Objective(s):
In this session, you will review with participants why we need strong passwords and how to create them and develop better password habits. You will also review why we need multi-factor authentication and how to use it.
Teaching points:
- Creating strong passwords;
- Managing passwords;
- Using multi-factor authentication (MFA).
Practical skills taught:
- Creating a strong password;
- Using different passwords for different accounts;
- Changing passwords regularly;
- Setting up a password manager;
- Setting up MFA;
- Setting up and storing back-up codes;
- Restoring your 2FA if your phone is lost.
Session length:
1 hour
Skill level:
Basic
Required knowledge:
Basic computer and email/social media literacy
Resources needed:
Projector, slides, paper, laptop connected to the internet, handouts, LastPass account for practical demonstration
Deck:
Handouts:
Quiz: My Passwords, Handout: Strong Password Anatomy, Activity Sheet: Creating a Strong Password
A. Setting the scene (15 min)
- Start the session by describing what it is about, situating the session among the other points of the CyberSTAR, and outlining what the participants will learn by the end of the session.
- Set the scene by asking participants:
  - How do they come up with passwords?
  - When was the last time they changed any of their passwords?
  - How do they remember all their passwords?
- Now discuss briefly what we protect with passwords:
  - Passwords provide secure access to important accounts such as email, banking accounts, social networking sites, etc.
  - These accounts often contain personal and sensitive information, sensitive communications, or access to money and important documents.
  - Passwords also provide access to a number of other things: Wi-Fi access points, unlocking mobile devices, logging in to computers, decrypting devices and files, and more.
- Ask participants what can happen if their passwords are compromised (remind them of Firefox Monitor / HaveIBeenPwned) and someone gets access to their accounts or devices. Ensure that the following key points are addressed:
  - Important information or documents could be stolen, modified or deleted. If someone copies your information or your files, you may not realize it immediately.
  - Money could be stolen or spent via access to credit cards or bank accounts.
  - Email or social media accounts could be used to impersonate you and deceive your friends, family, and colleagues.
  - Someone with a password could use this access to monitor communications and activities without your knowledge.
  - Someone could use your email account to reset passwords to other important accounts by requesting password reset links. So, by losing your email password, you risk losing access to many other accounts.
B. Creating safer and stronger passwords (10 min)
- Tell participants that the best way to prevent the negative consequences identified above is to have stronger passwords.
- Share key qualities of safer, stronger passwords with the group:
  - Complexity: passwords should include combinations of upper-case and lower-case characters, numbers and symbols. Ideally, your password should be so complex that it would be impossible or nearly impossible for a human being to remember or crack it.
  - Length: passwords should be at least 12 characters long (some experts suggest at least 15 characters).
  - Although character substitutions make passwords more secure, you should avoid the most common character substitutions (D00RB311 = DOORBELL).
  - Passwords should not include easy-to-guess personal details (your child’s or pet’s name, etc.).
  - Passwords should be unique for each account.
  - Passwords should not be based on memorable keyboard paths (e.g. qwerty, qazwsxedcrfv, pass1234, etc.).
- Discuss some of the ways to create a stronger password:
  - Passphrase: a series of at least four words, separated by spaces or not. Use random word combinations and mix in upper-case and lower-case characters, numbers and symbols.
  - Password generator: you can use a reliable web-based random password generator that lets you customize the length and complexity of your password.
  - Password card: a credit card-sized card that you can download online, print out and keep in a safe place. The card lets you pick very secure passwords for all your accounts without having to remember them.
- Ask participants to reflect on the earlier discussion about what can happen if their passwords are compromised, and based on this, lead the discussion towards why it is important to use different passwords for different accounts.
- Mention briefly key general best practices related to passwords:
  - Use unique passwords for different accounts.
  - Never share your password with anyone else.
  - Cover up your password when entering it.
  - Check the URL to ensure that the website asking for your password is not fake.
  - Change your password every 90 days.
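The qualities and creation methods above, as an added Python example that is not part of the session materials: a small checker that applies the section's rules (the pattern list and the word list are constructed samples; a real passphrase tool draws from thousands of words) and a passphrase builder in the style the session describes.

```python
import re
import secrets

# Rules from section B: at least 12 characters, mixed case, numbers and symbols,
# no common substitutions (D00RB311 = DOORBELL), no keyboard paths, no personal details.
COMMON_PATTERNS = ("qwerty", "qazwsxedcrfv", "pass1234", "password", "123456")
# Undo the most common look-alike substitutions so they cannot disguise a word.
LEET = str.maketrans("01345@$", "oleasas")
# Constructed sample word list; a real passphrase tool uses thousands of words.
WORDS = ("river", "candle", "orbit", "velvet", "granite", "lantern", "maple", "quartz")


def check_password(pw: str, personal: tuple = ()) -> list:
    """Return the session rules the password breaks; an empty list means it passes.
    personal: names the participant might be tempted to use (child, pet, ...)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper-case and lower-case letters")
    if not re.search(r"[0-9]", pw):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    plain = pw.lower().translate(LEET)  # D00RB311 -> doorbell
    if any(p in plain for p in COMMON_PATTERNS):
        problems.append("contains a memorable keyboard path or default")
    if any(word.lower() in plain for word in personal if word):
        problems.append("contains a personal detail")
    if plain != pw.lower() and plain.isalpha():
        problems.append("is just a word with common character substitutions")
    return problems


def make_passphrase(n_words: int = 4) -> str:
    """Build a passphrase the way section B describes: at least four random words,
    mixed case, joined with a random symbol and finished with a random number."""
    if n_words < 4:
        raise ValueError("use at least four words")
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    # First word always capitalised so mixed case is guaranteed; the rest at random.
    words = [w.capitalize() if i == 0 or secrets.randbelow(2) else w
             for i, w in enumerate(words)]
    sep = secrets.choice("-_.!+")
    return sep.join(words) + sep + str(10 + secrets.randbelow(90))
```

A passphrase from make_passphrase() always passes check_password(), which is the point to show participants after the hands-on activity.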
C. Hands-on activity (10 min)
- Ask participants to break into groups of two and create two strong passwords for each group, jotting down the passwords on activity sheets (5 minutes). During the activity, walk around the room, helping participants to ensure that the passwords they are creating are sufficiently strong.
- Invite volunteers to present the passwords they came up with and ask them to repeat the passwords without reading from their notes. The objective here is to ensure that participants understand how to create strong passwords and realize that such passwords are hard to remember.
D. Password managers (10 min)
- Use the above activity as a scene-setter to discuss the importance of using a password manager, without which it is practically impossible to remember so many unique and strong passwords that you need to change regularly. With a password manager, all they need to remember is a single strong password.
- Share the names of three reliable password managers (1Password (paid), LastPass and KeePass) with the participants and explain that it is up to them to choose which password manager to use, based on their needs and personal preferences.
- Demonstrate how to use a selected password manager (LastPass).
E. Multi-factor authentication (10 min)
- Share with the group the benefits of using multi-factor authentication and discuss what can serve as the second factor.
  - Even the strongest password in the world can be lost or compromised. Two-factor authentication provides an additional layer of security by requiring a second means of verifying who you are, other than your password.
  - The most common second authenticating factors include biometrics (a fingerprint scanner or Apple’s Face ID), numeric codes (app-based pin-codes or SMS codes), and physical security tokens (such as a Google security key).
  - Using SMS codes as the second factor is not very safe (the phone can be lost, stolen or unavailable when you need it).
- Demonstrate briefly how to set up two-factor authentication on a web-based service or social networking site that most participants are likely to use (e.g. Facebook).
- Explain what backup codes are and why participants might want to set up and store them.
  - When you use a second factor that requires access to a smartphone (e.g. an SMS code or an app-based pin-code), you need to safeguard yourself against the problems that arise if you lose access to the smartphone (e.g. if it is lost or stolen).
  - This is where it is important to have backup codes.
  - Download backup codes and save them in a password manager. You can also print the backup codes and keep them somewhere safe.
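As an added illustration for the facilitator (not part of the session materials) of what sits behind an app-based pin-code and a backup code: the RFC 6238 time-based code an authenticator app computes from the seed in the setup QR code, and backup codes generated and stored the way a service should keep them (salted and hashed, single use). The secret used in the test is the RFC's published example; the code length, hash and iteration count are my choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """The RFC 6238 code an authenticator app shows for a base32 seed (the
    string behind the setup QR code). at: Unix time in seconds, default now."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def make_backup_codes(n: int = 10) -> tuple:
    """Generate single-use backup codes. Returns the plain codes (shown to the
    user once, to be kept in a password manager or printed) and the salted
    PBKDF2 records the service stores instead of the codes themselves."""
    plain, stored = [], []
    for _ in range(n):
        code = secrets.token_hex(5)               # 10 hex characters, 40 bits of entropy
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)
        plain.append(code)
        stored.append({"salt": salt, "hash": digest})
    return plain, stored


def redeem_backup_code(code: str, stored: list) -> bool:
    """Check a code against the stored records and burn it on success, so a
    code that was written down and later found by someone else works at most once."""
    code = code.strip().lower()
    for i, rec in enumerate(stored):
        digest = hashlib.pbkdf2_hmac("sha256", code.encode(), rec["salt"], 100_000)
        if hmac.compare_digest(digest, rec["hash"]):
            del stored[i]                         # single use: never valid twice
            return True
    return False
```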
F. Wrap-up (5 min)
- Provide a brief summary of practical skills that the participants should have learnt during the session.
- Ask participants if they have any questions, answering the questions when possible or pointing them to online resources when the questions are not relevant to the rest of the group.
- Distribute handouts with step-by-step practical guides on the most common technical issues the participants are known to encounter (e.g. restoring two-factor authentication when a mobile phone is lost or stolen).