In my Intro to Health Informatics class today, I tackled a subject that I have often covered in the past in many computer classes, which is password security and calculating password cracking times. I was happier with my results today than in the past, but I think I can improve more.
Although, the first step I did with my students, I think, should change. This is because I had my students go into the back-end of the OpenEMR software, see the users table, and see what one-way encryption looks like. While I like them to see this, I think that by showing the back-end of the database so early in the process I drifted from my major point for the day, which was password security, and that probably lowered the ultimate retention of my students. Since “guessing and checking” passwords as a cracking methodology does not necessarily rely upon one-way encryption, in future classes I will teach the back-end and the one-way encryption later.
The next step was that I led them to some websites that gave some information about hacking passwords. While my goal is not to give them so many tools as to allow them to become hackers, I want them to get real-world data about how quickly password cracking software can work and how it basically does it. I think my explanation of brute-force vs. dictionary attacks could improve at this point, and next time I teach this, I want to find a way that I could actually have the students see how the 2 methods and corresponding password creation methods work. I liked using a comic strip from xkcd to show part of this, although the data entropy part was over their heads. But the comic strip gave me 2 types of passwords to “battle”, so I could use them as my examples, and I liked that quite a bit. I think with more focus first on password creation methods, and then looking at the types of attacks for a type of creation method, I will have better luck next time. In fact, maybe I’ll do a mini-wargame type of situation next time.
I didn’t dwell on the formulas today, and in fact I got one of them wrong at first, which I’m sure confused my students more. I would like to bring the understanding of exponents back into the lesson in the future. I just need to think more about how to get it to click better with students.
But the students were able to copy my Excel Calculator and put in the numbers, and in the past, this is where I would have ended my lesson. And my lesson would have been about just as good as in the past if I had ended it there. Instead of ending there, I had the students use the calculator to see if their current password could be cracked within a year’s time, and also check the password they came up with as a group. This was something concrete that they could do, putting their knowledge into action and having to talk things out, and I think it made a big difference.
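As an added example (not the author's Excel sheet), here is the same calculator in Python: the exponent formula for brute force, the word-list formula for a dictionary attack, and the "cracked within a year" check, applied to the two password styles from the xkcd strip. The guess rates, the 2048-word and 50,000-word list sizes, and the 1000 mangling variants per word are assumptions chosen for the classroom, not measured figures.

```python
import math
import string

SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Character classes a brute-force attacker must cover once any member appears (assumed sizes).
CLASS_SIZES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
]


def charset_size(password: str) -> int:
    """Alphabet size the attacker must assume: sum of the classes present in the password."""
    present = set(password)
    return sum(size for members, size in CLASS_SIZES if present & members)


def brute_force_space(password: str) -> int:
    """Exhaustive-search candidates: charset_size ** length (the exponent formula)."""
    return charset_size(password) ** len(password)


def dictionary_space(wordlist_size: int, words: int, variants_per_word: int = 1) -> int:
    """Candidates when the attacker knows the password is `words` list words, each mangled
    into one of `variants_per_word` forms (capitalisation, digit swaps, trailing symbol)."""
    return (wordlist_size * variants_per_word) ** words


def bits(space: int) -> float:
    """Entropy in bits: how many 50/50 guesses the search space is worth."""
    return math.log2(space)


def average_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to a hit: on average half the space is tried before success."""
    return space / 2 / guesses_per_second


def cracked_within_year(space: int, guesses_per_second: float) -> bool:
    """The classroom question: does the expected crack time fit inside one year?"""
    return average_seconds(space, guesses_per_second) <= SECONDS_PER_YEAR


def battle(guesses_per_second: float) -> dict:
    """Pit the comic's two styles against the attack suited to each (list sizes assumed)."""
    substituted = dictionary_space(50_000, words=1, variants_per_word=1_000)  # 'Tr0ub4dor&3' style
    passphrase = dictionary_space(2_048, words=4)  # four random common words
    return {
        "substituted_word": (round(bits(substituted), 1), cracked_within_year(substituted, guesses_per_second)),
        "four_words": (round(bits(passphrase), 1), cracked_within_year(passphrase, guesses_per_second)),
    }
```

Running `battle(1000)` (a throttled online rate) versus `battle(1e10)` (an assumed offline rate against a fast hash) shows students that the guess rate assumption decides the answer as much as the password does.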