- Be able to give examples of weak passwords.
- Be able to describe how weak passwords are easy for attackers to guess.
- Be able to describe why it’s a risk to use variations of the same password across different accounts.
- Be able to explain the dangers of giving honest answers to “security questions.”
- Be able to describe what makes a strong password.
- Be able to explain why the randomness of using dice or a book is effective at producing a secure passphrase.
- Produce a highly secure passphrase.
If you plan to have learners actually generate their own passwords and phrases, then they should bring their devices and have password managers installed on them (see module on password managers).
Learners should have a general understanding of what a web browser is, and familiarity with logging into a website.
GOTCHAS AND OTHER PROBLEMS YOU MIGHT HIT
- When making new passwords, there may be a few participants who will forget their new passwords. If people have changed the passwords for critical accounts or for their devices without memorizing their passwords, this activity may cause more harm than good.
- Consider suggesting people write down their passwords (on paper or in password managers). For those who write down their passwords, remind them to watch out for others peeking at their papers, and to keep these papers in a safe place!
- It is also worth looking into memory retention techniques for those who have trouble remembering their passwords, like mnemonics, creating illustrations or imagery to accompany the password in the course of their memorization, creating a funny story around the password, and so on.
- Some people may have trouble with typing long passphrases due to motor difficulties. If this is the case, provide accommodations for them to still participate, but perhaps loosen requirements on the exact number of words for the passphrase.
- Others may have trouble with a passphrase generated from the diceware or random dictionary word selection technique, perhaps due to issues with being able to spell the word. Consider making an accommodation by helping them to choose another more familiar, but still sufficiently random, word.
- XKCD comic about password strength and diceware passwords: https://xkcd.com/936/
WARMUP: Partner Introduction
Put up a slide with three questions:
Your name and preferred pronouns
What you ate for breakfast
What was the first time you created an account for a website? Did you make a password? If you feel comfortable sharing that first password, what was it?
Pair everyone off and have them tell each other their answers to the questions. Then, go around the room and have everyone introduce their partner to the room; e.g.: “This is Naima. She ate eggs for breakfast. The first time she made a password was in 3rd grade for a website for going on adventures with a cartoon pet. The password was ‘iamcool.’”
Things you’ll learn from this ice breaker:
- How social the participants are; how much they enjoy working in groups.
- Whether they all know what passwords are.
- How good they are at following instructions and remembering details.
Part of what’s fun about this icebreaker is that people are better at remembering than they think they will be. When you’re explaining how to remember a passphrase later on, you can remind them how easy it was to remember random details about their partners.
ACTIVITY: What is a Weak Password?
Facilitator can use a whiteboard for this activity, or jot comments down on a piece of paper during this activity
Narrow View: If Someone Knows You, What is a Weak Password?
Facilitator: “In your pairs over the next three minutes, I’d like you to take turns answering the following questions:”
“Have you been able to guess someone’s password before, based on things you knew about them, like when they were born, what their favorite animal is, what their favorite song is, or their interests?”
“Has someone ever shared their password with you, and you were completely unsurprised about what their password was?”
“Think about someone you know very well. Would you be able to answer their security questions on their behalf?”
After the pairs have discussed, the facilitator can check back in with the group. The facilitator can ask for volunteers to (without disclosing the password itself), share an anecdote of an “easy” or “unsurprising” password.
Facilitator: “Still in your pairs, I’d like you to discuss the following over the next two minutes: If someone was to do a Google search about your friend in that scenario, or to look at their social media accounts, or look around their desk for hints, would they be able to guess that friend’s interests? Would any of those interests lead them to hints for their passwords? Would any of those interests lead them to hints for their security questions?”
After the time allotted, the facilitator can check back in with the group.
Facilitator: “Show of hands: How many of you would be able to find out information about your friend’s passwords, based on the type of information that they are unaware they share about themselves?”
Wide View: If Looking at the Data, What is a Weak Password?
Facilitator: “What’s your guess: What are some of the most common passwords? In your pairs, over the next three minutes, I’d like for you to come up with at least five passwords that you feel the majority of people will pick. Which passwords do you think other people are likely to pick?”
Facilitator will check in with the group after the time is up. “What did you come up with in your pairs?”
Facilitator will write down the passwords on the board. The facilitator can occasionally ask: “Did anyone else have this password as one of their most common password guesses?” and highlight it (like by putting a star next to the word each time someone raises their hand).
Learners will likely come up with variations on the spelling of “password”, common placements of keys on the keyboard (“qwerty”), sequential numbers “123456”, commonly used phrases in pop culture like “open sesame” or something less appropriate, maybe even words included on the webpage like “admin”, and “Facebook.”
The facilitator can prompt the learners. “What about favorite sports? Favorite colors? Popular names? Quotes from a movie or book? Song lyrics?”
Facilitator: “In your pairs, I’d like you to discuss over the next minute: How do you think people are able to determine what the most common passwords are?”
Facilitator will check back in after the allotted time and ask for volunteers. “What did you come up with?” Facilitator will wait for participants to come up with the idea of a leak, or the breach of a website’s databases.
If there is a major database breach in the news (e.g. Yahoo! In 2013, Adobe in 2013, and LinkedIn in 2012), you can use it as a discussion point for why strong passwords are important, and why it’s important to have unique passwords across accounts.
ACTIVITY: What Can You Do With Weak Passwords?
Facilitator can then show the live site for HaveIBeenPwned.com, which has a huge database of passwords obtained from major breaches.
Facilitator: “Breaches can be very valuable sources of information in revealing people’s password habits. Unfortunately, the vast numbers of passwords show us that we are all quite predictable in how we choose these secret and valuable codes.”
[Facilitator can show a gif of what a dictionary attack looks like, or show what a password list looks like.]
Facilitator explains: “Let’s say that you just learn about a breach of a major social networking site, and the passwords, security questions, and answers, and the associated emails of a couple million users are now suddenly available as a downloadable file. And oh no! The website did not use strong encryption for this sensitive data. This is a lot of information. Let’s say, in this scenario, you are an attacker looking to make some money.”
Facilitator: “In your pairs, you have three minutes to discuss: What could you do with all these emails, security questions, and passwords? I’d like for you to come up with a few scenarios. What value would this information hold for you?”
Facilitator checks in after the time allotted, and asks the question again: “What did you come up with? How will you use those emails and passwords? How will you use those security questions and answers?” Facilitator waits for participants to respond. They may have a variety of answers, ranging from “look out for usernames of note,” “try to find someone valuable,” “share that information with a network of other attackers,” “try all these password combinations on other associated accounts,” and so on. Feel out where the discussion goes, and give participants the opportunity to think about how a malicious actor views their account details when it is at scale.
Facilitator: “Let’s talk a little bit about the capabilities of an attacker. This is a numbers game, and the attacker in this scenario is counting on humans being fairly predictable. Many people use the same password across different websites, maybe adding a few numbers at the end, or swapping a letter with a number. It is a fairly common practice for attackers to “brute force” their way into as many accounts as possible: that is, the attackers use passwords from these leaks across as many associated emails in different websites as possible. They’re able to do so fairly quickly with their computers plugging in the account information for them. They’re able to write a script for their computers to add those numbers at the end of passwords, or to swap numbers with letters, and so on. They’re able to pull from known common words, from common quotes and phrases.”
Facilitator: “You might remember [insert hack where millions of account passwords, IDs, and associated information were taken here—facilitator can browse news sites and share a screenshot of the headline, or browse around the breaches in HaveIBeenPwned]. When something like this breach happens, what can you do?”
Participants’ responses may range from: “nothing” and “delete your account,” to the more proactive suggestions of “monitor account information,” “set up two-factor authentication,” or “change your password.” The facilitator can encourage the latter three behaviors, and mention that users can take advantage of the three options if they are available for a given service.
Facilitator can use the suggestion of “change your password” to prompt the discussion of: what could you change your password to?
KNOWLEDGE SHARE: What is a strong password?
Facilitator: “Let’s say that you’ve decided to change your password. Keep in mind that you’ve learned:
We may pick passwords that are personally relevant to us and can be guessed by learning about our interests or histories,
Humans are fairly predictable in choices of passwords even when they aren’t directly related to our personal experiences,
We have a tendency to make predictable variations of the same password,
We tend to use the same or similar password across many sites,
The shorter a password is, the easier it is for a computer to guess.”
Facilitator will write the above constraints on the board, as a slide, or in another visible way.
Facilitator: “Considering these common weak experiences with passwords...What qualities might a strong password have? You have a minute to chat in your pairs.”
Facilitator checks back in with the group. Hopefully, participants arrive at similar conclusions: “long”, “random,” and “unique” are the keywords to look out for.
Facilitator should then write these qualities in a visible way:
“Passwords should be random, long, and unique for every site.”
The facilitator can show the XKCD comic illustrating this point. https://xkcd.com/936
Audience members may ask “But how am I supposed to possibly remember these random, unique and long passwords?” That serves as an excellent segue to teaching about password managers.
Walk learners through why bad passwords are easy to guess.
Common English words
Common English words with some letters turned into numbers
Names and dates
Patterns on the keyboard (even ones you think are clever)
- Show list of most popular passwords: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
Other points you can cover include:
- Show examples of really strong passwords.
- Discuss why you should never reuse a password for multiple sites or services.
- Discuss why a password manager is useful.
- Discuss the purpose of a master password or passphrase.
- Discuss remembering a passphrase.
ACTIVITY: Generate a Passphrase
There are a few options for leading participants through the process of creating a passphrase. One nice thing about these activities is that learners can participate in them even if they didn’t bring a computer or other device.
The following activities require learners to remember their new passphrases. Memorization is not realistic for everyone, and people may forget their new passphrases after the workshop. It may be useful to provide post-its and pens for learners to write down their new passphrases.
The facilitator may want to follow up with suggestions for memory-recalling measures, like using mnemonics (e.g. “Elephant Rainbow Novel” can be remembered by “ERN”), or creating a visual story around the passphrase (e.g. “I remember ‘Elephant Rainbow Novel’ by imagining an elephant walking on top of a rainbow, and reading a book at the end of the rainbow”).
Word selection from books
One option simply requires that you have a book for each learner, which makes it a great option for trainings in schools, libraries, or other places with a lot of books sitting around.
Close your eyes
Open your book to a random page
Put your finger somewhere on the page
Open your eyes and write down the word closest to your finger.
If the word is a very common (easy to guess) word, go back to step 1.
Repeat steps 1-5 four more times, giving you a total of five words.
Voila! You have a new passphrase.
KNOWLEDGE SHARE: Passphrase Generation with Diceware (optional)
Another option is a system called Diceware, where you use a set of 5 dice and a predetermined word list to generate a passphrase. We’re big fans of Diceware at EFF. We even created our own customized EFF dice set and our own word list. It can be a lot of fun for users with a certain kind of geeky sensibility.
That said, Diceware can also be intimidating for some participants. If you don’t have several sets of dice and word lists on hand, it can create an awkward lull while everyone is waiting for their turn.