CS50 Cybersecurity - Lecture 0 - Securing Accounts with David Malan

Cybersecurity is currently a hot topic - it feels pretty everywhere - especially with the M and S attack it led me to thinking I do not know enough, how can I learn more. So I turned to see what CS50 had to offer by way of Cybersecurity. Sure enough David Malan has some content so off we go…

In lecture 0, David Malan—computer science professor from Harvard’s CS50 course—walks through core concepts of cybersecurity.

Key Topics Covered

1. Passwords

David dicusses ‘Dictionary attacks’ - this idea literally guesses passwords from a dictionary of words. brute force attacks.

David discusses 4 digit passcodes - and states there are 10^4 possible combinations and how simple python code can geenrate these combinations in fractions of a second. He then poses the question: if your password is 8 characters long, and each character could be any of 94 possible characters (letters, digits, symbols), then:

There are 94⁸ possible combinations.

That’s: 94^8 = 6,095,689,385,410,816 combinations

Malan uses this to illustrate:

• The mathematics of brute force resistance
• How just a few more characters dramatically increase security
• Why using a wider character set (e.g., including symbols) helps

I found this concept really tangible, it was a numerical demonstration of how secure—or insecure—a password really is.

2. Credentials stuffing

Malan described how hackers can buy already hacked credentials online and then ‘stuff’ them into all other accounts you own. So it isn’t good practice to re use passwords.

3. Social Engineering and Phishing

He emphasizes that humans are often the weakest link in security. He explains phishing through simple examples, showing how easily people can be tricked into revealing credentials. This highlights the importance of user education alongside technical defenses.

3. Multi-Factor Authentication (MFA)

Modern cybersecurity often revolves around multi-factor authentication (MFA) — the idea is to combine at least two of the following:

Knowledge — something you know (e.g. password, PIN)

Possession — something you have (e.g. phone, YubiKey)

Inherence — something you are (e.g. fingerprint, face ID)

The more factors you use, the harder it becomes for an adversary to breach your account — this is what he means by “raising the bar to adversaries.”

4. Machine-in-the-middle attacks

4. Best Practices and Final Takeaways

Malan wraps up with actionable advice:

• Use long, random, and unique passwords.
• Use a password manager.
• Enable MFA.
• Be skeptical of unexpected messages or links.

Why This Lecture Matters

Whether you’re new to cybersecurity or need a refresher, Malan’s talk is a superb primer. The 94^8 section alone makes it worth watching—it transforms password entropy from an abstract idea into something intuitive and memorable.

It’s a reminder that cybersecurity isn’t just a technical challenge—it’s also psychological, educational, and behavioral.

Keylogging: Malware records your keystrokes to capture passwords.

SIM swapping: Attackers socially engineer mobile providers to port your number to their SIM, intercepting SMS-based 2FA codes.

Social engineering & phishing: Trick users into revealing credentials or clicking malicious links.

Man-in-the-middle (MitM): Intercepts communication between you and a site, often over unsecured networks.

📵 Why Voice Biometrics Are Weak Troy advises against voice recognition as a secure method of authentication. Why?

Replay attacks: Recorded voice can be reused.

Deepfakes: AI can now convincingly synthesize voice from samples.

Environmental variables: Background noise and microphone quality affect accuracy.

Voice ≠ secret. It’s public and easy to steal.

🏛️ NIST Guidance The National Institute of Standards and Technology (NIST) is highly respected in cybersecurity circles. Their Digital Identity Guidelines (SP 800-63 series) recommend:

Dropping outdated password rules (like mandatory character types or periodic changes).

---