AP Cybersecurity Unit 1 Lesson 2 Exercise 1

AP Cybersecurity — Unit 1, Topic 1.2

Exercise 1: Password Autopsy

Examine real-world password patterns, analyze an authentication log for attack indicators, and recommend security improvements — the three core skills tested on the AP exam for this topic.

Exercise 1 of 2 Skills 1.A, 2.A ~30–40 min 3 Parts • 24 pts
Progress: 0 / 3 Parts Complete 0 / 24 pts

Dissect the Password

Below are 4 passwords recovered from a simulated data breach. For each one, identify the weakness, the attack that would crack it, and how long it would likely take.

Password Specimen A

Fluffy2019!
Owner: High school teacher. Context: School email account. Public Facebook profile shows a cat named Fluffy adopted in 2019.

Password Specimen B

P@ssw0rd123
Owner: Office employee. Context: Corporate VPN login. Company requires "at least 1 uppercase, 1 number, 1 special character."

Password Specimen C

qwerty
Owner: College student. Context: Free streaming service account. Also uses this password for email and banking.

Password Specimen D

correct-horse-battery-staple
Owner: IT administrator. Context: Server root access. This is the only account without MFA enabled. Password has not been changed in 3 years.

Read the Authentication Log

Your organization’s SIEM system flagged the following authentication log. Analyze it for indicators of a password attack.

# Timestamp User Source IP Result
1 2026-03-04 08:15:22 jsmith 10.0.1.45 Success
2 2026-03-04 08:32:10 kpatel 10.0.1.62 Success
3 2026-03-04 02:41:03 admin 185.220.101.33 Fail
4 2026-03-04 02:41:18 admin 185.220.101.33 Fail
5 2026-03-04 02:41:29 admin 185.220.101.33 Fail
6 2026-03-04 02:41:44 admin 185.220.101.33 Fail
7 2026-03-04 02:41:57 admin 185.220.101.33 Fail
8 2026-03-04 02:42:11 admin 185.220.101.33 Fail
9 2026-03-04 02:42:30 admin 185.220.101.33 Success
10 2026-03-04 09:05:44 mgarcia 10.0.1.78 Success

Recommend Improvements

Based on what you learned in the lesson about making authentication stronger (1.2.C), recommend fixes for each scenario.

Scenario 1: Small Business

A dental office has 8 employees. All use the same shared password (DentalOffice2024) to access the patient records system. There is no MFA. The password is written on a sticky note attached to the front desk monitor.

Scenario 2: Student Account

A student uses BaseballFan99 for their school Google account, their Instagram, their bank, and their gaming accounts. They recently saw a notification that their email appeared in a data breach.

Scenario 3: Corporate Policy

A company requires passwords to be exactly 8 characters, changed every 30 days, with at least 1 uppercase, 1 number, and 1 special character. Employees complain they can never remember passwords and keep getting locked out.

Exercise Complete

0 / 24

AP Exam Tip: The exam frequently presents authentication log tables and asks you to identify attack indicators. Memorize the three signs: (1) many failed attempts in a short window, (2) login attempts at unusual times, (3) login attempts from unknown devices or external IPs. When a question mentions “the user recently switched banks” or “changed password patterns,” think dictionary attack with personal info. A question about a pre-built wordlist points to a dictionary attack; credentials leaked from another site points to credential stuffing.
AP Cybersecurity · Unit 1 · Lesson 1.2 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]