1.2 Lab: Password Attack Simulation | AP Cybersecurity Unit 1


AP Cybersecurity — Unit 1, Topic 1.2

Lab: Password Attack Simulation

You are a cybersecurity analyst at SecureBank Corp. The CISO has handed you three analysis stations after a suspected authentication breach. Complete each station using the skills and concepts from Lesson 1.2.

Lab • Skills 1.A, 1.B, 2.A • ~45 min • 3 Stations • 30 pts

Breach Containment: Classify the Damage

The DBA has exported 5 rows from the users table. Each row uses a different password storage implementation. For each entry, classify the storage method and identify the most effective attack an attacker who has this data would use.

Context: The database was exfiltrated by an attacker. You do not know what hardware the attacker has, but you should assume modern GPU-based cracking capability (~10 billion MD5 hashes/sec, ~300 bcrypt hashes/sec at cost 12). Your job is to classify each entry so the incident response team knows which accounts are at the highest risk of immediate compromise.
| # | Stored Value | Storage Method | Best Attack Strategy |
|---|---|---|---|
| 1 | hunter2 | | |
| 2 | 5f4dcc3b5aa765d61d8327deb882cf99 | | |
| 3 | jsmith:8d969eef6ecad3c29a3a629280e686cf | | |
| 4 | b3f0:a8e2d4f17c9b3e1a24f6c0d5e2b7f9a4 (random_salt:MD5(salt+password)) | | |
| 5 | $2a$12$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy | | |

Incident Response: Read the Attack Log

The SIEM has flagged unusual authentication activity. Below is a 16-line excerpt from the auth log. Three distinct attack patterns are embedded. Read carefully before answering the questions.

[SecureBank Auth Log — 2026-03-09 02:38:00 to 02:44:00 UTC]

```
02:38:01 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#1 reason=wrong_password
02:38:04 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#2 reason=wrong_password
02:38:07 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#3 reason=wrong_password
02:38:12 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#4 reason=wrong_password
02:38:16 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#5 reason=wrong_password
02:38:19 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#6 reason=wrong_password
02:38:23 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#7 reason=wrong_password
02:38:26 AUTH_FAIL user=ellen.park@securebank.com ip=185.220.101.47 pw_attempt=#8 reason=wrong_password
02:38:29 LOCKOUT user=ellen.park@securebank.com ip=185.220.101.47 after=8_attempts
02:40:01 AUTH_FAIL user=alice.chen@securebank.com ip=45.33.32.156 pw_attempt=#1 password=Summer2026!
02:40:02 AUTH_FAIL user=bob.martinez@securebank.com ip=45.33.32.156 pw_attempt=#1 password=Summer2026!
02:40:03 AUTH_FAIL user=carol.jones@securebank.com ip=45.33.32.156 pw_attempt=#1 password=Summer2026!
02:40:04 AUTH_OK user=david.kim@securebank.com ip=45.33.32.156 pw_attempt=#1 password=Summer2026!
02:40:05 AUTH_FAIL user=emma.wilson@securebank.com ip=45.33.32.156 pw_attempt=#1 password=Summer2026!
02:42:17 AUTH_OK user=frank.liu@securebank.com ip=203.0.113.88 pw_attempt=#1 reason=valid_credential
02:44:03 AUTH_OK user=grace.taylor@securebank.com ip=198.51.100.42 pw_attempt=#1 reason=valid_credential
```

Question 1 (2 pts): Lines 1–9 show which attack type targeting ellen.park?

  • A. Credential stuffing — the attacker has a confirmed valid credential for ellen.park from a prior breach
  • B. Online brute force — the attacker is making repeated failed attempts against a single account from one IP, triggering lockout after 8 attempts
  • C. Password spraying — the attacker is using one common password across multiple accounts to avoid lockout
  • D. Rainbow table attack — the attacker is attempting to match ellen.park’s hash to a precomputed table

Question 2 (2 pts): Lines 10–15 show which attack type?

  • A. Online brute force — the attacker is testing many passwords against each account from the same IP
  • B. Credential stuffing — the attacker has breach data with working passwords for each account
  • C. Password spraying — the same password “Summer2026!” is tested once per account from one IP, and line 13 shows it succeeded against david.kim
  • D. Dictionary attack — the attacker is trying a pre-defined wordlist of common passwords against one account

Question 3 (3 pts): Lines 15–16 are flagged by the SIEM as suspicious. What attack type do they suggest, and why is it MORE dangerous than the attacks on lines 1–15?

  • A. Brute force — it is more dangerous because it uses multiple IPs to avoid lockout
  • B. Credential stuffing — each login succeeds on the first attempt from different IPs with no failures, generating no alerts; the attacker has valid credentials from a prior breach and the lockout policy provides zero protection
  • C. Password spraying — it is more dangerous because it uses a different common password per account
  • D. Insider threat — the accounts are logging in from internal IPs during off-hours, suggesting employees with legitimate access are misusing credentials

Question 4 (3 pts): The CISO asks: “What single control would have prevented david.kim’s account (line 13) from being compromised, even though ‘Summer2026!’ was his actual password?”

  • A. Lower the lockout threshold from 8 attempts to 3 attempts per account
  • B. Require a minimum 16-character password, making “Summer2026!” non-compliant at registration
  • C. Deploy multi-factor authentication — even with the correct password, the attacker cannot pass the second factor without access to david.kim’s device or app
  • D. Block the IP 45.33.32.156 after three failed attempts across any accounts in a 60-second window

Post-Breach: Fix the Password Policy

The CISO shares SecureBank’s current password policy. Using NIST SP 800-63B as your reference, classify each policy item as Compliant or a Violation. Two items are compliant; three are violations.

Reference — NIST SP 800-63B Key Guidelines:

  (1) No mandatory periodic rotation unless evidence of compromise.
  (2) Minimum 8 characters required; support up to 64 characters.
  (3) Block passwords found in known breach datasets at registration.
  (4) No complexity rules (uppercase/number/symbol mandates).
  (5) Do NOT block paste in password fields.
  (6) No security questions or knowledge-based hints.

Policy items to classify:

  • SecureBank Policy Section 4.2: All employee passwords must be changed every 90 days. New passwords cannot match any of the previous 8 passwords.
  • SecureBank Policy Section 4.5: At account creation, passwords are checked against a list of 1 billion known-breached passwords. If matched, the user is asked to choose a different password.
  • SecureBank Policy Section 4.1: Passwords must contain at least one uppercase letter, one number, and one special character. Minimum length is 8 characters.
  • SecureBank Policy Section 4.8: The password field on the login page has the “paste” attribute disabled to prevent automated credential manager tools from filling in passwords.
  • SecureBank Policy Section 4.3: Users may create passwords up to 64 characters in length, including spaces, emojis, and all printable Unicode characters.


AP Exam Tip: The exam frequently gives you a log or scenario and asks you to name the attack type AND the appropriate control. The three-attack pattern in this lab (brute force / spraying / stuffing) appears together on real exams. Know all three distinguishing features cold: brute force = many attempts, one account; spraying = one password, many accounts; stuffing = prior breach data, one attempt per account with known-good credentials.
Extension Challenge: The log shows that lines 15–16 (credential stuffing) generated zero alerts in the SIEM. Design a behavioral detection rule that would flag credential stuffing without also flagging legitimate users who travel frequently (new IPs are expected). What signals would you monitor, and what thresholds would you set? Write your rule in plain English.
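
The distinguishing features in the exam tip can be turned into failure-count detection logic. The Python below is an added example, not part of the original lab: it runs over a constructed log in the lab's format and shows that per-account and per-IP counting flags brute force and spraying but returns no signal for first-attempt successes. The sample users, IPs, thresholds and the `classify` function are assumptions; the `password=` field is ignored because production auth logs should not record attempted passwords.

```python
import re
from collections import defaultdict

# Constructed sample in the lab's log format; users and IPs are placeholders.
SAMPLE_LOG = """\
02:38:01 AUTH_FAIL user=u1@example.test ip=192.0.2.10 pw_attempt=#1
02:38:04 AUTH_FAIL user=u1@example.test ip=192.0.2.10 pw_attempt=#2
02:38:07 AUTH_FAIL user=u1@example.test ip=192.0.2.10 pw_attempt=#3
02:38:12 AUTH_FAIL user=u1@example.test ip=192.0.2.10 pw_attempt=#4
02:38:16 AUTH_FAIL user=u1@example.test ip=192.0.2.10 pw_attempt=#5
02:38:19 LOCKOUT user=u1@example.test ip=192.0.2.10 after=5_attempts
02:40:01 AUTH_FAIL user=u2@example.test ip=192.0.2.20 pw_attempt=#1
02:40:02 AUTH_FAIL user=u3@example.test ip=192.0.2.20 pw_attempt=#1
02:40:03 AUTH_OK user=u4@example.test ip=192.0.2.20 pw_attempt=#1
02:40:04 AUTH_FAIL user=u5@example.test ip=192.0.2.20 pw_attempt=#1
02:42:17 AUTH_OK user=u6@example.test ip=192.0.2.30 pw_attempt=#1
02:44:03 AUTH_OK user=u7@example.test ip=192.0.2.40 pw_attempt=#1
"""

LINE = re.compile(r"^(\S+) (AUTH_FAIL|AUTH_OK) user=(\S+) ip=(\S+)")

def classify(log, brute_min=5, spray_min=4):
    """Return {ip: (finding, users)} from failure counts per account and per IP."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed attempts
    oks = defaultdict(set)                          # ip -> users that logged in
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                # LOCKOUT and malformed lines
        _, event, user, ip = m.groups()
        if event == "AUTH_FAIL":
            fails[ip][user] += 1
        else:
            oks[ip].add(user)
    findings = {}
    for ip in set(fails) | set(oks):
        per_user = fails.get(ip, {})
        targeted = set(per_user) | oks[ip]
        hit = sorted(u for u, n in per_user.items() if n >= brute_min)
        if hit:                                     # many attempts, one account
            findings[ip] = ("brute_force", hit)
        elif len(targeted) >= spray_min and per_user and max(per_user.values()) <= 2:
            # Many accounts, few tries each: report accounts that accepted the guess.
            findings[ip] = ("password_spray", sorted(oks[ip]))
        else:                                       # nothing to count: no alert
            findings[ip] = ("no_signal", sorted(oks[ip]))
    return findings
```

For a `password_spray` finding the returned users are the accounts that logged in successfully from the spraying IP, which are the ones to reset first.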
