Passwords Y7-9

In this course you will learn about passwords, why they are important and how to make good ones.

1. Why are passwords important?

Why do we have passwords?

Think of two or three reasons why you need to have strong passwords that are hard for other people to guess and why you should not share your passwords with other people. If you can, discuss it.

What are some of the non-electronic security devices that people use to protect their possessions from being stolen or used by others?

You might have suggested: a lock on a locker, house (keys), bicycle (locks) or a diary (you might just put it under your bed)

All these are things that you lock up so no one can either steal things or see things that are private to you. For years and years people have wanted to stop others seeing their private things. 

It is the same online plus you have to make sure you are responsible for what is done online in your name. 

From ancient times to fairly recently people sealed their important documents with a wax seal stamped with their own "seal" to stop people prying.

When you are using electronic devices can you think of, and write down, a couple of times or instances when you use a password?

Why do we need passwords anyway?

Passwords protect your online accounts from being stolen or used by others. The older you get, the more important password security will become to you. Choosing good passwords will help you protect yourself and your family online, keep your grades and work private, and protect your bank accounts and online store accounts when you get them. They can stop other people pretending to be you and then doing something bad online - and you get the blame if they do that.

If it was sent from your computer or phone - you could get the blame, this might damage your reputation or hurt people.Click on the "i" for more information.

What do you think could happen if someone got hold of your password? (tick all that apply)

  • They would be able to "pretend" to be you online - and that could get you into big trouble and hurt your reputation.
  • They could steal information that belongs to you and use that to get into other accounts and take data or money or copy your work.
  • They could change your password and lock you out of your own account.
  • They might find out things about me that I don’t want anyone else to know.

2. How DO hackers get your passwords?

Firstly what is a hacker? Click on his head to find out more!

How hackers crack passwords: social engineering

Password cracking is one of the most common challenges for the bad guys online.  A hacker can use low-tech methods to crack passwords. These methods include using social engineering techniques, shoulder surfing, and simply guessing passwords from information that they know about the user. Hackers can also use very high tech methods to steal your information and passwords. 


Social engineering

The most popular low-tech method for gathering passwords is social engineering. Hackers take advantage of the trusting nature of people to gain information that can later be used maliciously. A common  technique is simply to con people into telling them their passwords. It sounds ridiculous, but it happens all the time.

For example, they can simply call a user and tell him that he has some important-looking e-mails stuck in the mail queue, and they need his password to log in and free them up. This is often how hackers and rogue insiders try to get the information!

A common weakness that can facilitate such social engineering in a business is when staff members’ names, phone numbers and e-mail addresses are posted on the company websites. Social media sites such as LinkedIn, Facebook and Twitter can also be used against a company because these sites can reveal employees’ names and contact information. At home they might pretend to be your bank or insurance company or say something is wrong with your computer. 

Social engineering can use phishing (sending emails that look official with malicious links), vishing (telephone calls that might, for example, say you have a problem with your computer) or impersonation (pretending to be someone else).

What can you do?

Awareness and regular reminders are great defenses against social engineering. Security tools like anti virus software are a good if they monitor downloads, e-mails and web browsing.

Look out for attacks and be on your guard!  Don't ever give out any information and alert the appropriate person at home or at school (or work) to see whether an enquiry is real and whether you should say anything.  At school no one should ask for your password. IT already have it if they need it!


Inference is simply guessing passwords from information they know about you— such as your date of birth, phone numbers or favourite car. It may sound silly, but criminals often determine their victims’ passwords simply by guessing them!

What can you do? 

The best defense against an inference attack is to create secure passwords that don’t include information which can be associated with you. This is your responsibility to remember the importance of secure password creation.

Shoulder surfing

Shoulder surfing (a hacker looking over your shoulder to see what you are typing) is an effective, low-tech password hack.


To mount this attack, the bad guys must be near their victims and not look obvious. They simply collect the password by watching either the user’s keyboard or screen when the person logs in.

An attacker with a good eye might even watch whether the user is glancing around his desk or seat for either a reminder of the password or the password itself. Security cameras or a webcam can even be used for such attacks. Coffee shops, learning centres and airplanes provide the ideal scenarios for shoulder surfing.

What can you do? 

Be aware of your surroundings and do not use passwords when you suspect someone is looking over your shoulder. If you suspect someone is looking over your shoulder while you are logging in, politely ask the person to look away or pretend to have forgotten the password and do something else.

Weak authentication (not using a secure system)

External attackers can obtain — or simply avoid having to use — passwords by taking advantage of older or unsecured operating systems that don’t require passwords to log in. The same goes for a phone or tablet that does not use a password. 

What can you do? 

The only true defence against weak authentication is to ensure your operating systems require a password on boot up (starting). To eliminate this vulnerability, at least upgrade to Windows 7 or 8. 

Hi tech hacking

A hacker sometimes uses a computer program or script to try to log in with possible password combinations, usually starting with the easiest-to-guess passwords or with words from the dictionary or maybe by downloading a keylogger (which captures your keyboard strokes) or other software onto your computer. 

What can you do? 

Don't use simple passwords or ones containing words that are easy to guess. You will learn more about this later (and even more in future years!)

Do not leave your computer turned on and unlocked when you are not using it. Do not click on links on websites or emails that might be a dodgy and keep your antivirus software up to date.

What can you remember? Fill in the gaps

Criminals often determine their victims' passwords by  them! Sometimes they might collect the password by   the user’s keyboard or their screen when the person logs in. Make sure all your computers and phones are   with a password and an up to date operating system (like Windows 7 or later). To stop hackers finding your password easily using create a hard to guess password and don't click on any links in emails from people you don't know. 

3. Strong Passwords

Creating a strong password

Perfect passwords checklist
This is important... To make a strong password, use this checklist 

My passwords: 
•     use both letters and numbers

•     use a minimum of 8 characters

•     don’t include any personal information (like your date of birth or name)

•     use special characters like brackets, £, & or %

•     use a mixture of CAPITALS and lower case letters

•    use a sentence or a line from a song/verse instead of just one word and only use the first letters of words from that sentence

•     make it easy  to remember (make a mnemonic)

•     have different passwords for online accounts

•     change passwords again every 6 months or so (use your online diary to remind you when to change)

Sounds straightforward... Don't write your password down! 

Now write this checklist out and save it in a document to remind yourself and your family.

How strong were your "pretend" passwords?

Write down two "pretend" passwords:

Make the first insecure - maybe a simple word/name and two numbers.

Make the second secure following the password guidelines. 

Open a new tab and go to 

Try both passwords and see what happens.

In the space below for your answer: write down your two "pretend" passwords (you wouldn't tell me your real password would you!?!) and how long it would take a computer to crack each one. What have you learnt? 

What have your learnt? Click which of these are true or false.

  • Use only letters or numbers
  • Use the first letter of words in a sentence or a line from a song/verse instead of just one word
  • Use special characters
  • Use a minimum of 6 characters
  • Don’t contain any personal information
  • Make a password difficult for you to remember

Finally. Do you think you have met the course objectives? Is there anything else you would like to know?

The objective of this course was to learn about passwords, how people might steal them and how to make good ones.