Hands-on exercises

Practical activities that make security concepts tangible through doing rather than hearing.

Exercise: Password cracking demonstration (20 minutes)

Materials: Laptop, password cracking tool (Hashcat or John the Ripper), list of common passwords

Activity:

  • Show hash of weak password

  • Run cracking tool live

  • Time how fast common passwords crack

  • Compare weak vs. strong password times

Impact: Seeing “password123” crack in 2 seconds while a random 16-character password is still running after 10 minutes makes strength concrete.

Follow-up: Show password manager generating strong passwords, demonstrate autofill convenience.

Materials: Examples of phishing links (don’t click!), smartphone and computer

Activities:

  1. Hover over links to reveal true destination

  2. Examine URL structure for red flags

  3. Practice using URL checking services

  4. Compare legitimate vs. phishing URLs side-by-side

Examples:

  • microsoft-login.com (not microsoft.com)

  • yourbank.customer-verify.net

  • bit.ly/a3s2f (shortened URL hiding destination)

Tools shown: URL expanders, VirusTotal, URLScan.io
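
The red-flag checks from the activity above, written as a small script participants can run on the example URLs. This is an added example, not part of the original exercise; the TRUSTED and SHORTENERS tables (including yourbank.com) are constructed, the last-two-labels domain rule is a simplification, and the userinfo and punycode checks go beyond the three examples listed.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not from the exercise):
TRUSTED = {"microsoft": "microsoft.com", "yourbank": "yourbank.com"}  # brand -> real domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def registrable_domain(host):
    """Naive rule: keep the last two labels. Real tooling should use the
    Public Suffix List so that names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def red_flags(url):
    """Return the red flags found in a URL; an empty list means none found."""
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host after a scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    flags = []
    if parts.username is not None:
        flags.append("text before '@' is not the destination host")
    if domain in SHORTENERS:
        flags.append("shortened URL hides destination")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode label (possible lookalike characters)")
    for brand, real in TRUSTED.items():
        # Brand name appears somewhere in the host, but the domain that
        # actually receives the request belongs to someone else.
        if brand in host and domain != real:
            flags.append(f"mentions '{brand}' but domain is {domain}, not {real}")
    return flags


if __name__ == "__main__":
    for example in ("microsoft-login.com",
                    "yourbank.customer-verify.net",
                    "bit.ly/a3s2f",
                    "https://login.microsoft.com/"):
        print(example, "->", red_flags(example) or "no red flags found")
```

An empty result only means none of these checks fired; it does not mean the link is safe.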

Exercise: Multi-factor authentication setup race (20 minutes)

Materials: Smartphones, computers, authenticator app (Authy, Google Authenticator)

Activity:

  • Teams race to properly set up MFA on test account

  • Must configure backup codes

  • Test login with MFA

  • Fastest correct setup wins

Learning: MFA isn’t complicated. Hands-on experience removes fear/resistance. Backup codes prevent lockout.

Exercise: Incident reporting practice (25 minutes)

Materials: Realistic incident scenarios on cards, incident reporting system/form

Scenarios:

  • Received suspicious email

  • Lost laptop containing work data

  • Clicked link in phishing email

  • Found unknown USB device

  • Overheard colleague sharing passwords

  • Noticed unusual network activity

Activity:

  • Each person gets scenario

  • Must report through actual system

  • Receives confirmation response

  • Discusses what information helped investigation

Learning: Reporting is safe and easy. Know what information to include. Speed matters.

Exercise: Clean desk challenge (15 minutes)

Materials: Staged desk with security issues, camera

Activity:

  • Participants examine desk photo

  • List everything that violates security

  • Score: 1 point per correct identification

  • Highest score wins

Desk contains:

  • Sticky notes with passwords

  • Unlocked computer

  • Sensitive documents visible

  • Visitor badge left out

  • USB drives unlabeled

  • Personal devices connected to work network

Follow-up: What does a good clean desk look like? Show an example.

Exercise: Secure communication practice (20 minutes)

Materials: Test accounts for encrypted email/chat, smartphones

Activity:

  • Pair up

  • Send encrypted message

  • Verify encryption indicators

  • Discuss when encryption matters

Tools: Signal, ProtonMail, or encrypted corporate chat

Learning: Encryption doesn’t have to be hard. Know when it’s necessary.