Imagine walking up to the door of a school computer room. Before you can use anything, two
different questions have to be answered. First: who are you? Second: what
are you allowed to do once we know that? These are two of the biggest ideas in
Getting the first one right stops strangers pretending to be you. Getting the second right stops you — or an intruder using your account — from doing damage you were never meant to.
Every way of proving who you are falls into one of three groups, called authentication factors. A memory hook: something you know, something you have, and something you are.
A single factor on its own can fail. So the strong approach is to demand two different factors at once — this is two-factor authentication, or 2FA (sometimes called multi-factor authentication). The key word is different: two passwords is still only one factor, but a password plus a code from your phone is two.
The everyday example is a cash machine. To take money out you need your bank card (something you have) and your PIN (something you know). A pickpocket with just the card is stuck; a shoulder-surfer who saw your PIN but has no card is stuck too. They'd need both, which is far harder to pull off.
If your account is protected by a password and nothing else, then that one secret is a single point of failure: the moment it leaks — through a data breach, a phishing email, or malware — whoever has it is you, as far as the system can tell. There's nothing left to stop them.
2FA fixes exactly this. A stolen password is no longer enough on its own, because the attacker still can't produce the code on your phone or your fingerprint. And it's why reusing one password everywhere is so dangerous: when one website is breached, attackers try that same email-and-password pair on your email, your bank and your school account (this is called credential stuffing). One leak then unlocks everything. Use a long, unique password for each account — a password manager makes this painless — and turn on 2FA wherever it's offered.
Attackers who steal a list of scrambled passwords often try to crack them by
guessing every possible combination — a brute-force attack. The number of
combinations depends on how many symbols you allow and how long the password is. If there are
That exponent is the whole story: every extra character multiplies the effort to crack it. As the length grows, the crack time explodes, even at a billion guesses per second.
A short password falls in seconds; adding just a few characters pushes the crack time past a human lifetime. That's why security advice keeps saying: make it long.
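The brute-force arithmetic described above, as an added example (not the page's original interactive program). It uses the standard count of symbols raised to the power of the length and the page's billion guesses per second; the 80-year lifetime, the character-class alphabet sizes and the sample passwords are assumptions constructed for illustration.

```python
import string

GUESSES_PER_SECOND = 1_000_000_000   # the page's "a billion guesses per second"
LIFETIME_YEARS = 80                  # assumption: round figure for a human lifetime
SECONDS_PER_YEAR = 365 * 24 * 3600

def alphabet_size(password):
    """Count the symbols an attacker must try per position, judged by
    which character classes the password actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))

def worst_case_seconds(symbols, length, rate=GUESSES_PER_SECOND):
    """Seconds to try every combination: symbols ** length guesses."""
    return symbols ** length / rate

def min_length_to_outlast(symbols, years=LIFETIME_YEARS, rate=GUESSES_PER_SECOND):
    """Shortest length whose full search takes longer than `years`."""
    target = years * SECONDS_PER_YEAR * rate   # guesses possible in that time
    length = 1
    while symbols ** length <= target:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    # Constructed sample passwords: same idea, growing length and symbol set.
    for pw in ("tiger", "tiger2024", "Tiger-2024-Moon"):
        n = alphabet_size(pw)
        secs = worst_case_seconds(n, len(pw))
        print(f"{pw!r}: {n} symbols, length {len(pw)} -> {human(secs)}")
    for n in (26, 62, 94):
        print(f"{n} symbols: length {min_length_to_outlast(n)} "
              f"outlasts {LIFETIME_YEARS} years of guessing")
```

These figures are a ceiling that only holds for randomly chosen passwords; one built from a common word or pattern is found by guess lists long before the full search finishes.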
Authentication got you through the door. Access control now decides what you can touch inside. The most common tool is file permissions: for each file, the system records who may read it (open and view) and who may write to it (change or delete it).
Permissions are usually tied to the type of account you have. An ordinary user account can work with its own files but can't change how the whole computer is set up. An administrator (admin) account can install software, create accounts and edit system files — powerful, and therefore dangerous if it falls into the wrong hands.
Notice the pattern in the table: the student can only touch their own work, the teacher can mark everyone's, and only the admin can change the settings that keep the whole system running.
A golden rule of access control is the principle of least privilege: give every account only the permissions it genuinely needs to do its job — and no more.
Why? Because every extra permission is an extra thing that can go wrong. If an attacker breaks into an ordinary user account, they can only reach that user's files. But if they break into an admin account, they own the whole machine. Running day to day as a limited user — and only becoming admin for the brief moment you actually need to — keeps the blast radius of any mistake or attack as small as possible. It's the same reason a shop doesn't give every employee a key to the safe.
That pop-up is least privilege in action. Even on your own machine you normally run as a limited user, so a rogue program you accidentally downloaded can't quietly install itself or change system files. When something genuinely needs admin power, the system stops and asks you to confirm — turning a silent action into a deliberate one you have to approve.