Blackbox Intelligence Group

Starter · Module 2

Module 2: Passwords, MFA, and Account Security

Identity is the most-attacked control in the modern stack. Students leave with a real account-security checklist they can apply tonight.

Length
60 min
Level
beginner
Track
Starter
Cadence
Free preview


What's in the lesson pack

Everything you need to teach this period.

Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.

Teacher Guide

Lesson at a glance, learning objectives, vocabulary, pacing, mini-lessons, and discussion notes.

In-browser presenter

Full themed slide deck you can run live from your laptop. Speaker notes built in. Works offline once loaded.

PowerPoint (.pptx) export

Editable slide deck for districts that mandate PowerPoint or want to customize for their LMS.

Module overview

The full lesson plan, public.

Read everything before you commit. The plan, objectives, vocabulary, standards alignment, and pacing are open. Only the print-ready deliverables are gated.

Module 2 - Passwords, MFA, and Account Security

Lesson at a glance

| Field | Value |
| ------------------- | --------------------------------------------------------------------- |
| Grade band | 9–12 |
| Total time | 60 minutes |
| Difficulty | Beginner |
| Required materials | Account profile handout, projector, student checklist (printed) |
| Lab access | None - pencil-and-paper module |
| Standards alignment | CSTA 3A-NI-04, NICE Framework K0007, CISA Cyber Essentials (Yourself) |

Safety: Do not allow students to share, type, or photograph real passwords at any point. Every example in this lesson uses fictional accounts.


Learning objectives

By the end of this lesson students will be able to:

  1. Explain why length beats complexity for passwords, with one concrete example.
  2. Define credential stuffing and explain why password reuse is the multiplier that makes it work.
  3. Rank multi-factor authentication options from strongest to weakest (passkey/security key → authenticator app → push → SMS → email).
  4. Audit a fictional user’s account profile and recommend at least 4 specific fixes.
  5. Identify the three settings every student should change on their personal email account this week.

Vocabulary

  • Passphrase - a long string of unrelated words, easier to remember and harder to crack than a short complex string.
  • Credential stuffing - automated login attempts using username/password pairs leaked from a different breach.
  • Multi-factor authentication (MFA) - proving identity with two or more of: something you know, something you have, something you are.
  • Authenticator app - a phone app (Google Authenticator, Authy, 1Password, Microsoft Authenticator) that generates time-based 6-digit codes (TOTP) from a secret shared with the site at enrollment. The code changes every 30 seconds and needs no network connection.
  • Passkey - a phishing-resistant credential (FIDO2/WebAuthn) that lives on your device or in your platform’s keychain. The site stores only a public key, the private key never leaves the device, and the sign-in is bound to the real site’s address, so a look-alike site gets nothing it can reuse. Replaces the password.
  • Recovery code / backup code - one-time codes issued when MFA is enabled, for signing in if the phone or key is lost. Lose both the second factor and these codes and you are locked out until the provider’s account-recovery process lets you back in, if it does. Print them and keep them somewhere physical.
  • Password manager - software that generates and stores unique long passwords for every account.

Why this module follows ethics (teacher background)

Almost every real breach you read about in the news has the same first move: a stolen or guessed credential. Identity is the most-attacked control in modern computing because it’s the cheapest one to attack. The defensive lesson is not “memorize a complicated password” - humans are bad at that and it doesn’t help against the actual attacks. The defensive lesson is length, uniqueness, and a second factor, supported by a password manager so the human only has to remember one good thing.

Students will resist the password manager idea. Many will say “it’s just one more thing to lose.” Counter that with the math: one strong primary password plus MFA protecting a manager full of long, generated, unique passwords beats 60 passwords a human can actually remember, which in practice means 60 weak ones, most of them reused. They are not equally risky.


Materials checklist

  • [ ] Printed Account Profile Handout (one per student) - see “Skylar’s account profile” below.
  • [ ] Printed Student Checklist (the “Account Security Checklist” at the end of this guide).
  • [ ] Projector or board for the warm-up password vote.
  • [ ] Optional: a phone running an authenticator app to demo the 30-second code rotation.

Pacing - minute-by-minute

| Time | Block | What happens |
| ----- | --------------- | ----------------------------------------------------- |
| 0–5 | Opener | Vote on the strongest password |
| 5–18 | Mini-lesson | Length, reuse, MFA, password manager |
| 18–40 | Activity | Audit Skylar’s account profile and write the fix list |
| 40–50 | Discussion | Whole-class fix list and gray areas |
| 50–58 | Personal action | Three settings to change this week |
| 58–60 | Exit ticket | One-line commitment |


0–5 min · Opener - vote on the strongest password

Project these three (all fictional, never used):

  1. P@ssw0rd1!
  2. correct-horse-battery-staple
  3. Tr0ub4dor&3

Hands up: which is strongest? Take the count. Most rooms pick #1 or #3 because they look complicated.

Teacher script (verbatim is fine):

“Almost every cracking tool I’ve seen treats #1 and #3 as easy and #2 as hard. The reason is length. A modern attacker isn’t guessing - they’re running billions of tries per second against a leaked hash. Each extra character is roughly an extra factor of difficulty. ‘P@ssw0rd1!’ is 10 characters. ‘correct-horse-battery-staple’ is 28. The math doesn’t care whether your password looks complicated - it cares how long it is and whether it’s in a wordlist or breach dump.”

Transition to the mini-lesson.


5–18 min · Mini-lesson

1. Length beats complexity

Show the math, even at a back-of-the-envelope level:

| Password | Length | Realistic time to crack* |
| ------------------------------ | ------ | ------------------------------------------------------ |
| P@ssw0rd1! | 10 | minutes - it’s in every wordlist |
| Tr0ub4dor&3 | 11 | hours - the letter-substitution pattern is well-known and covered by mangling rules |
| correct-horse-battery-staple | 28 | days to centuries for four truly random words, depending on how slowly the site hashes passwords - see the note |

*Against an offline hash crack with a modern GPU. Adjust numbers as wordlists and hardware evolve, but the relative ordering is the lesson. Two caveats to have ready: the famous XKCD phrase itself is now in cracking wordlists, so a student who adopts it literally has a weak password - the strength comes from picking four words at random that nobody has published; and how long a random phrase survives depends on the site’s hashing, since a slow hash such as bcrypt turns days into centuries.

Say: “Length is the lever. Don’t reach for symbols and numbers. Reach for length.”
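The back-of-the-envelope math above, carried through in code so the numbers on the slide can be regenerated with whatever attacker model a teacher prefers. This is an added example, not material from the lesson pack; the guess rate, wordlist size and rule count are assumptions flagged in the comments, and the Diceware list size (7776 words) and printable-ASCII alphabet (95 characters) are standard figures.

```python
import math

# Attacker model (assumed for this example, not figures from the lesson):
# one GPU rig, offline attack on a fast unsalted hash. Lower GUESSES_PER_SEC
# by several orders of magnitude for a slow hash such as bcrypt.
GUESSES_PER_SEC = 1e10

WORDLIST_SIZE = 14_000_000   # assumed: a rockyou-sized leaked-password list
MANGLING_RULES = 100         # assumed: rules like "capitalise, add a digit, @ for a"
DICEWARE_WORDS = 7776        # the standard Diceware list is 6^5 words
PRINTABLE_ASCII = 95         # the alphabet a password manager draws from


def keyspace_wordlist(words=WORDLIST_SIZE, rules=MANGLING_RULES):
    """Guesses to try every wordlist entry under every mangling rule.
    P@ssw0rd1! and Tr0ub4dor&3 both live in here, whatever their length."""
    return words * rules


def keyspace_random_chars(length, alphabet=PRINTABLE_ASCII):
    """Guesses to try every string of `length` characters from `alphabet`."""
    return alphabet ** length


def keyspace_passphrase(n_words, dictionary=DICEWARE_WORDS):
    """Guesses to try every n-word phrase from a public word list. The attacker
    is assumed to know the list and the word count; only the choice is secret."""
    return dictionary ** n_words


def bits(keyspace):
    """Entropy in bits: how many fair coin flips of secret the password holds."""
    return math.log2(keyspace)


def expected_seconds(keyspace, rate=GUESSES_PER_SEC):
    """Average time to hit the password: halfway through the keyspace."""
    return keyspace / 2 / rate


def human(seconds):
    """Round a duration to the largest sensible unit, e.g. '2.1 days'."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def crack_table(rate=GUESSES_PER_SEC):
    """The lesson's comparison recomputed: label -> (bits, expected seconds)."""
    rows = {
        "any password in the wordlist (P@ssw0rd1!, Tr0ub4dor&3)": keyspace_wordlist(),
        "4 random Diceware words (28 chars)": keyspace_passphrase(4),
        "6 random Diceware words": keyspace_passphrase(6),
        "16 random printable chars (manager-generated)": keyspace_random_chars(16),
    }
    return {label: (bits(ks), expected_seconds(ks, rate)) for label, ks in rows.items()}


if __name__ == "__main__":
    for label, (b, s) in crack_table().items():
        print(f"{label:<58} {b:6.1f} bits  {human(s)}")
```

Run as written, the wordlist row falls in a fraction of a second, four random words last about two days against a fast hash, six random words hundreds of thousands of years, and a 16-character generated password far longer than the age of the universe. The honest takeaway for students is that randomness is what the attacker cannot shortcut, and length (more words, more characters) is how a human gets enough of it without memorising gibberish.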

2. Reuse is the multiplier

Draw this on the board:

One breached site × reused password = every site you share the password with is breached.

Walk through a real public example (HaveIBeenPwned data without naming victims): a low-importance forum gets breached. Email + password leak. Attackers run that pair, automatically, against thousands of high-value sites: email providers, banks, school portals. This is credential stuffing. Nothing is cracked and no flaw in the target site is needed; the attacker simply replays a pair that already works, which is why it accounts for a large share of account takeover and why it only works when the pair is reused.

Say: “Your weakest site’s password becomes the password for every site that shares it. So either every site has to be as strong as your bank - or you don’t reuse. The second one is much easier.”
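A practical follow-on to this point (and to the checklist item about checking HaveIBeenPwned) is showing how a password can be checked against a breach corpus without ever sending the password. The Pwned Passwords service does this with k-anonymity: the client sends only the first five hex characters of the password’s SHA-1 and matches the rest locally. This is an added example, not code from the lesson pack or from HaveIBeenPwned; the tiny breach corpus and its counts are constructed so the example runs offline, and the live fetch function is included for reference but never called.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. Only live_fetch_range uses it,
# and nothing below calls that function; the example runs entirely offline.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split the hex digest into the 5-character prefix
    that is sent to the service and the 35-character suffix that never leaves
    the device. Many hashes share a prefix, so the service cannot tell which
    one the caller cares about; that is the k-anonymity property."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response: one 'SUFFIX:COUNT' per line, where COUNT is how
    many times that password was seen in breaches."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times `password` appears in the corpus behind `fetch_range`
    (0 = never seen). `fetch_range(prefix)` returns the raw response body."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix):
    """Fetch a real range from the service. Not invoked in this example."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed, offline stand-in for the service: a handful of passwords with
# made-up counts. The famous XKCD phrase is included because it really does
# appear in cracking wordlists; the real corpus holds hundreds of millions.
FAKE_CORPUS = {
    "P@ssw0rd1!": 1234,
    "Skylar2008!": 7,
    "password": 9_000_000,
    "correct-horse-battery-staple": 50,
}
FAKE_INDEX = {}
for _pw, _n in FAKE_CORPUS.items():
    _prefix, _suffix = split_hash(_pw)
    FAKE_INDEX.setdefault(_prefix, []).append(f"{_suffix}:{_n}")


def fake_fetch_range(prefix):
    """Answer a range query from FAKE_INDEX in the service's line format."""
    return "\r\n".join(FAKE_INDEX.get(prefix.upper(), []))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "correct-horse-battery-staple", "kettle-orbit-walnut-plaid"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} times; "
              f"only prefix {split_hash(pw)[0]} left the device")
```

To use it against the real service, pass live_fetch_range instead of fake_fetch_range; the Add-Padding header asks the service to pad responses so response size does not leak which prefix was queried. The point for the classroom is that a count above zero means the password is already in attackers’ lists and should be retired regardless of how strong it looks.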

3. MFA breaks credential-only attacks

Rank MFA options from strongest to weakest:

| Strength | Method | Why |
| --------- | ---------------------------------------- | ----------------------------------------------------------- |
| Strongest | Passkey or hardware security key (FIDO2) | Phishing-resistant. The private key never leaves the device and the sign-in is bound to the real site’s address, so a look-alike site gets nothing it can replay. |
| Strong | Authenticator app (TOTP) | The secret lives on your device and needs no network. Still phishable: a fake login page can relay the code within its 30-second window. |
| OK | Push notification | Convenient. Vulnerable to MFA fatigue (prompts repeated until one is approved) and approve-by-mistake; number matching reduces both. |
| Weak | SMS code | Vulnerable to SIM swap and other phone-number takeover at the carrier. Better than nothing. |
| Weakest | Email-only “MFA” | If email is compromised, this is no factor at all. |

Say: “If you set MFA on one thing this week, set it on the email account that all your password resets go to. Email is the master key. Protect it like a master key.”

4. Password managers - recommended and allowed

Address the objection head-on. Students will say:

  • “It’s a single point of failure.” - Yes, but a strong primary plus MFA on the manager is far less risky than 60 weak passwords the student has to remember (and will therefore reuse). Risk is reduced, not eliminated.
  • “What if I lose my phone?” - Recovery codes. Print them. Store them somewhere physical and safe.
  • “They’re expensive.” - Bitwarden has a free tier that is sufficient. The school may already license one.

Safety: Do not have students install a password manager during class without your IT department’s blessing. Recommend it as homework with parental awareness.


18–40 min · Activity - audit Skylar’s account profile (22 minutes)

Hand out the Skylar profile (below). Pair students up. They identify weak practices and write specific fixes on the Account Security Checklist worksheet.

Skylar’s account profile (fictional - for classroom use only)

Skylar Reyes, 16, junior. The accounts and habits below are fictional and used only for this exercise.

  • School portal: password is Skylar2008!. No MFA available.
  • Personal email (Gmail): password is Skylar2008!. No MFA enabled.
  • Bank app (parent co-owned): password is Reyes2008. SMS MFA on a phone Skylar shares with a younger sibling.
  • Gaming account (Steam): password is Skylar2008!. Email MFA only - codes go to the personal Gmail above.
  • Streaming service: password is letmeintv - shared with three friends in a group chat last summer.
  • Recovery email for Gmail is skylarmom@yahoo.com - the account hasn’t been used in 4 years and the password is forgotten.
  • Browser on the family laptop saves all passwords. Anyone who unlocks the laptop can see them all.
  • Phone lock: 4-digit PIN, 2008.

Students must:

  1. Identify at least 5 weak practices.
  2. Recommend a specific fix for each.
  3. Pick the single highest-priority fix Skylar should do tonight, with reasoning.

A complete worked answer is in the Answer Key PDF.


40–50 min · Discussion - whole-class fix list and gray areas

Pull fixes from the room. Build a master list on the board. Then push on these gray-area questions every cohort raises:

  • “Is writing passwords down on paper bad?” Better than reusing. A page in a locked drawer at home can only be read by someone in the house; a reused password is readable by everyone who downloads a breach dump. Ideal is still a password manager.
  • “What if my parents won’t let me install a password manager?” Then the negotiable wins are: long unique passwords for email and banking, MFA on email, and stop sharing the streaming password.
  • “Is biometric MFA stronger than an authenticator app?” It’s convenient but the categories are different. A passkey unlocked by biometrics is excellent. Biometrics alone are only as strong as their fallback: a phone with a weak PIN can be unlocked by anyone who knows or shoulder-surfs the PIN.

50–58 min · Personal action - three settings to change this week

Each student writes on their checklist:

  1. The email account that controls password resets, and the specific MFA method they will turn on for it.
  2. One reused password they will retire and replace with a unique long passphrase or generated password.
  3. One account they will sign out of on a shared device.

These are concrete, named, and time-boxed. That is the point.


58–60 min · Exit ticket

In one sentence, finish this: “By next class, I will…”

Collect on the way out. Acceptable answers name a specific change.


Differentiation and supports

  • Below grade level / EL: Provide a worked example (the answer for Skylar’s school portal) on the worksheet. Allow drawn icons next to fixes (lock = MFA, key = password manager).
  • Above grade level: Extension - research one MFA bypass technique that has appeared in the news (SIM swap, MFA fatigue, adversary-in-the-middle phish kits) and present a 90-second summary next class.
  • IEP/504 - extended time: Reduce Skylar’s profile to the first 5 bullets and let the rest be homework.

Common student misconceptions

  • “Complexity is what makes a password strong.” → Length is the lever; complexity helps only at small lengths.
  • “Numbers and symbols make a short password safe.” → Crackers know all the patterns. P@ssw0rd1! is in every wordlist.
  • “MFA on my bank is enough.” → Email is the master key. MFA on email first.
  • “If a site got breached they’d tell me.” → Often the only way you find out is when your account gets hijacked. Use HaveIBeenPwned.

Career connection

  • Identity & Access Management (IAM) engineer - $90K–$140K. Designs and runs the systems that decide who can log in to what.
  • SOC analyst - $55K–$80K. Watches for credential-related alerts (impossible-travel logins, credential-stuffing patterns).
  • Incident responder - $80K–$130K. Most engagements start with “a credential was stolen.”

Extension (homework)

“Account Security Checklist for My Family” - a one-pager students take home. Must name the three settings that should change on the family’s primary email and the parent’s most-used financial account, and explain why in plain language. Due next class. Counts toward the unit grade.


Account Security Checklist (handout - print and use)

  • [ ] My personal email has MFA enabled (authenticator app or passkey, not just SMS).
  • [ ] My recovery email is one I can actually access.
  • [ ] My bank, school portal, and email passwords are all different.
  • [ ] My most-important password is at least 16 characters.
  • [ ] I am signed out of accounts on shared devices.
  • [ ] My phone lock is at least 6 digits, or biometric with a strong fallback PIN.
  • [ ] I have checked HaveIBeenPwned for my email address.
  • [ ] I have a plan for what to do if my email account gets locked or hijacked.

Assessment

  • Formative: Skylar audit (5+ weak practices identified, fixes are specific not vague).
  • Summative: Exit ticket - does it name a concrete action by next class?
  • Long-term: The Family Checklist homework. This is the artifact that shows whether the lesson made it home.

Ready to use this in class?

Unlock the full Starter edition.

All teacher guides, worksheets, scenarios, quizzes, answer keys, and the in-browser presenter for every module in the track. Site-license pricing for schools and districts. Free review copies for verified educators.