Password Process

Prior to beginning the activity, you will want to cut up slips of paper for the participants to avoid having to do this during Section 1.

1. Have participants take a minute to consider the worst possible password (easiest to guess) that they can think of (not one they actually use hopefully). Once they each have an example or two, have them write them on a whiteboard or flip paper so that all the examples can be shared with the group.
2. Discuss as a group what aspects of these passwords make them bad? Length? Simplicity? This will help participants to begin to consider what makes a good or a bad password. How does commonality or composition contribute to this?
3. Share with the participants the list of “Worst Passwords of 2016”, included below. Note how all (except #18) of the top 20 are simple words or sequences of numbers with very few layers of complexity. Modern computers can attempt > 2 billion passwords a second, that is why building more complexity into the password is important.
4. Ask the group to brainstorm possible ways to add complexity to the password. Write the participants’ ideas on the whiteboard to document them. Fill in the gaps with some common methods that include:
   • Mixture of upper and lower case letters
   • Numbers
   • Symbols
   • Increasing the length, while remaining something that is memorable
   • Significant complexity comes when you layer all 4 of the above with:
     • No consecutive letters, numbers or symbols (fff, GGG, @@@, 333)
     • No sequential letters, numbers or symbols (bcd, 3456, !@#$%)
     • No personal references (people, animals, birthdays or places)
     • A passphrase with a number of words interspersed with numbers and symbols

1. Participants should now take a few minutes to create a new password, one they would like to share with others, to participate in the password challenge competition. This actively allows them to apply the discussion into practice
   • Note that students should not use any passwords that they actually use and passwords created today should not be used in the future.
2. Once they are ready, they should write this password on a slip of paper and exchange with their partner. With their partner’s password, each participant now scores the new password based on the attached Password Scoring Table. This Scoring Table evaluates the strength of the password to give it a score based on complexity and use of various features.
3. Once completed participants should write their password and score on the whiteboard for discussion:
   • Were you surprised by your score and where it fell in terms of the rest of the participants?
   • What made the “best” password for the group so good?
   • What makes a password something you can remember?
4. Give the participants a minute or two to re-work their password. Can they alter it easily to get a better score? This gives participants another opportunity to apply their knowledge and improve their skill set.

1. Ask the participants to consider the WHY? Why do these features make a good password? What makes a password hard to hack? What is even done with the passwords once they are entered into a website? Once the participants have described some ideas, introduce the concept of hashing. This can be done using either a video describing the process or verbally:
   • Hashing Video
2. Have the participants try using a rudimentary hash function using the attached Hashing Function sheet. Participants will use their newly created passwords and hash them using the hashing table included. This process will show them how a hash function could process inputs. This builds towards an understanding of the need for hashing functions, why they are different and how they can work to change a password
3. Discuss how this rudimentary hash function has issues with collisions. This is when the hash function produces the same hash for 2 (or more) different inputs. The simpler the hash function is the more likely it is that this will happen. Ideally a hash function can produce more characters in its output than characters that were put in. This can be done in a number of ways, including introducing math operations.
4. Once the participants have used the Hashing function sheet, it is time for them to build their own hashing function. Working with a partner, construct a hashing function to protect passwords. Consider how the function might deal with:
   • Various lengths of passwords? Long passwords
   • Different character types – UPPER case, lower case, symbols, numbers, spaces?
   • Repeating letters,numbers or symbols
   • Similar passwords, such as ‘Dog’ and ‘Bog’
   • How can you reduce the number of collisions your hashing function makes?
   • Test out the hash function using the following word list:
     • Cat, Hat, Car, PASSword, PA$$worD
5. Each participant should now use their hash function to process a new secret password. Partners then exchange their hashed values and try to decipher it knowing how the hash function works. This is key to seeing how difficult a hashing functions (even simple ones) are to break through. Most participants will struggle to find the original input password.

• Discuss how well this process worked.
  • Were you successful at deciphering the hash of your partner?
  • If you receive someone elses hash and did not know the hash function, would you be able to determine the original password?
  • Use of computers allows billions of combinations a second, would your hashing function stand up to this type of attack? What changes might you need to make?
• Describe the drawbacks of using simple hash functions:
  • Collisions are the biggest issue. The simpler the hash function is the more likely it is that this will happen and the more likely that the security of the data can be compromised . As a result professional security hashes use very long and very complicated hashing functions. As these are computed by programs and not humans, they can be processed very quickly, despite the complexity.
  • Additionally, it is desirable for hash functions to be slow to process. The average user is not going to notice a half second wait when they enter their password during login, but if a hacker is trying 2 billion passwords a second, extending each one by a half a second makes the process a lot longer.

Close the activity with a summary video (if possible). This video is an extension of the first and describes how hashes can be made more secure, leading to hackers looking for other ways to attempt to steal passwords.

How might you adapt the time, space, materials, group sizes, or instructions to make this activity more approachable or more challenging?

• Ways to male this activity more challenging:
  • Limit password length to 10 characters for the password competition.
  • Have participants swap hashing functions and try to “break them” by finding collisions.
  • Learn more about ciphering and how hashing can be further secured using encryption. See Actua lesson – Codemakers Level up with CS

• Ways to make this activity more approachable:
  • Share the Password scoring table with participants before the activity.
  • Work through the rudimentary hashing function with the participants.
  • Work in groups of 4 instead of groups of 2.
  • Instead of designing their own hashing function, participants can improve the rudimentary one to reduce the number of collisions. This could be done as a group activity.