
When I started thinking about how to teach hashing, salting, and what actually happens when a site stores your password, I kept running into the same wall. The concepts make sense once you see them, but just explaining them doesn’t really work. You can define a hash function ten different ways and it still feels disconnected from anything real. So when I started looking at project-based learning and design thinking as instructional approaches, both of them stood out immediately because they fix exactly that problem.
What is project-based learning?
Project-based learning (PBL) is built around one core idea: learners produce something real, not just answer a test. According to PBLWorks (the Buck Institute for Education), PBL is a teaching method where students gain knowledge and skills by working over an extended period to investigate and respond to an authentic, complex question or problem. The learning happens through the process of building something, not just absorbing content and repeating it back.
For password security, this maps really naturally. Imagine asking learners to do a short “security audit” of a fictional company’s login system. They have to figure out whether that company is storing passwords safely, identify what’s broken, and explain what should change. To do that well, they genuinely need to understand what hashing and salting do. The project gives them a reason to care about the answer.
In technology-mediated environments, PBL works especially well because the tools are already there: shared docs, browser-based coding environments, publicly available breach datasets. But the design has to be intentional. If the project is too open-ended with no scaffolding, learners spend their energy figuring out what they’re even supposed to do, rather than learning the concept. Structure matters a lot here.

What is design thinking?
Design thinking is a problem-solving framework built around five stages: empathize, define, ideate, prototype, and test. It’s less about reaching a single correct answer and more about understanding a problem deeply before trying to solve it. According to IDEO’s Design Thinking for Educators toolkit (2012), design thinking is human-centered, collaborative, and experimental; it treats learning itself as a design process.
For our topic, the empathize stage is where things get interesting. Instead of starting with SHA-256, you start by asking: who is actually affected when passwords are stored badly? What does a real person experience when their account gets compromised in a breach? That reframe turns security from a technical exercise into a human problem — which is a much stronger entry point, especially for a non-technical audience, which is exactly who our resource is designed for.
In an online environment, design thinking also fits naturally because it’s iterative by design. Learners prototype an idea, test it, get feedback, revise. That cycle works well with tools like shared whiteboards or simple interactive mockups, no physical classroom needed.
Do these belong in our Interactive Learning Resource?
Yes, and honestly, we’re already using both without labeling them. The “Crack the Hash Challenge,” where learners use CrackStation to test weak hashed passwords and see them crack in real time, is essentially a mini PBL activity. Here’s a real tool, here’s a real scenario, figure out what’s vulnerable and why. That’s the core of project-based learning in practice.
Design thinking shows up in how we framed the whole resource, starting with “what actually happens to your password when you log in?” before jumping into any cryptography. That’s the empathize stage: getting learners to feel the stakes of the problem before we explain the solution.
Neither approach works perfectly alone here. PBL needs some baseline knowledge first — you can’t audit a system you don’t understand at all. And design thinking can get too abstract if it never grounds out in actual technical concepts. But together, and alongside what Trevor wrote about direct instruction providing that initial foundation, they give learners a complete arc: understand it, care about it, then actually do something with it.
Also check out Sneh’s post on open pedagogies. The idea of learners producing work that lives beyond the course connects really well with the public-facing side of a project-based approach.
References
Ertmer, P. A., & Newby, T. J. (2013). Behaviorism, cognitivism, constructivism: Comparing critical features from an instructional design perspective. Performance Improvement Quarterly, 26(2), 43–71. https://doi.org/10.1002/piq.21143
IDEO. (2012). Design thinking for educators (2nd ed.). https://designthinking.ideo.com/resources/design-thinking-for-educators
PBLWorks / Buck Institute for Education. (n.d.). What is PBL? https://www.pblworks.org/what-is-pbl