Subject Area: Digital Citizenship / Cybersecurity
Target Audience: Secondary or University / Adult non-specialists
Objectives
- Explain credential stuffing and the risks of password reuse/variation.
- Describe MFA and its protections as well as key vulnerabilities (adversary-in-the-middle, push fatigue, session theft, fallback methods).
- Assess and improve personal password and authentication practices.
- Reflect on personal risk and share experiences with peers.
Materials
- The Guardian article “Password1: how scammers exploit variations of your logins”
- Astra, MFA bypass risks.
- Forbes, “How Hackers Bypass MFA, And What You Can Do About It”
Activities & Structure
Reading & Concept Introduction
- Read, or have students read, the Guardian article carefully.
- Define key terms together: credential stuffing, password reuse, password variation, multi-factor authentication, attack vectors, session hijacking, etc.
Group Discussion / Sharing
- In small groups, students discuss prompts such as:
  - Have you ever wondered whether your accounts could have been compromised because of password reuse or a known breach?
  - Do you know which of your accounts have MFA enabled, and what kind of MFA?
  - What are the weak points in your practices or systems you use (personal, school, etc.)?
- Groups propose measures to improve safety (for individuals and organisations).
Reflection Activity
- Individually, students reflect on a set of prompts:
  - How secure do you feel your own online accounts are, given what you now understand?
  - Identify one concrete change you will make to your password or authentication practice.
  - Optional: consider whether you think you have been targeted (e.g. noticed unusual login requests or reset notifications) or might be.
- Opportunity to share reflections with peers voluntarily.
Consolidation / Best Practices
- Collect group suggestions and reflections, and synthesise best practices: strong, unique passwords; using password generators or managers; enabling strong MFA; awareness of phishing and social engineering; using phishing-resistant methods; monitoring account alerts; etc.
Reflection & Discussion Prompts
- Have you been, or do you believe you may have been, part of a data breach, or had some credentials leaked or reused? What signs or alerts have you noticed, if any?
- Which kind of MFA do you personally use (SMS, app, hardware/authenticator key, etc.) and how confident are you in its security?
- Which organisations you are part of (school, work) could improve their policy or infrastructure around passwords and MFA?