
Password Duel

Summary

Grade Range: 3rd-5th
Group Size: 2 students
Active Time: 30 minutes
Total Time: 30 minutes
Area of Science: Computer Science
Key Concepts: Cybersecurity, probability
Credits: Ben Finio, PhD, Science Buddies

Overview

Do your students have their own online accounts like email or social media? What about a login for the school computers? If so, they might have to pick passwords. Have you ever had trouble creating (and then remembering) good passwords? This fun lesson plan involves a guessing game that can teach your students how to make their passwords harder to guess. Learn how to keep your accounts safe!

Learning Objectives

Materials

Background Information for Teachers

This section contains a quick review for teachers of the science and concepts covered in this lesson.

You might be familiar with the rules most websites require for creating a "strong" password. They typically must be at least 8 characters long, and have various other requirements (for example, you must use at least one uppercase letter, one number, and maybe one symbol). These rules might seem silly, but there is reasoning behind them. Hackers know that certain types of passwords—especially ones that are all numbers (like "123456789") or all lowercase letters (like "qwerty," "abcdefgh," or "password")—are used commonly. They might try these passwords first when they attempt to break into someone's account. This is called a dictionary attack because it uses a "dictionary" of common passwords. Rules requiring that you use a mix of letters, numbers, and symbols force you to avoid these types of passwords.

What if a dictionary attack doesn't work? Hackers might try a brute force attack, or guessing every single possible password. For example, imagine that you are trying to crack a suitcase or bicycle lock with three number wheels, each one 0–9. You could try guessing every single possible combination by starting at 000, then 001, then 002, ... all the way up to 999. That will work eventually, but it will take you a while! It would take even longer if the lock had four or five number wheels. The same concept applies to computer passwords. For example, a two-character password, with only lowercase letters (26 letters in the English alphabet) has $26 \times 26 = 26^2 = 676$ possibilities for the password (for each possible choice for the first character, there are 26 possible choices for the second character). Any single attempt at randomly guessing the password only has a 1 out of 676 chance of being right. Including lower and upper case letters (52 possibilities for each character) yields $52 \times 52 = 52^2 = 2{,}704$ possibilities. Doubling the number of possible characters more than doubled the number of possible passwords! Now, any single guess only has a 1 out of 2,704 chance of being right. As you continue to add characters (e.g. numbers and symbols) and make the passwords longer, the number of possibilities becomes enormous (see Table 1). There are 95 characters on a standard English keyboard (counting upper/lowercase letters, numbers, and symbols). If your password has to be at least 8 characters long, that gives $95^8$, or over six quadrillion possibilities!

Number of possible password combinations for different character sets
| Password length | Numbers only (0–9) | Examples | Lowercase letters only (a–z) | Examples | Upper/lowercase letters, numbers, symbols (a–z, A–Z, 0–9, @#$%...) | Examples |
|---|---|---|---|---|---|---|
| 1 | 10 | 3 | 26 | h | 95 | A |
| 2 | 100 | 45 | 676 | sh | 9,025 | h2 |
| 3 | 1,000 | 628 | 17,576 | iql | 857,375 | g%3 |
| 4 | 10,000 | 1973 | 456,976 | bqof | 81,450,625 | vL*6 |
| 5 | 100,000 | 14850 | 11,881,376 | lnkoq | 7,737,809,375 | r03@B |
| 6 | 1,000,000 | 355698 | 308,915,776 | zmpqla | 735,091,890,625 | a2&M1s |
| 7 | 10,000,000 | 8415268 | 8,031,810,176 | rvynimw | 69,833,729,609,375 | v98(Q!i |
| 8 | 100,000,000 | 82145669 | 208,827,064,576 | xwvrnymu | 6,634,204,312,890,620 | L3$7bv~0 |
Table 1. Number of total possible passwords for different lengths and character sets.

In this project your students will split up into pairs and play a "guessing game" to simulate hackers trying to guess a password, except the game is not fair! One student must pick a number 0–9 (10 possibilities) as a "password," and the other student will pick a number or a letter, 0–9 or a–z (36 possibilities). So, when playing the game, one student has a 1 in 10 chance of guessing the password with any given guess, and the other student only has a 1 in 36 chance. You would never use a one-character password in real life, but this ensures that the game can be completed in a reasonable amount of time in a classroom setting. The game will demonstrate how allowing more choices for each character makes a password stronger, or more difficult to guess.
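The following Python sketch is an added example, not part of the original lesson plan. It computes the password counts discussed above and works out how lopsided the 10-versus-36 duel is, both exactly and by simulation. The function names, the no-repeated-guesses rule, and scoring a round by "whose password falls in fewer guesses" are assumptions made for this illustration.

```python
import random
from fractions import Fraction

DIGITS = "0123456789"                            # 10 choices, as in the lesson
DIGITS_AND_LETTERS = DIGITS + "abcdefghijklmnopqrstuvwxyz"  # 36 choices

def keyspace(charset_size, length):
    """Total possible passwords, e.g. 26 letters, length 2 -> 676."""
    return charset_size ** length

def expected_guesses(n):
    """Average guesses to find one secret among n when no guess is repeated."""
    return Fraction(n + 1, 2)

def p_weak_cracked_first(weak, strong):
    """Exact chance the weak-side secret is found in strictly fewer guesses.

    Assumes weak <= strong and that each side's guess count is uniform on
    1..size (guesses made in random order, never repeated).
    """
    total = Fraction(0)
    for a in range(1, weak + 1):
        total += Fraction(1, weak) * Fraction(strong - a, strong)
    return total

def guesses_needed(charset, rng):
    """Play one side: pick a secret, guess in random order until it is hit."""
    secret = rng.choice(charset)
    order = rng.sample(list(charset), len(charset))
    return order.index(secret) + 1

def simulate(rounds=20000, seed=1):
    """Monte Carlo check of p_weak_cracked_first for the 10 vs 36 duel."""
    rng = random.Random(seed)
    wins = sum(
        guesses_needed(DIGITS, rng) < guesses_needed(DIGITS_AND_LETTERS, rng)
        for _ in range(rounds)
    )
    return wins / rounds

if __name__ == "__main__":
    print("keyspace 26^2:", keyspace(26, 2), " 52^2:", keyspace(52, 2))
    print("average guesses:", float(expected_guesses(10)), "vs", float(expected_guesses(36)))
    print("exact:", p_weak_cracked_first(10, 36), " simulated:", simulate())
```

Under these assumptions the digit-only password takes 5.5 guesses on average against 18.5 for the digit-or-letter password, and it is cracked first in 61 out of every 72 rounds.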

Prep Work (5 minutes)

Engage (5 minutes)

Explore (15 minutes)

Reflect (10 minutes)

Assess

Make Career Connections
