## Summary

Key Concepts: Cybersecurity, internet safety, privacy
Credits: Ben Finio, PhD, Science Buddies

## Introduction

Do you have your own email or social media accounts? If so, you probably use a password to log into them. How did you pick your password? Is it something that might be easy for someone else to guess, like the name of your pet? This fun activity will teach you about password security and how to pick a stronger password.

This activity is not recommended for use as a science fair project. Good science fair projects have a stronger focus on controlling variables, taking accurate measurements, and analyzing data. To find a science fair project that is just right for you, browse our library of over 1,200 Science Fair Project Ideas or use the Topic Selection Wizard to get a personalized project recommendation.

## Background

Imagine a suitcase lock with three number wheels on it. Each wheel contains digits 0-9, so you can pick any three-digit number as the combination. Since each wheel has 10 digits, there are 10 × 10 × 10 = 1,000, or 10³, possible combinations. If you add a fourth wheel, now there are 10 × 10 × 10 × 10 = 10,000, or 10⁴, possible combinations. What if you used the letters a-z instead of numbers 0-9 for the three-wheel lock? Then there would be 26 characters for each wheel, so there would be 26 × 26 × 26 = 17,576, or 26³, possible combinations. Adding more digits, or more characters per digit, greatly increases the number of possible combinations. This makes it very difficult for a human to guess the combination.

However, computers can try to guess passwords much faster than a human can guess a physical lock combination. A fast computer can try millions of passwords per second. That is why passwords should usually be long (at least 8 characters) and made up of different types of characters, including numbers, symbols, and upper and lowercase letters. A short password made only of lowercase letters might be very easy for a computer to guess. This activity will demonstrate how shorter passwords made up of fewer types of characters are easier to guess than longer passwords with more types of characters. Since humans will be doing the guessing, the passwords will be very short (just one or two digits), but remember that real-life passwords should be much longer.

Also note that there are other general password safety rules that you should follow. Just because a password is long and mixes letters and numbers does not mean it won't be easy to guess. For example, your name followed by your birthday could be easy for someone who knows you to guess. There are also many commonly used passwords like "password", "qwerty" or "123456789" that you should avoid. Do a web search for "most common passwords [year]" where [year] is the current year (e.g. 2015) and you should be able to find a list of this year's most common passwords.
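The lock arithmetic above, applied to real passwords: the added example below (not part of the original activity) sizes the search space from the character types a password uses, estimates how long exhausting that space would take at an assumed rate of one million guesses per second, and applies the caveat that a password on a common-password list is guessed immediately no matter how it is built. The one-year "weak/strong" cut-off, the guessing rate and the three-entry common-password list are constructed assumptions.

```python
import string

# Character classes the activity names: lowercase, uppercase, numbers and symbols.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),   # 26 characters
    "uppercase": set(string.ascii_uppercase),   # 26 characters
    "digits": set(string.digits),               # 10 characters
    "symbols": set(string.punctuation),         # 32 characters
}

# Constructed sample list; the page names these three as commonly used passwords.
COMMON_PASSWORDS = {"password", "qwerty", "123456789"}

# Assumed guessing rate ("millions per second" on the page); one million is a placeholder.
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365 * 86_400   # assumed cut-off: exhaustible within a year = weak


def search_space(charset_size, length):
    """Possible combinations, exactly like the lock wheels: charset_size ** length."""
    return charset_size ** length


def charset_size_of(password):
    """Size of the smallest mix of classes a guesser must cover to include this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every password in the space at `rate` guesses per second."""
    return search_space(charset_size_of(password), len(password)) / rate


def assess(password):
    """Brute-force estimate plus the page's caveat: a listed password has a space of 1."""
    if password.lower() in COMMON_PASSWORDS:
        return {"space": 1, "seconds": 0.0, "verdict": "common password, guessed at once"}
    space = search_space(charset_size_of(password), len(password))
    seconds = space / GUESSES_PER_SECOND
    verdict = "weak" if seconds < SECONDS_PER_YEAR else "strong"
    return {"space": space, "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    for pw in ("abc", "abcdefgh", "aB3!aB3!", "Qwerty"):
        print(pw, assess(pw))
```

Eight lowercase letters (26⁸ combinations) are exhausted in about 2.4 days at this rate, while eight characters drawn from all four classes (94⁸) take roughly 190 years; the character-class count is only a ceiling, since a name followed by a birthday has far fewer likely values than its class mix suggests.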

## Materials

• A friend or family member

## Instructions

1. In this activity you will compete in a series of password "duels" against an opponent. The catch: each person will have to follow different rules for thinking of a password. The rules determine how many total possibilities there are for that person's password. Will passwords with more total possibilities be harder to guess?
2. To start, tell your opponent that you will think of a number between 1 and 10. Tell your opponent to think of a letter between a-z. These are your "passwords" (remember that real-life passwords are much longer, the passwords in this game are very short so the activity does not take forever). Which type of password do you think will be harder to guess?
3. Now, take turns trying to guess the other person's password. You can decide who gets to go first. Then, keep alternating until one person's password is guessed. Whose password was guessed first? How many guesses did it take?
4. Repeat the duel four more times, for a total of five rounds. Each time, you should think of a number from 1-10, and your opponent should think of a letter from a-z. The rounds are totally independent, meaning it is OK to re-use the same password if you want. Does one type of password seem easier to guess than the other?
5. Now, switch roles. You think of a letter from a-z, and your opponent thinks of a number from 0-10. Repeat 5 more rounds. Which type of password gets guessed more frequently?
6. Now, change the rules for the passwords. You will think of a letter from a-z, and your opponent will think of a number from 0-100. How many possibilities are there for each type of password?
7. Repeat 5 more rounds of the game, then switch roles and do 5 more rounds. Which type of password is harder to guess? Does having more total possibilities make a password harder or easier to guess?

Extra: Keep a tally mark of how often each type of password is guessed, and make a graph of your results. Which type of password is guessed the most often? The least often? To get enough data for a good graph, you might need to do more duels with your opponent, or get other people to join and collect all the data.

Extra: Try the activity with other rules for passwords. For example, what if someone is allowed to pick a number 0-9 or a letter a-z? What about a two-digit password made of numbers or letters (for example, "a7")? Pit different combinations of password rules against each other in duels, and keep track of all your results.

## Observations and Results

You should find that passwords with fewer total possibilities are easier to guess than those with more possibilities. For example, in the first matchup where one person thinks of a number 0-10 and the other person thinks of a letter a-z, the person with a number 0-10 will usually (but not always) "lose" the duel. Depending on how quickly you guess back and forth, each duel should take less than a minute.

Because of the random nature of guessing, it is important that you do enough duels to see this trend, which is why we suggest doing at least 10 of each type of duel. If you only do a couple of duels, there is a higher chance that one person will "get lucky" and guess the other person's password, even if that person has the more difficult password type (as an analogy, think about flipping a coin: if you only flip a coin twice, there is a relatively high chance that you will get two heads or two tails. However, if you flip a coin 1,000 times, your results should be very close to 50/50).

You should find that very short (1 or 2 digit) passwords work best with this activity for young students. Longer passwords (3 digits or more) have so many possibilities that they generally take a very long time for a human to guess, so students may lose interest in the activity. For a computerized version of the activity, see the "More to explore" section.
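A computerized version of the duel, added here as an example rather than taken from the original activity: it works out the exact chance that the player with fewer possibilities loses (for the 10-number versus 26-letter matchup it is 43/52 when the letter player guesses first and 41/52 otherwise), simulates many duels to show the trend emerging only with enough rounds, and gives the average number of guesses needed. Player names, the seed and the duel counts are constructed for the demonstration.

```python
import random
from fractions import Fraction


def loss_probability(n_a, n_b, a_guesses_first):
    """Exact chance that A's password (n_a possibilities) is guessed before B's
    (n_b possibilities) when both players guess without repeating. The guess that
    finds A's password is equally likely to be B's 1st, 2nd, ..., n_a-th guess."""
    total = Fraction(0)
    for k in range(1, n_a + 1):
        if a_guesses_first:
            still_safe = max(0, n_b - k)        # A's first k guesses must all miss
        else:
            still_safe = max(0, n_b - k + 1)    # A's first k-1 guesses must all miss
        total += Fraction(still_safe, n_b)
    return total / n_a


def duel(n_a, n_b, a_guesses_first, rng):
    """Play one duel as in the instructions; return the loser, 'A' or 'B'."""
    pw_a, pw_b = rng.randrange(n_a), rng.randrange(n_b)
    order_for_a = list(range(n_a)); rng.shuffle(order_for_a)   # B's guesses at A's password
    order_for_b = list(range(n_b)); rng.shuffle(order_for_b)   # A's guesses at B's password
    k_a = order_for_a.index(pw_a) + 1   # guess number on which A's password falls
    k_b = order_for_b.index(pw_b) + 1
    if a_guesses_first:
        return "A" if k_a < k_b else "B"    # equal k: A's k-th guess came first, B loses
    return "A" if k_a <= k_b else "B"


def simulate(n_a, n_b, duels, seed=0):
    """Fraction of duels A loses, alternating who guesses first each round."""
    rng = random.Random(seed)
    losses = sum(duel(n_a, n_b, i % 2 == 0, rng) == "A" for i in range(duels))
    return losses / duels


def expected_guesses(n):
    """Average number of guesses to hit a password with n equally likely values."""
    return Fraction(n + 1, 2)


if __name__ == "__main__":
    print("exact, letter player guesses first:", loss_probability(10, 26, False))
    for rounds in (2, 10, 1000):   # few rounds swing wildly, many settle near 0.81
        print(rounds, "duels: number player lost", simulate(10, 26, rounds, seed=1))
    print("average guesses to find a 1-10 number:", expected_guesses(10))
```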

### Careers

• Cryptographers, also called cryptologists and cryptanalysts, develop the encryption algorithms that keep our modern online transactions, like emails and credit card purchases, safe from prying eyes. Even if information or a message is stolen, as long as it is encrypted, the person who stole it cannot read it! Cryptographers also work to test and break these algorithms, to check them for weaknesses and vulnerabilities. They even analyze and decipher codes used by terrorists and foreign…
• Have you ever seen a story on the news about how a company or government agency was "hacked" and people's personal information, like names, addresses, or credit card numbers, was stolen? It is an information security analyst's job to prevent that from happening. Organizations hire information security analysts to analyze possible threats against their computer systems, which can range from malicious hackers trying to steal data to careless employees who accidentally forget to log out of a…
• In movies and in the media, computer hackers are often portrayed as the bad guys—criminals who steal money or important information. What if you could be a good hacker? Somebody whose job is to find security flaws in computer systems; but rather than exploiting them for personal gain, you help fix the problems before criminals can find them? That is what penetration testers—also called "white hat" or "ethical" hackers—do. Companies pay them to intentionally try to break into…
• Security incident responders, also called intrusion analysts or incident response engineers, are like the "firefighters" of the cyber world. Companies can take steps to safeguard their computer networks and systems, but sometimes prevention is not enough and cyber attacks still happen. Sensitive data like customer credit card information can be stolen, entire websites could be brought down or altered, or personal contact information can be leaked. When this happens, incident responders must act…
