## Overview

Do your students have their own online accounts like email or social media? What about a login for the school computers? If so, they might have to pick passwords. Have *you* ever had trouble creating (and forgetting) good passwords? This fun lesson plan involves a guessing game that can teach your students how to make their passwords harder to guess. Learn how to keep your accounts safe!

## Learning Objectives

- Understand that allowing more characters for a password results in more possible combinations for that password
- Demonstrate that a password with more possible combinations is harder to guess

## Materials

- Stopwatch (one for entire class)
- Pencil and paper (for each student)

## Background Information for Teachers

*This section contains a quick review for teachers of the science and concepts covered in this lesson.*

You might be familiar with the rules most websites require for creating a "strong" password. They typically must be at least 8 characters long, and have various other requirements (for example, you must use at least one uppercase letter, one number, and maybe one symbol). These rules might seem silly, but there is reasoning behind them. Hackers know that certain types of passwords—especially ones that are all numbers (like "123456789") or all lowercase letters (like "qwerty," "abcdefgh," or "password")—are used commonly. They might try these passwords first when they attempt to break into someone's account. This is called a **dictionary attack** because it uses a "dictionary" of common passwords. Rules requiring that you use a mix of letters, numbers, and symbols force you to avoid these types of passwords.

What if a dictionary attack doesn't work? Hackers might try a **brute force attack**, or guessing every single possible password. For example, imagine that you are trying to crack a suitcase or bicycle lock with three number wheels, each one 0–9. You could try guessing every single possible combination by starting at 000, then 001, then 002, ...all the way up to 999. That will work eventually, but it will take you a while! It would take even longer if the lock had four or five number wheels.

The same concept applies to computer passwords. For example, a two-character password, with only lowercase letters (26 letters in the English alphabet) has $26 \times 26 = 26^{2} = 676$ possibilities for the password (for each possible choice for the first character, there are 26 possible choices for the second character). Any single attempt at randomly guessing the password only has a 1 out of 676 chance of being right. Including lower *and* upper case letters (52 possibilities for each character) yields $52 \times 52 = 52^{2} = 2{,}704$ possibilities. Doubling the number of possible characters *more* than doubled the number of possible passwords! Now, any single guess only has a 1 out of 2,704 chance of being right. As you continue to add characters (e.g., numbers and symbols) and make the passwords longer, the number of possibilities becomes enormous (see Table 1). There are 95 characters on a standard English keyboard (counting upper/lowercase letters, numbers, and symbols). If your password has to be at least 8 characters long, that gives $95^{8}$, or over six *quadrillion* possibilities!

Number of possible password combinations for different character sets

| Password length | Numbers only (0–9) | Examples | Lowercase letters only (a–z) | Examples | Upper/lowercase letters, numbers, symbols (a–z, A–Z, 0–9, `@#$%`...) | Examples |
|---|---|---|---|---|---|---|
| 1 | 10 | `3` | 26 | `h` | 95 | `A` |
| 2 | 100 | `45` | 676 | `sh` | 9,025 | `h2` |
| 3 | 1,000 | `628` | 17,576 | `iql` | 857,375 | `g%3` |
| 4 | 10,000 | `1973` | 456,976 | `bqof` | 81,450,625 | `vL*6` |
| 5 | 100,000 | `14850` | 11,881,376 | `lnkoq` | 7,737,809,375 | `r03@B` |
| 6 | 1,000,000 | `355698` | 308,915,776 | `zmpqla` | 735,091,890,625 | `a2&M1s` |
| 7 | 10,000,000 | `8415268` | 8,031,810,176 | `rvynimw` | 69,833,729,609,375 | `v98(Q!i` |
| 8 | 100,000,000 | `82145669` | 208,827,064,576 | `xwvrnymu` | 6,634,204,312,890,620 | `L3$7bv~0` |

**Table 1.** Number of total possible passwords for different lengths and character sets.

In this project, your students will split up into pairs and play a "guessing game" to simulate hackers trying to guess a password, except the game is not fair! One student must pick a number 0–9 (10 possibilities) as a "password," and the other student will pick a number *or* a letter, 0–9 or a–z (36 possibilities). So, when playing the game, one student has a 1 in 10 chance of guessing the password with any given guess, and the other student only has a 1 in 36 chance. You would never use a one-character password in real life, but this ensures that the game can be completed in a reasonable amount of time in a classroom setting. The game will demonstrate how allowing more choices for each character makes a password stronger, or more difficult to guess.
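The following Python simulation is an added example, not part of the original lesson plan. It plays the one-character guessing game many times for both character sets and compares the average number of guesses with the theoretical value. It assumes the guesser never repeats a guess; the function names and the number of rounds are choices made for this example.

```python
import random
import string

DIGITS = string.digits                                     # 0-9: 10 choices
DIGITS_AND_LOWER = string.digits + string.ascii_lowercase  # 0-9, a-z: 36 choices


def keyspace(charset_size, length):
    """Number of possible passwords of this length (exact integer)."""
    return charset_size ** length


def guesses_needed(secret, charset, rng):
    """Guess in a random order without repeats; return how many guesses it took."""
    order = list(charset)
    rng.shuffle(order)
    return order.index(secret) + 1


def average_guesses(charset, rounds, seed=0):
    """Play `rounds` games, each with a fresh randomly chosen secret."""
    rng = random.Random(seed)  # fixed seed so the classroom demo is repeatable
    total = 0
    for _ in range(rounds):
        secret = rng.choice(charset)
        total += guesses_needed(secret, charset, rng)
    return total / rounds


def expected_guesses(charset_size, length=1):
    """Average guesses when every password is equally likely
    and no guess is repeated (assumption): (N + 1) / 2."""
    return (keyspace(charset_size, length) + 1) / 2


if __name__ == "__main__":
    for name, charset in (("0-9", DIGITS), ("0-9 + a-z", DIGITS_AND_LOWER)):
        simulated = average_guesses(charset, rounds=20000)
        print(f"{name:10} simulated {simulated:5.2f}   "
              f"expected {expected_guesses(len(charset)):5.2f}")
    # Each extra character multiplies the work by the charset size.
    for length in range(1, 5):
        print(f"length {length}: digits {keyspace(10, length):>6,}   "
              f"digits+letters {keyspace(36, length):>9,}")
```

With more rounds the simulated averages settle closer to the expected values, which is also why pooling the whole class's results gives a clearer picture than a single pair's game.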