
Practice making stronger passwords

Try to guess some passwords and learn how to make your own more secure to keep your accounts safe online.


You’ll need

  • Scrap paper
  • Pens or pencils
Password Profiles
PDF – 1.2MB

Before you begin 

  • Use the safety checklist to help you plan and risk assess your activity. There's also more guidance to help you carry out your risk assessment, including examples.   
  • Make sure all young people and adults involved in the activity know how to take part safely.
  • Make sure you’ll have enough adult helpers. You may need some parents and carers to help. 

Planning and setting up this activity 

  • If you're unsure about your cyber security knowledge, you can use the National Cyber Security Centre (NCSC) resources to improve your skills before running the activity.
  • Have a printed or written copy of the password profiles for each team.
  • Alternatively, you could create your own profiles. You’ll just need to adapt the password answers. 
  • Use a strong and different password for your email: Combining 3 random words that each mean something to you is a great way to create a password that is easy to remember but hard to crack. You should use a different password for each of your accounts, particularly your email account.
  • Consider using a Password Manager: A password manager can store all your passwords securely, so you don’t have to worry about remembering them, helping you to use strong, separate passwords for all your important accounts.
  • Enable Two-Step Verification (2SV): Aim to use Two-Step Verification (2SV) wherever possible. This can involve entering a code that’s sent to your phone or email, as well as your password. It’s often also known as Two-Factor Authentication or Multi-Factor Authentication (MFA).
  • Keep software regularly updated: Regularly update your operating system, apps and antivirus software to protect against the latest threats. Cybercriminals, often known as hackers, make use of and benefit from weaknesses in outdated software to steal information. 
  • Look out for phishing and scams: For emails, messages or texts, always avoid using suspicious links or downloading attachments from unknown sources. Phishing emails, messages and texts often look legitimate, but their aim is to steal your information. They often use suspicious URLs or email addresses, use bad spelling and have bad formatting.
  • Back up data regularly: Always back up your most important files to a secure location, such as an external hard drive or cloud storage. This helps to protect you from data loss if there’s malicious software (such as viruses, worms, spyware) or hardware failures.
  • Educate others: Make sure you stay informed about the latest cybersecurity threats and how to protect yourselves from them. It's always good to tell your friends, family and loved ones about them too.  

Multi-Factor Authentication (MFA) and Two-Step Verification (2SV) are the same thing, and you may see it referred to as either.

Why set up 2SV?

If someone cracked your password and tried to get into your account, 2SV would give them another layer of security to get through. The hacker would need your fingerprint, face recognition, or the code sent to your alternative account to access your account.

How can you remember all your different passwords?

A password manager app can store your passwords securely all in one place (and can even create passwords on some accounts), so you do not need to worry about saving them. Password managers can be found on your phone, tablet or computer. Once you’ve logged into the password manager using a master password, it will generate and remember the passwords for your online accounts. Use three random words for the master password, and don’t forget it, as that would lock you out of your other accounts. A password manager allows you to use unique, strong passwords for all your important accounts rather than using the same password for all of them, which you should never do. Password managers can even sometimes enter your passwords into websites and apps automatically, so you don’t need to type them in every time.

Password managers can also help you spot fake websites to protect you against a cyber attack and they can even be used across multiple devices to make it easier to log into your accounts across different devices.

An easy way to save passwords: when you’re logging into your online accounts, most browsers and devices will offer to save them for you. It is safe for you to do this on your own device, but if the device is shared, make sure you have your own account on it.

Guessing game 

  1. Gather everyone together and explain that you’re going to be learning about what makes a good online password, such as for social media platforms. For younger groups, you could ask if anyone’s ever made a password before. For older groups, you could see if they can think of anything that might make a password stronger.
  2. Ask everyone to get into small teams, such as two or three, then give each group a copy of the password profiles. They’re attached to this page. 
  3. Explain to the group that they’ll have to guess each person's password, based on the information they’ve been given. They’ll have 10 minutes to come up with as many guesses for each person’s password as they can. 
  4. Once the time’s up, gather everyone together and ask for each group to say a few of their guesses if they want to.
  5. Now, reveal what each person’s password is – did anyone guess any correctly?
  6. Explain how all the information that was included on these people’s profiles can be easily found out about real people in everyday life. Hackers are also very good at asking you for this kind of information without you even realising. You were probably able to guess the passwords correctly, or get very close to the right password, in about ten minutes, so imagine how quickly a professional hacker could find the passwords out. 
  7. Explain that personal information could be found online and used by someone attempting to get access to your accounts, so you should avoid using personal information in a password. You should use three random words instead. 

Password answers 

  • Alexander: ManUtd2013
  • Lily: LilySparky23
  • Arjan: Horse08012000
  • Mya: WillowbrookBubbles2015 

Making stronger passwords 

  1. Ask everyone to get back into their teams, then give each team a theme, such as animals, capital cities, sports, films, musicians, foods, dinosaurs, superheroes and so on.
  2. Explain to everyone that the groups will have a few minutes to come up with 20 words connected to their theme. They can write them down or draw them on a piece of paper.
  3. Once each group has finished their list, explain to everyone that they’re going to use the sheets to generate their own three-word, random passwords.   
  4. Give everyone a few minutes to pick three words from three different lists. They shouldn’t discuss their choice or tell anyone which three words they’ve chosen. 
  5. When people have chosen their three words, they should write them down or draw them, then keep them hidden from the rest of the group.
  6. Explain that the strongest passwords are created by combining three random words and that we should have a separate password for every account we have. 
  7. Explain that passwords should be kept safe and secure and should never be shared with anyone else. A password manager is recommended. This is an app which can create, save and manage passwords all in one place. An authenticator app or password manager is usually installed on a phone or tablet.
  8. Another layer of protection that is important to note is 2 step verification. When you set up 2 step verification, also known as 2SV, or multi-factor or two-factor authentication, you will be sent a PIN or code, often by SMS or email. You then need to enter that PIN into the website to prove that it is really you. Another form of 2SV is fingerprint identification or face scan. 
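
For leaders who want to show the same idea on a computer, here is an added example (not part of the original activity) that picks three words from three different themed lists at random and checks a password for facts from a profile. The word lists and the profile facts for Lily are constructed for illustration, and the function names are this example's own.

```python
import itertools
import secrets

# Constructed sample lists. The activity asks for 20 words per theme;
# five per theme are used here to keep the example short.
THEMES = {
    "animals": ["otter", "heron", "badger", "gecko", "walrus"],
    "foods": ["crumpet", "noodle", "pickle", "mango", "waffle"],
    "dinosaurs": ["iguanodon", "raptor", "stegosaur", "diplodocus", "allosaur"],
    "capital cities": ["lima", "oslo", "cardiff", "nairobi", "hanoi"],
}

_rng = secrets.SystemRandom()  # draws from the operating system's secure random source


def three_word_password(themes):
    """Pick three different themes at random, then one random word from each."""
    if len(themes) < 3:
        raise ValueError("need at least three themed lists")
    chosen = _rng.sample(sorted(themes), 3)
    return "".join(_rng.choice(themes[t]).capitalize() for t in chosen)


def possible_passwords(themes):
    """Count ordered choices of one word from each of three different lists."""
    sizes = [len(words) for words in themes.values()]
    return sum(a * b * c for a, b, c in itertools.permutations(sizes, 3))


def personal_info_in(password, profile_facts):
    """Return the profile facts that appear inside the password (case-insensitive)."""
    lowered = password.lower()
    return [fact for fact in profile_facts if fact.lower() in lowered]


if __name__ == "__main__":
    # Constructed profile facts; the Password Profiles sheet is not reproduced here.
    lily_facts = ["Lily", "Sparky"]
    print("Found in LilySparky23:", personal_info_in("LilySparky23", lily_facts))
    new_password = three_word_password(THEMES)
    print(new_password, "contains:", personal_info_in(new_password, lily_facts))
    print(possible_passwords(THEMES), "possible passwords from these short lists")
```

The number of possible passwords depends on how many themes and words are in the lists, so longer lists give a guesser far more to try.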

Let us know how it went: 

Our supporter, the National Cyber Security Centre (NCSC), is keen to know how much you have learned about cyber security. If you’re happy to take part in their review, please ask your group these questions and send their answers to the NCSC using our Microsoft form.

You’re going to read out a set of statements and everyone must decide if they Agree, Disagree or are Unsure. You could do this in lots of ways. You could use a thumbs up, thumbs down and thumbs in the middle. You could go round in a circle and ask people to say their answer, or you could set up three labelled areas for people to move between to show their answer. You will then report what the majority of the group answered. 

You may wish to run this before and after the activity to see what people have learned during the session.

Reflection

This activity was all about knowing how to create a strong password. What did you learn about what makes a good password? How will this change what actions you take to protect yourself online in the future? Is there one thing you’ve learned today that you would tell someone else?

You also had to try and guess some passwords. Did you find it easy or hard to guess the passwords? How close did you get? Did anything trick you, such as the numbers or capital letters? 

Ask everyone to think about how people could try to steal their passwords. Think about the personal profiles you saw. How much of your personal information that’s like what's in the profiles do you think exists online? You should always try to avoid using personal information in passwords.  

You also then had to create a password. What can you do to keep your information safe? How can you remember all of these different passwords? Why do you think you should set up 2SV? What will you do to change how you make a password in the future?

There are lots of ways people can try to find out our passwords. Scammers, or cyber criminals, can also pretend to be a company or person to try to get our passwords or personal data. A reputable company will never ask for your password or bank PIN, either over the phone, by text or by email. If they need you to reset your password, they'll send you a link to a secure page on their official site, which will allow you to do it safely.

Safety

All activities must be safely managed. You must complete a thorough risk assessment and take appropriate steps to reduce risk. Use the safety checklist to help you plan and risk assess your activity. Always get approval for the activity, and have suitable supervision and an InTouch process.

To make this activity easier, you could give the young people a few potential passwords to guess from for the personal profiles. You could also create word lists, with 20 words per theme, that are pre-made for people to use. You could also ask everyone to make a personal profile, just like the ones in the first game. They should then create a password based on the profile for other people to guess, rather than using the three random words and themed word lists.

  • If anyone needs help or struggles with fine motor skills, give them the opportunity to work in pairs, with a young leader or an adult volunteer. 
  • People who struggle with making choices could find all the options a bit overwhelming, so they might need extra support or to work with a young leader/volunteer. 

All Scout activities should be inclusive and accessible.

If you enjoyed this activity, check out our others on cyber security or encourage the young people to check out the fun resources from the National Cyber Security Centre, such as Cyber Sprinters, the award-winning interactive online security resources for 7–11 year olds, or Cyber Navigators, an interactive online security resource for 11–14 year olds that's all about how to stay secure online.

Young people could make their own profile to guess the passwords from.