Password Duel

You might be familiar with the rules most websites require for creating a "strong" password. They typically must be at least 8 characters long, and have various other requirements (for example, you must use at least one uppercase letter, one number, and maybe one symbol). These rules might seem silly, but there is reasoning behind them. Hackers know that certain types of passwords—especially ones that are all numbers (like "123456789") or all lowercase letters (like "qwerty," "abcdefgh," or "password")—are used commonly. They might try these passwords first when they attempt to break into someone's account. This is called a dictionary attack because it uses a "dictionary" of common passwords. Rules requiring that you use a mix of letters, numbers, and symbols force you to avoid these types of passwords.

What if a dictionary attack doesn't work? Hackers might try a brute force attack, or guessing every single possible password. For example, imagine that you are trying to crack a suitcase or bicycle lock with three number wheels, each one 0–9. You could try guessing every single possible combination by starting at 000, then 001, then 002, ...all the way up to 999. That will work eventually, but it will take you a while! It would take even longer if the lock had four or five number wheels. The same concept applies to computer passwords. For example, a two-character password, with only lowercase letters (26 letters in the English alphabet) has 26×26=26²=676 possibilities for the password (for each possible choice for the first character, there are 26 possible choices for the second character). Any single attempt at randomly guessing the password only has a 1 out of 676 chance of being right. Including lower and upper case letters (52 possibilities for each character) yields 52×52=52²=2,704 possibilities. Doubling the number of possible characters more than doubled the number of possible passwords! Now, any single guess only has a 1 out of 2,704 chance of being right. As you continue to add characters (e.g. numbers and symbols) and make the passwords longer, the number of possibilities becomes enormous (see Table 1). There are 95 characters on a standard English keyboard (counting upper/lowercase letters, numbers, and symbols). If your password has to be at least 8 characters long, that gives 95⁸, or over six quadrillion possibilities!

In this project your students will split up into pairs and play a "guessing game" to simulate hackers trying to guess a password, except the game is not fair! One student must pick a number 0–9, (10 possibilities) as a "password," and the other student will pick a number or a letter; 0–9 or a–z (36 possibilities). So, when playing the game, one student has a 1 in 10 chance of guessing the password with any given guess, and the other student only has a 1 in 36 chance. You would never use a one-character password in real life, but this ensures that the game can be completed in a reasonable amount of time in a classroom setting. The game will demonstrate how allowing more choices for each character makes a password stronger, or more difficult to guess.