Key concepts
Technology
Cybersecurity
Internet safety
Privacy
Introduction
Do you have your own email or other online account? If so, you probably use a password to log in. How did you pick your password? Is it something that might be easy for someone else to guess, like the name of your pet? This fun activity will teach you about password security and how to pick a good password.
Background
Imagine a suitcase lock with three number wheels on it. Each wheel contains digits zero through nine, so you can pick any three-digit number as the combination. Because each wheel has 10 digits, there are 10 × 10 × 10 = 1,000, or 10³, possible combinations. If you add a fourth wheel, now there are 10 × 10 × 10 × 10 = 10,000, or 10⁴, possible combinations. What if you used the letters A-Z instead of numbers zero through nine for the three-wheel lock? Then there would be 26 characters for each wheel, so there would be 26 × 26 × 26 = 17,576, or 26³, possible combinations. Adding more digits, or more characters per digit, greatly increases the number of possible combinations. This makes it very difficult for a human to guess the combination.
However, computers can try to guess passwords much faster than a human can guess a physical lock combination. A fast computer can try to guess millions of passwords per second. That is why passwords should usually be long—at least eight digits—and made up of different types of characters including numbers, symbols and upper and lowercase letters. A short password made only of lowercase letters might be very easy for a computer to guess. This activity will demonstrate how shorter passwords made up of fewer types of characters are easier to guess than longer passwords with more characters. Since humans will be doing the guessing, the passwords will be very short (just one or two digits), but remember that real-life passwords should be much longer.
Also note that there are other general password safety rules that you should follow. Just because a password is long and mixes letters and numbers does not mean it won't be easy to guess. For example, your name followed by your birthday could be easy for someone who knows you to guess. There are also many commonly used passwords like "password", "qwerty" or "123456789" that you should avoid.
Materials
- A friend or family member
- Pen or pencil and paper (optional)
Preparation
- In this activity you will compete in a series of password "duels" against an opponent. The catch: each person will have to follow different rules for thinking of a password. The rules determine how many total possibilities there are for that person's password. Will passwords with more total possibilities be harder to guess?
Procedure
- To start, tell your opponent that you will think of a number between zero and nine. Tell your opponent to think of a letter from A to Z. These are your "passwords" (remember that real-life passwords are much longer; the passwords in this game are very short so the activity doesn't take too long). Which type of password do you think will be harder to guess?
- Now, take turns trying to guess the other person's password. You can decide who gets to go first. Then, keep alternating until one person's password is guessed. Whose password was guessed first? How many guesses did it take?
- Repeat the same duel four more times, for a total of five rounds. Each time, you should think of a number from zero to nine, and your opponent should think of a letter from A to Z. The rounds are totally independent, meaning it is okay to re-use the same password if you want. Does one type of password seem easier to guess than the other?
- Now, switch roles. You think of a letter from A to Z, and your opponent thinks of a number from zero to nine. Repeat for a total of five rounds. Which type of password gets guessed more frequently?
- Now, change the rules for the passwords. You will think of a letter from A to Z, and your opponent will think of a number from zero to 100. How many possibilities are there for each type of password?
- Repeat for a total of five rounds of the game, then switch roles and do five more rounds. Which type of password is harder to guess? Does having more total possibilities make a password harder or easier to guess?
- Extra: Keep a tally mark of how often each type of password is guessed, and make a graph of your results. Which type of password is guessed the most often? The least often? To get enough data for a good graph, you might need to do more duels with your opponent, or get other people to join and collect all the data.
- Extra: Try the activity with other rules for passwords. For example, what if someone is allowed to pick a number zero to nine or a letter A to Z? What about a two-digit password made of numbers or letters (for example, "A7")? Pit different combinations of password rules against each other in duels, and keep track of all your results.
Observations and results
You should find that passwords with fewer total possibilities are easier to guess than those with more possibilities. For example, in the first matchup where one person thinks of a number zero to nine and the other person thinks of a letter A to Z, the person with a number zero to nine will usually (but not always) "lose" the duel. Depending on how quickly you guess back and forth, each duel should take less than a minute.
Because of the random nature of guessing, it is important that you do enough duels to see this trend, which is why we suggest doing at least 10 of each type of duel. If you only do a couple of duels, there is a higher chance that one person will "get lucky" and guess the other person's password, even if that person has the more difficult password type. As an analogy, think about flipping a coin: if you only flip a coin twice, there is a relatively high chance that you will get two heads or two tails. However, if you flip a coin 1,000 times, your results should be very close to 50:50.
You should find that very short (one or two digit) passwords work best with this activity. Longer passwords (three digits or more) have so many possibilities that they generally take a very long time for a human to guess.
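Added example (not part of the original activity): a short Python simulation of the duel that compares the exact odds with simulated results and shows how often a five-round series points the wrong way. It assumes each guesser tries every possibility once in random order and that a coin flip decides who guesses first; all function names are made up for this illustration.

```python
import random
from fractions import Fraction
from math import comb

def exact_p_a_first(n_a, n_b, a_attacked_first):
    """Exact chance that password A (n_a possibilities) is guessed before
    password B (n_b possibilities) when guessers never repeat a guess."""
    hits = 0
    for k_a in range(1, n_a + 1):  # A falls on its attacker's k_a-th guess
        # B must last at least as long; if both fall on the same guess
        # number, the password that was attacked first in the round loses.
        first_safe_k_b = k_a if a_attacked_first else k_a + 1
        hits += max(0, n_b - first_safe_k_b + 1)
    return Fraction(hits, n_a * n_b)

def play_duel(n_a, n_b, a_attacked_first, rng):
    """Simulate one duel turn by turn; return 'A' or 'B' for the password
    that was guessed first."""
    secret_a, secret_b = rng.randrange(n_a), rng.randrange(n_b)
    tries_a = rng.sample(range(n_a), n_a)  # guess order, no repeats
    tries_b = rng.sample(range(n_b), n_b)
    for turn in range(max(n_a, n_b)):
        a_hit = turn < n_a and tries_a[turn] == secret_a
        b_hit = turn < n_b and tries_b[turn] == secret_b
        if a_hit and b_hit:
            return "A" if a_attacked_first else "B"
        if a_hit or b_hit:
            return "A" if a_hit else "B"
    raise AssertionError("unreachable: every secret is in its guess list")

def simulated_rate(n_a, n_b, duels, seed=1):
    """Fraction of duels in which password A fell first."""
    rng = random.Random(seed)
    lost = sum(play_duel(n_a, n_b, rng.random() < 0.5, rng) == "A"
               for _ in range(duels))
    return lost / duels

def misleading_series(p_a_first, rounds=5):
    """Chance that A falls first in fewer than half of `rounds` duels,
    so the smaller password space looks like the stronger one."""
    return sum(comb(rounds, k) * p_a_first**k * (1 - p_a_first)**(rounds - k)
               for k in range((rounds + 1) // 2))

if __name__ == "__main__":
    # "zero to 100" is 101 possibilities, not 100.
    for name, n_a, n_b in [("digit vs letter", 10, 26), ("letter vs 0-100", 26, 101)]:
        p = (exact_p_a_first(n_a, n_b, True) + exact_p_a_first(n_a, n_b, False)) / 2
        print(f"{name}: exact {float(p):.3f}, simulated {simulated_rate(n_a, n_b, 20000):.3f}, "
              f"5-round series misleads {float(misleading_series(p)):.3f}")
```

For the digit-versus-letter duel the digit password falls first about 81% of the time, yet roughly one five-round series in twenty still makes the digit look like the stronger password.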
More to explore
Password Security: How Easily Can Your Password Be Hacked?, from Science Buddies
Password Duel, from Science Buddies
Memory Trick Increases Password Security, from Scientific American
NOVA Cybersecurity Lab: Explore the world of coding, cyber scams and online safety, from Scientific American
Science Activities for All Ages, from Science Buddies
This activity brought to you in partnership with Science Buddies