This module opens with an introduction to common attacks on online accounts, and the need for two-factor authentication. It then moves on to a few activities having students investigate the security of their own passwords, and where they might set up two-factor authentication for their primary email provider. It closes with a discussion about risk mitigation.

This module intends to tee up a second conversation about password management, and slides about phishing and password stuffing can be reused for the password management discussion.

Prerequisites

Threat modeling

Estimated time

35-45 minutes

Objectives

• Upon successful completion of this lesson, students will be able to identify a phishing email.
• Students will have a basic understanding of automated, dictionary-based attacks on online accounts.
• Students will be able to identify common types of two-factor authentication tools.
• Students will be able to identify step-by-step resources for setting up these defenses.

Why this matters

Understanding in concrete terms how likely attacks are executed in practice will help students focus their attention on the most common threats, and realistic ways to defend. Two-factor authentication is one of the most effective defenses against account break-ins. Chances are, your students are already familiar with it in some way — whether through their bank, hospital, or even your university's security requirements, so reiterating why this tactic is effective is key.

Homework

(Before class)

• Read this piece from The Washington Post about the hijacking of AP's Twitter account in 2013: "Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism?"
• Read this article from The Guardian, describing Google's security research demonstrating phishing attacks against news organizations: "Google: 80% of news organisations are targeted by state hackers"
• (Optional) Listen to this episode of the Darknet Diaries podcast about a wordlist commonly used in automated attacks on passwords, "Rockyou"

(After class)

• Read this piece from Freedom of the Press Foundation on account security: "Phishing prevention and email hygiene"
• Watch this video demoing a popular security operating system, Kali Linux: "Social Engineering Attack Demo - Kali Linux setoolkit - Cybersecurity - CSE4003"
• Students should try setting up two-factor authentication on at least one email account they have access to, document which "factor" they chose, why, and how this compares to alternatives. For additional help setting up 2FA, have students read this article by our team at Freedom of the Press Foundation: "Two-factor authentication for beginners"

Sample slides

Authentication, Part 1 (Google Slides)

Activities

• Have students try out their own email addresses at Have I Been Pwned.
• Look at rockyou.txt, wordlist of common passwords from a major dump, to see if an old password has ever appeared there: rockyou.txt password list
• Visit 2fa.directory and locate your primary email provider.

Questions for discussion

• Have you or someone you know ever experienced a security breach? (A stolen credit card, hacked account, and so on?) What happened?
• How might this have been prevented?
• How much risk is tied to your personal behaviors, versus the behaviors of the service provider?
• What do you think service providers could do to better protect your data?

Related resources

• Check out our list of guides and resources for strengthening online account security.