MOO WebTech
Networks & Security · theory-practice · beginner

L33 — Information Security

What threats exist online, how attackers work, and how to protect yourself. We test password strength, set up 2FA, and learn to spot phishing — practical skills for everyday digital life.

80 min · 14.04.2026 · L33

🎯Learning Objectives

  • Name the main types of cyber threats (malware, phishing, social engineering)
  • Explain why strong, unique passwords matter — with real data from breaches
  • Check password strength and understand what makes a password hard to crack
  • Set up two-factor authentication (2FA) on a real account
  • Identify a phishing email from a legitimate one

📖Theory

1. Why Information Security Matters

In 2023 alone, cybercriminals stole over $10 billion from individuals and companies through online fraud. The most common victim isn't a big corporation — it's an ordinary person who reused a password or clicked the wrong link.

Information security is about protecting data from unauthorised access, theft, or damage. It applies to your phone, your school account, your email, and your social media.

You don't need to be a hacker's target to get hacked. Most attacks are automated — bots trying millions of username/password combinations every second until they find one that works.

2. Types of Cyber Threats

Malware — malicious software installed on your device without your knowledge:

Type         What it does
Virus        Copies itself to other files and programs
Trojan       Disguises itself as a useful program; steals data once installed
Ransomware   Encrypts all your files, demands payment for the key
Spyware      Silently records keystrokes, passwords, webcam
Adware       Shows unwanted ads, often bundled with free software

Phishing — fake emails, websites, or messages pretending to be a trusted source to steal your login or payment info.

Example: you get an email from "support@g00gle.com" saying your account is locked. You click, enter your password. You just gave it to an attacker.

Social engineering — manipulating people into giving up information or doing something harmful. The attacker exploits trust, urgency, or fear rather than technical vulnerabilities.

Example: "Hi, I'm from IT. We need your password to fix your account right now or it will be deleted."

Brute force — automatically trying millions of password combinations. A 6-digit numeric password has 1,000,000 combinations — a computer cracks it in under 1 second.

3. Passwords — The First Line of Defence

What makes a password weak:

  • Short (under 12 characters)
  • Uses only lowercase letters
  • Is a common word, name, or date of birth
  • Reused on multiple sites

What makes a password strong:

  • Long — at least 12 characters, ideally 16+
  • Mix of uppercase, lowercase, numbers, symbols
  • Doesn't contain real words or personal info
  • Unique — different for every account

Password                        Time to crack (brute force)
password                        instantly
P@ssword                        15 minutes
Tr0ub4dor&3                     3 centuries
correct-horse-battery-staple    550 years

The last example is 4 random common words. Long but memorable. This is called a passphrase and is one of the best password strategies.
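The ranking in the table comes from estimating how many guesses an attacker needs, and crackers do not start with raw brute force: they try list words first, then passphrases and mangled words, and only then every character combination. The following Python estimator is an added example (not code from the page or from any password-checking site) that models that order. The 2048-word list, the 95-character set and the 1,000 guesses per second rate (an online guessing attack; offline cracking of leaked hashes is millions of times faster) are assumptions, so absolute times differ from the table but the ranking comes out the same.

```python
import math

# Constructed word list; real crackers use lists with millions of words and names.
WORDS = {"password", "123456", "qwerty", "letmein", "alex", "troubador",
         "correct", "horse", "battery", "staple", "tree", "lamp", "river", "cloud"}
WORDLIST_SIZE = 2048        # assumed size of the attacker's word list (2**11)
CHARSET = 95                # printable ASCII, for characters that look random
GUESSES_PER_SECOND = 1000   # assumed rate of an online guessing attack
LEET = str.maketrans("013457@$", "oleastas")   # undo common substitutions
SUFFIX_CHARS = "0123456789!@#$%^&*()-_=+"       # digits/symbols tacked on the end

def charset_size(password: str) -> int:
    """Alphabet a brute-force attack must cover: only the classes actually used."""
    size = 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += 33 if any(not c.isalnum() for c in password) else 0
    return size

def search_space(password: str) -> int:
    """Worst-case guesses, in the order a cracker actually tries them:
    plain list words, passphrases of list words, mangled words, then brute force."""
    lower = password.lower()
    if lower in WORDS:
        return 1                                    # on the list: instant
    parts = lower.split("-")                        # passphrase of N list words
    if len(parts) >= 3 and all(p in WORDS for p in parts):
        return WORDLIST_SIZE ** len(parts)
    stem = lower.rstrip(SUFFIX_CHARS)               # Tr0ub4dor&3 -> tr0ub4dor, "&3"
    suffix = password[len(stem):]
    plain = stem.translate(LEET)                    # tr0ub4dor -> troubador
    if plain in WORDS:                              # a list word with mangling
        subs = sum(1 for a, b in zip(stem, plain) if a != b)
        capital = 2 if password[:1].isupper() else 1
        suffix_space = (10 if suffix.isdigit() else CHARSET) ** len(suffix)
        return WORDLIST_SIZE * capital * 2 ** subs * suffix_space
    return charset_size(password) ** len(password)  # looks random: brute force

def entropy_bits(password: str) -> float:
    return math.log2(search_space(password))

def years_to_crack(password: str) -> float:
    return search_space(password) / GUESSES_PER_SECOND / 31_557_600

if __name__ == "__main__":
    for pw in ("password", "P@ssword", "Tr0ub4dor&3", "correct-horse-battery-staple",
               "alex2008", "Xq7!mK2r"):
        print(f"{pw:30} {entropy_bits(pw):5.1f} bits  {years_to_crack(pw):10.3g} years")
```

Under these assumptions the four-word passphrase comes out at about 44 bits and roughly 550 years, while Tr0ub4dor&3 is only about 27 bits because the attacker treats it as one word plus a few predictable tweaks.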

The #1 rule: never use the same password on two different sites. If one site gets hacked and your password leaks, attackers try it on every other site automatically (called "credential stuffing").

4. Password Managers

Nobody can memorise 50 unique strong passwords. The solution is a password manager — software that stores all your passwords in an encrypted vault, protected by one master password.

Free password managers:

  • Bitwarden (bitwarden.com) — open source, browser extension, free tier
  • KeePass — offline only, completely free, open source
  • Built-in: Google Password Manager (Chrome), iCloud Keychain (Safari)

With a password manager, you only need to remember one strong master password. It generates and stores unique random passwords for everything else.

5. Two-Factor Authentication (2FA)

2FA means you need two things to log in:

  1. Something you know — your password
  2. Something you have — your phone (an app generates a 6-digit code that changes every 30 seconds)

Even if an attacker steals your password, they can't log in without the second factor.

How to set up 2FA:

  • Download Google Authenticator or Authy on your phone (free, no account needed)
  • In any account settings (Gmail, Instagram, etc.) find "Security → Two-Factor Authentication"
  • Scan the QR code with the app
  • From now on, after entering the password, you enter the 6-digit code from the app

2FA is one of the most effective security measures you can take. Google's research showed that 2FA blocks 99.9% of automated attacks.

6. Recognising Phishing

How to tell a phishing email from a real one:

Real email                         Phishing email
From a real domain: @google.com    Fake domain: @g00gle.com, @google-support.net
Addresses you by name              "Dear Customer" or "Dear User"
No urgent threats                  "Act NOW or your account will be deleted!"
Links go to the real domain        Link says "google.com" but actually goes to g00gle.xyz
No attachment (usually)            .zip, .exe, .pdf attachment asking you to open it

How to check a link before clicking: hover over it (don't click!) and read the actual URL shown in the bottom-left of the browser. If it doesn't match what you expected, don't click.

Check if your email was in a data breach: Go to haveibeenpwned.com — type your email address. It shows all known data breaches that included your email. If your email appeared in a breach, change that password immediately.

💻Code Examples

Example A — Checking password strength

Go to howsecureismypassword.net — type a password and see how long it would take to crack by brute force.

Try these:

  1. Your name + year of birth (e.g. alex2008)
  2. A random 8-character string (e.g. Xq7!mK2r)
  3. A 4-word passphrase (e.g. tree-lamp-river-cloud)
  4. Your actual password (don't use your real one — use something similar)

Note: this site does not send your password anywhere — it calculates locally in the browser. Even so, never type your actual current password into any third-party site.

Example B — Spotting phishing in an email

Read this email carefully:

From: security@paypa1.com
Subject: Urgent: Your account has been limited!

Dear Customer,

We have detected unusual activity on your PayPal account.
Your account has been limited until we verify your information.

Click here to verify: http://paypa1-secure.login.ru/verify

Failure to verify within 24 hours will result in permanent
account suspension.

PayPal Security Team

Red flags:

  • Sender domain: paypa1.com (that's the number 1, not the letter l)
  • "Dear Customer" — no name
  • Urgent threat with 24-hour deadline
  • Link domain: paypa1-secure.login.ru — completely different from paypal.com
  • Russian domain .ru for an American company
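Most of these red flags can be checked mechanically, which is how mail filters catch the obvious cases. The Python below is an added example (not code from the page) that parses a shortened copy of the Example B email and flags a sender or link domain that imitates a known brand using look-alike characters, a generic greeting, and urgency language; the TRUSTED brand list and the confusable-character mapping are assumptions made for the demo.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: a shortened copy of the Example B email above.
SAMPLE = """From: security@paypa1.com
Subject: Urgent: Your account has been limited!

Dear Customer,
Click here to verify: http://paypa1-secure.login.ru/verify
Failure to verify within 24 hours will result in permanent suspension.
"""
# Assumed list of brands we deal with and the domain each really uses.
TRUSTED = {"paypal": "paypal.com", "google": "google.com"}
CONFUSABLES = str.maketrans("01345", "oleas")   # 1 looks like l, 0 like o, ...
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours?|suspen\w*|limited|act now)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"]+")

def registrable(host: str) -> str:
    """Last two labels of a hostname: 'paypa1-secure.login.ru' -> 'login.ru'."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike(domain: str):
    """Brand this domain imitates, if any: after undoing look-alike characters
    the name contains the brand, yet the registrable domain is not the real one."""
    plain = domain.lower().translate(CONFUSABLES)
    for brand, real in TRUSTED.items():
        if brand in plain and registrable(domain) != real:
            return brand
    return None

def analyse(raw: str) -> list:
    """Return the red flags found in one raw email (headers + body)."""
    msg = message_from_string(raw)
    body, flags = msg.get_payload(), []
    sender = msg.get("From", "").rsplit("@", 1)[-1].strip("<> ")
    if brand := lookalike(sender):
        flags.append(f"sender domain {sender} imitates {TRUSTED[brand]}")
    if re.search(r"^\s*dear (customer|user)\b", body, re.I | re.M):
        flags.append("generic greeting")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency / threat language")
    for host in (urlparse(u).hostname or "" for u in URL.findall(body)):
        if brand := lookalike(host):
            flags.append(f"link host {host} imitates {TRUSTED[brand]}")
        elif registrable(host) not in TRUSTED.values():
            flags.append(f"link host {host} is not a domain we trust")
    return flags

if __name__ == "__main__":
    for flag in analyse(SAMPLE):
        print("RED FLAG:", flag)
```

The same checks pass a genuine message from service@paypal.com that greets you by name and links to www.paypal.com, which is exactly the contrast the table in section 6 draws.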

✏️Practice Tasks

Task 1: Password strength audit
EASY — IN CLASS
  1. Go to howsecureismypassword.net
  2. Test 5 different password types. Record the time-to-crack for each.
  3. Create your own strong passphrase (4 random words + a number, e.g. lamp-river-cloud-42)
  4. Test it on the site

Then check your email on haveibeenpwned.com. If it appears in a breach, which sites were breached? (You don't have to share this with the class — keep it personal.)

💡 Hint
Don't use your real password on the strength checker — use something similar (same length and character types). The site calculates strength without sending anything to a server, but good habits mean never typing real passwords into unfamiliar sites.

Task 2: Spot the phishing
MEDIUM — IN CLASS

Your teacher will show (or print) 5 emails. For each email, decide: real or phishing?

Mark the red flags you found:

  • Suspicious sender domain?
  • Generic greeting?
  • Urgency / threat?
  • Suspicious link URL?
  • Attachment?

For each phishing email: describe in one sentence what the attacker wants the victim to do and what would happen if they did it.

💡 Hint
Hover over links (in a screenshot, read carefully) — the displayed text and the actual URL are often different in phishing emails. For example, text says "Click here to verify your PayPal account" but the URL shows "http://evil.ru/paypal/steal". That's the biggest giveaway.

Task 3: Set up 2FA on one account
HARD — HOMEWORK
  1. Install Google Authenticator (free, on Android or iOS) on your phone
  2. Enable 2FA on one of your accounts: Gmail, Instagram, or any other that supports it
    • Gmail: myaccount.google.com → Security → 2-Step Verification
    • Instagram: Settings → Security → Two-Factor Authentication
  3. Scan the QR code with Google Authenticator
  4. Log out and log back in to test: you should need the code from the app
  5. Save the backup codes somewhere safe (not in the same email account!)

Write in your notebook:

  • Which account did you enable 2FA on?
  • What happens if you lose your phone and can't generate the 2FA code?

💡 Hint
The backup codes question is important: most services give you 8–10 one-time backup codes when you set up 2FA. Print them or write them down and store somewhere physically safe (not in your email). Without them, losing the phone means losing access to the account.

⚠️Common Mistakes

Using the same password everywhere

This is the single most dangerous habit. When one site leaks your password (and sites do get hacked — see haveibeenpwned.com), every account with that password is immediately at risk.

Thinking 2FA means you're invincible

2FA stops automated attacks. A skilled attacker can still trick you into giving them the 2FA code (by calling you pretending to be tech support and asking for "the code we just sent you"). Never share your 2FA code with anyone who contacts you first.

Opening attachments from unknown senders

.pdf, .doc, .zip files can contain malware. If you didn't expect an attachment, even from someone you know (their account could be compromised), verify with them by a different channel first.

Entering your password on a site you didn't navigate to yourself

Always type the URL yourself or use a bookmark. Never click an email link to a login page. If someone says "click here to log in", open the real site directly in a new tab.

🎓Instructor Notes

⚡ How to run this lesson (~80 min)

  • [5 min] Hook. Show the haveibeenpwned.com stats page — billions of accounts compromised. Ask how many students have reused a password.
  • [15 min] Threats + password theory. The cracking time table always generates discussion. Students are usually shocked that password is instant.
  • [10 min] Live demo: phishing email. Show a realistic phishing example on the projector. Ask students to find the red flags before revealing them.
  • [10 min] 2FA explanation. Show Google Authenticator on a phone — live, with the 30-second rotation.
  • [30 min] Tasks 1 + 2 in class. Task 1 = password testing + haveibeenpwned (personal, private). Task 2 = phishing quiz (can be done as class voting with hands).
  • [10 min] Set up Bitwarden together. Optional: guide class through creating a Bitwarden account and installing the browser extension.

💬 Discussion questions

  • "Is it possible to be 100% secure online? Why or why not?"
  • "If a password manager gets hacked, doesn't that make you less safe? (Research: all major password managers use zero-knowledge encryption — even they can't see your passwords.)"
  • "Should the government be allowed to read encrypted messages to catch criminals? What are the trade-offs?"

🧰 Resources