right number of participants, you may have to ask students to take turns sitting out individual rounds.
- The activity will work better with larger groups of students. For small groups (12 or less), you may need to repeat the activity multiple times to get enough data, which will add about 10 minutes per repetition.

### What to Do

#### Prepare Ahead (< 10 minutes)

- Write Table 1 on the chalkboard. Fill in the first three columns, but leave the last column blank for now. Your students will help fill that in after the activity.
*Note*: If your class size is divisible by 3 and not by 4, then you can eliminate one of the middle groups (Password Type B or C). Remember that you or another adult can participate if necessary.

Password Type | Rules | Examples | Total Possibilities |
---|---|---|---|

A | 1-digit, numbers 0–9 only | 0, 1, 2... | 10 |

B | 1-digit, lowercase letters a–z only | a, b, c... | 26 |

C | 1-digit, numbers 0–9 or lowercase letters a–z | 0, 1, 2, a, b, c... | 36 |

D | 2-digit, numbers from 0–99 | 00, 01, 02... | 100 |

**Table 1.**Rules and examples for the different types of passwords.

- Write Table 2 on the chalkboard. You will use this table to collect data as your class does the activity.

Password Type | Total Guessed |
---|---|

A | |

B | |

C | |

D |

**Table 2.**Data table in which to tally how many of each type of password are guessed.

#### Science Activity (10-20 minutes)

- Split the class into four equally sized groups with team names (or three groups, as described previously). Students will be getting up and walking around, so the physical locations of the groups do not matter. Avoid using the letters A, B, C, and D for the team names, in order to avoid confusion with the types of passwords. These directions will use red, green, blue, and yellow teams as an example.
- Explain to your students that the game will consist of rounds where they are paired against someone from another group and have to try to guess their opponent's password in a "password duel." There are four (or three) password types for the game; and for each round, each group will have to think of a password from one of the types. For example, in Round 1 students on the red team will have to pick a type A password, and students on the green team will have to pick a type B password. The goal is to see if some passwords are harder or easier to guess than others overall. The groups will rotate through password types, so everyone will get a chance to try each one.
- Have students create their passwords. Ultimately, each student will pick four passwords (one of each type). There are two decisions you can make regarding how to do this: whether students think of their passwords all at the beginning or before each round, and whether they memorize their passwords or write them down. These options will not affect the outcome of the activity, but will affect classroom management during the activity, so you can decide what is best, based on your students' needs:
- Creating passwords all at once vs. one at a time: Have students create four passwords (one of each type) in advance,
*or*have them think of a new one before each round (based on their group's current assignment). Creating them all in advance might make the activity flow more smoothly, but it may be difficult for students to remember all four if they are not written down (see next point). - Writing down passwords vs. memorizing: Have students write the passwords down (either all four in advance, or one before each round, depending on previous point),
*or*only have them memorize the passwords. Writing them down has the advantage of keeping the students honest and resolving any disputes over guessing, but may be a concern if you think students will try to peek at each other's passwords.

- Creating passwords all at once vs. one at a time: Have students create four passwords (one of each type) in advance,
- Assign a different password type to each group for the first round. For example, "Red team is type A, green team is type B, blue team is type C, yellow team is type D."
- Have members of each group pair up with someone from another group. You cannot pair up with someone from your own group. Try to make sure the group pairings are about evenly distributed; for instance, make sure everyone from the red team does not pair up with everyone from the green team. Students might need your help with this and you might need to re-organize a few pairs. There are six possible matchups (red vs. green, red vs. blue, red vs. yellow, green vs. blue, green vs. yellow, and blue vs. yellow). If you have at least 12 students, then you should have at least one of each matchup. If you have more than 12 students, you might have "extras" of some matches. For example, you might have two "red vs. green" pairs, but only one "green vs. blue" pair. This is okay, and any extra matches of each type should average out over multiple rounds of the game. Make sure everyone knows what group their "opponent" is in and what password type that group is using for this round, so they know how to guess.
- Explain that students in each pair will have 1 minute to take turns guessing the other person's password. If a student guesses their opponent's password, they "win" that round and the other person should stop guessing. This rule applies to each pair individually, meaning each pair should keep guessing until a password is guessed or time runs out. After 1 minute has elapsed, you will announce "STOP" and everyone should stop guessing.
- Establish rules for who gets to guess first. For example "red team gets to guess first, followed by green team, then blue, then yellow" (and rotate through these rules each round, so everyone gets a chance to guess first).
- Announce "ready...GO" and start the timer. Students should take turns trying to guess each other's passwords.
- Stop the timer after 1 minute and announce "STOP." Some pairs might not have guessed either student's password yet. This is okay.
- Use Table 2 to keep a tally of how many passwords were guessed for each type. For example, say "Raise your hand if you had password type A and your password was guessed" and repeat for each password type.
- Now, rotate each group to a new password type for the next round. For example, if in the first round, the red group used password type A, then in the next round they will use password type B. If necessary, you can use a table like Table 3 to keep track of which group had which password type in each round.

Round | Group and Password Type | |||
---|---|---|---|---|

Red | Green | Blue | Yellow | |

1 | A | B | C | D |

2 | B | C | D | A |

3 | C | D | A | B |

4 | D | A | B | C |

**Table 3.**Method to keep track of which group had which password type in each round.

- Repeat steps 5–11 three more times, for a total of four rounds. Remember that depending on what you decided in step 3, you might need to pause for students to think of new passwords each time.
- In order to collect enough data, it is recommended that you repeat steps 5–12 at least one more time, for a total of 8 rounds. Due to the random nature of creating and guessing passwords, the trends in the results might not be visible if you do not perform enough trials (conceptually, this is similar to how if you only flip a coin twice, you are not guaranteed to get one heads and one tails; but if you flip a coin 1,000 times, your results will be very close to 50% heads and 50% tails). For small groups of students, you might need to repeat the activity more than once. Use your discretion based on how much time you have available and whether obvious trends are appearing in your tally marks.
- Make a bar graph (or have your students make the graph) using the data from Table 2, showing total number of passwords guessed vs. password type.
- Have your students fill in the fourth column of Table 1 (how many total possibilities there are for each type of password). Make another bar graph using this data, showing the total number of possibilities vs. password type.
- Have your students compare the two bar graphs. How do they compare? What does this show? (the graphs should show that passwords with fewer total possibilities are guessed more frequently than those with more total possibilities).
- As a closing, remind students that this activity is scaled down drastically to work in a format where humans can try to guess the passwords in a reasonable time frame. They should
*never*pick a one- or two-character password in the real world, or limit it to only numbers and lowercase letters. Re-iterate real-world password rules, such as being at least 8 characters long and using both uppercase and lowercase letters, numbers, and symbols.

### Expected Results

The results should show the longer the password and the more possible characters it can contain, the harder it is to guess. In the most extreme case for this activity, a student with password type A (1 digit, numbers 0–9 only, the weakest type) will usually "lose" a match against a student with password type D (2 digits, numbers 0–9, the strongest type). There are only 10 possibilities for type A, so it is very easy to just cycle through all of them in under 1 minute. However, there are 100 possibilities for type D, so they are much harder to guess. When you make the bar graph, you should see that type A passwords were guessed the most, followed by types B, C, and then D. Figure 2 shows an example bar graph of what your results might look like.

**Figure 2.**An example graph showing typical results. Due to the random nature of the activity, your graph will not look exactly like this one.

Remember that due to the random nature of the activity, your graph may not look exactly the same, especially if you do not repeat enough rounds; it might be especially difficult to see the difference between types B and C, since their total number of possibilities are relatively close (26 and 36). For example, your graph could look like Figure 3. This is why it is recommended that you repeat the activity several times in order to collect more data.

**Figure 3.**For a small number of rounds, there is a chance the results will be confusing to students. The results in this graph show that password type C was guessed more frequently than type B, even though type C has more possibilities. This is analogous to flipping a coin. If you flip a coin twice, there is a relatively high chance that you will get two heads or two tails, instead of 50/50 heads and tails. However, if you flip a coin 1,000 times, your results will trend toward 50/50. Unless you are doing the activity with older students who understand probability in this manner, it is best to do multiple rounds so you can collect more data and your results will converge toward the ideal trend shown in Figure 2.

### For Further Exploration

- Expand the activity to allow additional characters (like uppercase letters) or longer passwords. You will need to increase the time limit for each round as the passwords become more complex, but there are limits to what you will be able to do in a reasonable classroom time frame.
- Collect passwords used in this activity from the entire class. Are there any common passwords that students seemed to pick more frequently than others overall? For example, for type A passwords, is the number 3 more popular than the number 7? Or does the distribution of passwords seem to be random? How does this relate to real-world passwords?
- Ask students what they think some of the most common real-world passwords are. Many news agencies update and publish this list every year (it typically contains things like "password" and "123456789"), so you can do an internet search to find a list for the current year and compare it to your students' guesses.
- Ask students about the challenges of picking and maintaining strong passwords for multiple accounts. Strong passwords might be the most secure, but also the most difficult to remember. Many times this makes it tempting to write passwords down, but that creates the risk that someone will find your written passwords. Can students think of any tricks or tips for remembering long, complicated passwords?
- Discuss what practical steps some websites take against brute-force password attacks. For example, many sites will "lock out" a user after three incorrect password attempts.
- Have students make graphs showing how the total number of possible passwords increases as you change either the password length or the number of available characters:
- Keep the password length fixed (for example, 8 digits), but change the available number of characters (for instance, numbers only, lowercase letters only, numbers and letters...). How does the total number of possibilities change as you increase the available number of characters?
- Keep the available character set fixed (for example, all 94 characters on the keyboard), but change the password length. How does the total number of possibilities change?
- For advanced students (who have had algebra), you can ask them to describe the shape of each graph (linear, polynomial, exponential etcetera.).

- If your classroom has access to computers, you can use a free programming language called Python to do an electronic version of this activity. This allows you to greatly increase the length and complexity of the passwords, since computers can guess much faster than humans. See the Science Buddies project Password Security: How Easily Can Your Password Be Hacked? for reference.

### Credits

Ben Finio, PhD, Science BuddiesSponsored by a generous grant from EMC