Computing · Secondary 3

Active learning ideas

Strong Passwords and Multi-Factor Authentication

Active learning helps students grasp password security by making abstract threats concrete. When students test weak passwords in real time or role-play hacking scenarios, they see why rules exist instead of memorizing them. These hands-on tasks also build critical thinking about trade-offs between security and convenience.

MOE Syllabus OutcomesMOE: Cybersecurity - S3
20–40 minPairs → Whole Class4 activities

Activity 01

Numbered Heads Together30 min · Pairs

Pair Work: Password Strength Challenge

Pairs brainstorm five passwords from weak to strong based on criteria. They input each into a free online strength checker and record scores with reasons for differences. Pairs then create and test one unbeatable password together.

Justify the criteria for a 'strong' password in today's digital landscape.

Facilitation TipDuring the Pair Work challenge, circulate with a password cracker tool on a laptop to let pairs test their own passwords and adjust them on the spot.

What to look forPresent students with a list of 5-7 passwords. Ask them to identify which ones meet the criteria for a strong password and explain why, referencing at least two specific attack types (e.g., brute-force, dictionary attack).

RememberUnderstandApplyRelationship SkillsSelf-Management
Generate Complete Lesson

Activity 02

Numbered Heads Together40 min · Small Groups

Small Groups: MFA Role-Play Scenarios

Groups of four act out login attempts: one successful with MFA, one failed hack despite strong password, and one breach without MFA. They perform skits for the class and discuss key takeaways on layered security.

Explain why multi-factor authentication significantly enhances account security.

Facilitation TipFor MFA role-play, assign clear roles (hacker, user, MFA app) and provide scripted prompts so students focus on the process rather than improvising.

What to look forPose the question: 'Imagine you have a password manager and MFA enabled on all your accounts. What are the potential downsides or trade-offs of this security setup?' Facilitate a class discussion on convenience versus security.

RememberUnderstandApplyRelationship SkillsSelf-Management
Generate Complete Lesson

Activity 03

Numbered Heads Together25 min · Individual

Individual: Personal Security Plan

Students list their top five accounts, generate unique strong passwords or note password manager use, and identify MFA options. They outline a weekly review routine and share one tip with a neighbor.

Design a personal strategy for managing strong and unique passwords across multiple accounts.

Facilitation TipWhile students draft their Personal Security Plan, ask guiding questions like, 'Which account feels riskiest to you?' to push reflection.

What to look forAsk students to write down two specific actions they will take this week to improve their personal password security, based on what they learned about strong passwords and MFA.

RememberUnderstandApplyRelationship SkillsSelf-Management
Generate Complete Lesson

Activity 04

Numbered Heads Together20 min · Whole Class

Whole Class: Attack Demo

Display a password cracker tool live. Class predicts crack times for sample weak, medium, and strong passwords. Debrief how length and complexity extend times from seconds to centuries.

Justify the criteria for a 'strong' password in today's digital landscape.

Facilitation TipRun the Attack Demo on a controlled test account so students observe the failure without real consequences.

What to look forPresent students with a list of 5-7 passwords. Ask them to identify which ones meet the criteria for a strong password and explain why, referencing at least two specific attack types (e.g., brute-force, dictionary attack).

RememberUnderstandApplyRelationship SkillsSelf-Management
Generate Complete Lesson

A few notes on teaching this unit

Teach password security by combining theory with immediate, low-stakes practice. Use live demos to show how crackers exploit predictable patterns, then let students revise passwords and see the results. Avoid lecturing on entropy formulas; instead, focus on observable weaknesses. For MFA, stress that the second factor is not optional but a critical barrier when the first fails. Research shows that students retain concepts better when they experience failure and recovery in a safe setting.

Students will justify password rules using attack models and explain MFA’s role through scenarios and personal plans. They will compare password strength, simulate breaches, and design safer habits they can apply immediately. Evidence of learning includes clear reasoning about brute-force and dictionary attacks and confident use of MFA in role-plays.

Watch Out for These Misconceptions

  • During Pair Work: Password Strength Challenge, watch for students who create long passwords using only letters, assuming length alone makes them strong.

    Circulate with a dictionary-attack tool and let these students enter their passwords to see how quickly a cracker guesses them. Ask them to adjust by adding numbers and symbols, then test again to prove the difference.

  • During Small Groups: MFA Role-Play Scenarios, watch for students who say MFA is unnecessary if the password is strong.

    Run a mock phishing scenario where a hacker steals the password but still fails to log in. Have students analyze why MFA blocked access and discuss real-world breaches where passwords were leaked but accounts stayed safe.

  • During Individual: Personal Security Plan, watch for students who plan to reuse one strong password across multiple accounts.

    Ask them to map their accounts and trace how one breach could cascade. Provide a template for unique passwords or a password manager so they see the domino effect of reuse and the simplicity of alternatives.

Methods used in this brief

More in Cybersecurity and Defense

Introduction to Cybersecurity

Students will understand the importance of cybersecurity and common terms like threats, vulnerabilities, and risks.

2 methodologies

Malware: Viruses, Worms, and Trojans

Students will learn about different types of malicious software, their characteristics, and how they spread.

2 methodologies

Phishing and Social Engineering

Students will investigate social engineering tactics, particularly phishing, and learn to identify and avoid them.

2 methodologies

Online Scams and Fraud

Students will learn about various online scams (e.g., fake giveaways, tech support scams) and strategies to protect themselves from financial and personal harm.

2 methodologies

Protecting Data with Encryption (Basic Concept)

Students will understand the basic idea of encryption as a way to scramble data to protect its privacy and security, without delving into specific methods.

2 methodologies