Thursday, October 8, 2009

Programming Project Idea

Here's a random class programming project idea. Everyone submits their name and a newly made-up password (not one that they use for anything else). Then everyone writes a program to guess passwords, lets it run for an hour against the list, and sees how many matches it can make. Suggest a few strategies like a "brute force attack", a "dictionary attack" (providing a dictionary text file), guessing that some people use no numbers or caps (or all numbers), etc. Afterwards, analyze both the successful attacks and the more secure passwords.

This would be more advanced than anything I've done in my classes, even though some of the programs could be relatively short. Interesting both for basic programming skill and insights on password security. Maybe seed the list with some instructor-made weak passwords as a baseline target.
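As an added example (not code from the original post), here is one way the class list could be scored against the dictionary and brute-force strategies, including the count of guesses each brute-force alphabet costs and which passwords survive. The names, passwords, word list and function names are all constructed for illustration.

```python
import itertools
import string

# Constructed sample data: made-up names, throwaway passwords, tiny word list.
CLASS_LIST = {"alice": "dragon", "bob": "abc", "carol": "Zqx", "dave": "T4k!9wLm"}
WORD_LIST = ["password", "dragon", "letmein", "monkey"]


def index_by_password(targets):
    """Map each password to the names using it (two people may pick the same one)."""
    index = {}
    for name, password in targets.items():
        index.setdefault(password, []).append(name)
    return index


def dictionary_attack(targets, words):
    """Try each word from a word list once."""
    index = index_by_password(targets)
    return {name: word for word in words for name in index.get(word, [])}


def brute_force(targets, alphabet, max_len):
    """Try every string over `alphabet` up to max_len characters; also count guesses."""
    index = index_by_password(targets)
    found, guesses = {}, 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            guess = "".join(combo)
            for name in index.get(guess, []):
                found[name] = guess
    return found, guesses


def search_space(alphabet_size, max_len):
    """Number of candidate strings of length 1..max_len: what brute force must cover."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def score(targets, words, max_len=3):
    """Run each strategy and report who was caught by what, and who survived."""
    results = {
        "dictionary": dictionary_attack(targets, words),
        "lowercase": brute_force(targets, string.ascii_lowercase, max_len)[0],
        "mixed case": brute_force(targets, string.ascii_letters, max_len)[0],
    }
    caught = set().union(*results.values())
    results["survived"] = sorted(set(targets) - caught)
    return results
```

Comparing `search_space(26, 3)` with `search_space(52, 3)`, and then with longer lengths or a larger alphabet, gives the class a concrete number for why the surviving passwords were out of reach in an hour.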


  1. Not bad. It would be something they could relate to (which is hard to do with a project small enough for class), and provide some insight as to what makes a bad password.

    I want to mention a class project idea as well: provide students with raw data that could support 2 sides of an argument. Assign different sides of the argument to 2 groups of students, each of which forms the most convincing argument they can to argue their side based on the data.

    Example: the argument could be which is safer, traveling by car or by plane; the data could be fatalities per mile traveled by plane, fatalities per mile traveled by car, fatalities per flight, fatalities per car ride, etc. Group A argues for car travel; group B argues for plane travel.

    I don't know what class it would fit in -- the arithmetic should be trivial, so perhaps it's more for "critical thinking" class if a school has such a thing.

  2. That's cool, too -- sounds kind of like the classic "debate team" situation.

    With my idea, I also think I'd want to be a bit specific about the assignment, to make it more reasonable to assess. For example, in week (1), assign the specifics of the "dictionary attack" to everyone (which is just file I/O and a single loop). In week (2) assign the specifics of the "brute force" attack (some kind of multiple looping), perhaps with an "A" grade for catching both upper & lower case, "B" grade for just one case. Analyze how many passwords were caught by each thereafter.

    Either provide a test suite (method call API) with some example passwords for student testing purposes, or if you're really fancy, actually use a web URL API and set up a mock "server" to run it against.