AP Cybersecurity 4.2: Authentication

Score0 / 10
📅 Last Updated: June 2026 ~65 min 📚 Lesson 2 of 4 — Unit 4
AP Cybersecurity — Unit 4: Securing Devices

Topic 4.2: Authentication

Cryptographic hashing, salting, four authentication factors, seven password attack types, and five configurable login policy settings — the most content-dense topic in the AP Cybersecurity course.

Lesson 2 of 4 ~65 min LO 4.2.A – 4.2.D Skills: Analyze Risk • Mitigate Risk
★ AP Exam Focus — Topic 4.2

• Explain why passwords are stored as hashes, not plaintext — and the four properties that make a hash function cryptographically useful (collision resistant, pre-image resistant, repeatable, fixed-length)
• Explain salting: random bits added to a password before hashing so two users with the same password get different hashes
• Distinguish online vs. offline password attacks — offline attacks bypass account lockout entirely because they run on the adversary’s machine
• Identify all seven password attack types: credential stuffing, password spraying, brute force, dictionary attack, rainbow table, and the two attack classes (online/offline)
• Classify the four authentication factors: something you know (knowledge), something you have (possession), something you are (biometric), somewhere you are (location)
• Apply the five login policy settings: password complexity, minimum length, maximum age, password history, and account lockout

College Board Essential Knowledge Coverage

Topic 4.2 — What Is Testable

CED Ref Essential Knowledge Covered In
4.2.A.1 Cryptographic hash function: takes binary data of arbitrary length, outputs a fixed-length binary string (hash/checksum/digest). Examples: MD5, SHA-1, SHA-256, SHA-512, NTHash, RIPEMD-160 Section 2 — Hashing
4.2.A.2 n-bit hash has 2n possible outputs; infinite inputs → inevitably two different inputs produce the same hash = collision Section 2 — Collisions
4.2.A.3 Four hash properties: collision resistant (hard to find two inputs with same hash), pre-image resistant (given hash, infeasible to find input), repeatable (same input always same hash), fixed-length (constant bit length per function) Section 2 — Hash Properties
4.2.A.4 MD5 and SHA-1 are deprecated — efficient collision-forcing algorithms exist; deprecated = no longer used in secure settings Section 2 — Deprecated Hashes
4.2.A.5 Passwords stored as hashes (not plaintext) so compromised database doesn’t immediately reveal passwords. Login: user enters password → hashed → compared to stored hash → match = authenticated Section 2 — Password Storage
4.2.A.6 Salt: few random bits hashed with password; each user’s salt is unique → even same password produces different hash for different users → prevents rainbow table attacks on shared passwords Section 2 — Salting
4.2.B.1 Compromised password without MFA: adversary can act with all access rights of that user Section 3 — Password Attack Impact
4.2.B.2 Online attacks: attempt combinations in active auth portal. Offline attacks: captured user:password database, run attacks on adversary’s own computer, bypasses account lockout Section 3 — Online vs. Offline
4.2.B.3 Credential stuffing: use stolen/leaked credentials from one breach to try other accounts; targets password reuse Section 3 — Attack Types
4.2.B.4 Password spraying: attempt one common password against many different user accounts Section 3 — Attack Types
4.2.B.5 Credential stuffing also includes trying default credentials on devices (switches, routers, IoT) Section 3 — Attack Types
4.2.B.6 Offline attacks: brute force (test all possible passwords) and dictionary attack (test list of common passwords) using hash-cracking tools Section 3 — Attack Types
4.2.B.7 Rainbow table attack: precomputed table of passwords and their hashes, sorted by hash; search for captured hash to find matching password. Defeated by salting. Section 3 — Rainbow Tables
4.2.C.1 Four authentication factors: something you know (knowledge), something you have (possession), something you are (biometric), somewhere you are (location) Section 4 — Auth Factors
4.2.C.2–C.5 Knowledge: passwords/PINs/challenge questions. Possession: access card, bank card, phone, auth token. Biometric: fingerprint, palm print, facial recognition, iris/retina, voice. Location: Wi-Fi signals, GPS, time zone, IP address Section 4 — Auth Factors
4.2.C.6 MFA: more than one factor to authenticate; more secure than single-factor because requires at least two separate factors Section 4 — MFA
4.2.D.1–D.5 Five configurable login settings: (1) Password complexity (character set requirements), (2) Minimum length, (3) Maximum age (expiry), (4) Password history (prevent reuse, typically 5–10 hashes stored), (5) Account lockout after N invalid attempts Section 5 — Login Policy

Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 2.A Identify security controls • 2.B Determine layered controls

♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. A company stores user passwords as SHA-256 hashes. An adversary steals the entire password database. Why can’t the adversary immediately log in as every user, even though they have all the hashes? What attack method can they still use?
  2. Two users at a company both use the password “Summer2026!”. Without salting, their stored hashes are identical. Explain how salting prevents this from being a problem, and why identical hashes in a database are dangerous.
  3. An adversary successfully obtains an employee’s password through a phishing attack. The company does not use MFA. What can the adversary now do, and what would MFA have changed?

Answers: (1) Pre-image resistance: given a hash, it is infeasible to determine the input that generated it. They can still run offline hash-cracking tools (brute force or dictionary attack). (2) Salting adds unique random bits to each password before hashing → same password produces different hashes for different users. Identical hashes reveal that two users have the same password, allowing rainbow table attacks targeting that one hash to crack all matching accounts simultaneously. (3) Adversary can act with all access rights available to that user (CED 4.2.B.1). MFA would have required a second factor — even with the correct password, the adversary would be blocked without the second factor (phone, token, etc.).

In This Lesson
  • 4.2.1 — Learning Objectives (3 min)
  • 4.2.2 — Cryptographic Hashing (12 min)
  • 4.2.3 — Password Attack Types (12 min)
  • 4.2.4 — Authentication Factors (8 min)
Continued
  • 4.2.5 — Login Policy Settings (8 min)
  • 4.2.6 — Worked Scenarios & CFUs (10 min)
  • 4.2.7 — Common Mistakes (3 min)
  • 4.2.8 — Key Terms & FAQ (5 min)

14.2.1 — Learning Objectives

  • Explain why passwords are stored as hashes and describe the four properties of cryptographic hash functions (4.2.A)
  • Explain how salting prevents rainbow table attacks and why identical stored hashes are a vulnerability (4.2.A.6)
  • Distinguish online vs. offline password attacks and identify all seven attack types by mechanism (4.2.B)
  • Classify authentication factors as knowledge, possession, biometric, or location, and explain MFA (4.2.C)
  • Apply the five configurable login policy settings to reduce password attack risk (4.2.D)

24.2.2 — Cryptographic Hashing (LO 4.2.A)

Authentication systems need to verify passwords without storing them in plaintext. If a database is compromised, plaintext passwords immediately expose every user. Cryptographic hashing solves this by storing a mathematical fingerprint of the password instead of the password itself.

How Password Authentication Works (CED 4.2.A.5) At registration: user sets password → system hashes it → stores the hash (not the password).
At login: user enters password → system hashes it → compares to stored hash → if hashes match, authentication succeeds.

Four Properties of Cryptographic Hash Functions (CED 4.2.A.3)

Property What It Means Why It Matters for Security
Collision Resistant Difficult to find two different inputs that produce the same hash output Prevents adversaries from finding alternate passwords that hash to the same value
Pre-Image Resistant Given a hash, it is infeasible to determine the input that produced it Even with the stored hash, an adversary cannot reverse-compute the password
Repeatable The same input always produces the same hash output Enables login verification: user’s password always hashes to the same value for comparison
Fixed-Length The hash output has constant length regardless of input size A 1-character password and a 1,000-character password produce hashes of the same length
⚠ Collisions and Deprecated Hash Functions (CED 4.2.A.2, A.4)

An n-bit hash has only 2n possible outputs, but inputs are infinite — so collisions (two different inputs producing the same hash) are mathematically inevitable. When an efficient algorithm is found to force collisions for a specific hash function, that function is deprecated. MD5 and SHA-1 are both deprecated. Deprecated = no longer used in secure settings. SHA-256 and SHA-512 are currently secure.

Salting — Defending Against Rainbow Tables (CED 4.2.A.6)

4.2.A.6How Salting Works
A salt is a few random bits added to a user’s password before hashing. Each user gets a unique salt. Even if two users have identical passwords, their salts differ, so their stored hashes differ. The salt is stored alongside the hash and used during login verification.
Why this defeats rainbow tables: A rainbow table is a precomputed list of common passwords and their hashes. Without salting, an adversary finds your hash in the table and immediately knows your password. With salting, even if they find your hash, the precomputed table doesn’t help — the table doesn’t contain hashes of “password + your unique salt.” They would need a separate table for each possible salt value.
Check for UnderstandingMCQ
Q 1 of 10

A database administrator notices that 50 user accounts all have the same stored hash in the password database. What does this indicate, and which security measure would have prevented this from being exploitable?

AAll 50 accounts are using the same username. Requiring unique usernames would prevent this.
BThe hash function has been deprecated and is producing collisions. Upgrading to SHA-256 would fix this.
CThe database was not encrypted at rest. Encrypting the database would prevent this from being visible.
DAll 50 accounts use the same password. Salting would have prevented this — unique salts ensure different hashes even for identical passwords, so an adversary cracking one hash cannot automatically crack all 50.

34.2.3 — Password Attack Types (LO 4.2.B)

Online vs. Offline Attacks (CED 4.2.B.2)

Online Attacks
4.2.B.2
Attempt user:password combinations against an active authentication portal in real time. The adversary interacts with the live login system.
Limited by: Account lockout policies (too many failed attempts = account locked). Slower because each attempt requires a network round-trip to the authentication server.
Offline Attacks
4.2.B.2
The adversary has captured a user:password hash database and runs hash-cracking tools on their own computer. No interaction with the target system.
Key advantage: Bypasses account lockout entirely because the attack happens on the adversary’s machine. Can run billions of attempts per second using GPUs. This is why database security and salting are critical.

Seven Password Attack Types

Attack Mechanism Online or Offline Defeated By
Credential Stuffing (4.2.B.3, B.5) Uses stolen/leaked credentials from one breach to try other accounts (targets password reuse) or default device credentials Online Unique passwords per account; MFA; device credential changes
Password Spraying (4.2.B.4) One common password attempted against many different user accounts Online Account lockout; MFA; strong password policy
Brute Force (4.2.B.6) Automated tool tests all possible passwords systematically Offline Long passwords (exponentially increases time); salting
Dictionary Attack (4.2.B.6) Automated tool tests a list of common passwords Offline Avoid common passwords; complexity requirements; salting
Rainbow Table Attack (4.2.B.7) Uses precomputed table of passwords and their hashes sorted by hash; searches for matching hash Offline (uses precomputed data) Salting completely defeats rainbow tables
★ Rainbow Table Attack — How It Works and Why Salting Defeats It

An adversary precomputes a table: for each common password, they calculate its hash and store both. The table is sorted by hash value. When they capture a hash database, they search the table for matching hashes — if found, they immediately know the password. Salting defeats this because the table contains hashes of passwords alone, not hashes of passwords combined with unique random salts. The adversary would need a separate table for each possible salt — computationally infeasible.

Check for UnderstandingI / II / III
Q 2 of 10

Which of the following statements about password attacks are TRUE per the CED?

I. Offline password attacks can be detected through authentication logs because they generate many failed login attempts on the target server.
II. Password spraying attempts one common password against many user accounts, making it harder to trigger per-account lockout thresholds.
III. Salting a password hash defeats rainbow table attacks because the precomputed table does not include hashes of passwords combined with unique salts.

AI and II only
BII and III only
CI and III only
DI, II, and III
Check for UnderstandingMatching
Q 3 of 10

Match each attack scenario to the attack type it describes.

Click a scenario, then click the matching attack type.
Scenario
1An adversary tries the password “Summer2026!” against every account in a 10,000-employee organization’s login portal.
2An adversary obtains leaked LinkedIn credentials from a 2024 breach and tries the same email/password combinations on banking websites.
3An adversary steals a password hash database and searches a precomputed table of password-hash pairs to find matching entries.
4An adversary uses a GPU cluster to automatically test every possible 8-character password combination against a captured hash.
Attack Type
APassword Spraying
BCredential Stuffing
CRainbow Table Attack
DBrute Force Attack

44.2.4 — Authentication Factors (LO 4.2.C)

Authentication mechanisms verify identity by requiring a user to provide proof called a factor. The CED defines four factor types.

Knowledge
Something You Know
Passwords, PINs, answers to pre-selected challenge questions. For a knowledge factor to be effective it must be something an adversary can’t easily guess — but difficult-to-guess factors are also harder for users to remember.
Examples: bank account password, ATM PIN, security question answer
Possession
Something You Have
An object unique to the user: access card, bank card, cell phone, or authentication token. The more difficult the object is to obtain or copy, the more secure the possession factor.
Examples: RSA token (6-digit code), smartphone running an authenticator app, RFID badge
Biometric
Something You Are
Measures features of the human body: fingerprints, palm prints, facial recognition, iris or retina scans, voice identification. Difficult for adversaries to duplicate because they are unique to an individual.
Examples: iPhone Face ID, fingerprint scanner on a laptop, voice authentication banking phone lines
Location
Somewhere You Are
Uses Wi-Fi signals, GPS data, time zone settings, and IP address information to determine location. Rules can allow or deny access based on location factor (e.g., access denied from outside the country).
Examples: VPN required to access system from outside corporate network; login blocked from unexpected countries
MFA — Multifactor Authentication (CED 4.2.C.6) MFA uses more than one factor to authenticate a user. It is more secure than single-factor authentication because it requires at least two separate factors. An adversary who steals a password (knowledge factor) still cannot authenticate without the second factor (e.g., possession of the user’s phone).
Check for UnderstandingClassification
Q 4 of 10

A user logs into their work computer by inserting their employee badge (which the system reads electronically) and then scanning their fingerprint. Which authentication factors are being used, and is this MFA?

ATwo knowledge factors (badge PIN + fingerprint data stored in the badge). This is not MFA because both are knowledge factors.
BTwo possession factors (the badge and the fingerprint reader). This is MFA because two devices are involved.
CPossession (employee badge — something you have) and biometric (fingerprint — something you are). This is MFA because two different factor types are combined.
DBiometric (badge reads body characteristics) and possession (fingerprint is something you have). This is MFA.

54.2.5 — Login Policy Settings (LO 4.2.D)

Organizations configure login settings to make password-based authentication more resistant to attacks. The CED identifies five configurable settings.

Setting CED Ref What It Requires Attack It Mitigates
Password Complexity 4.2.D.1 At least one character from each character set: uppercase (A–Z), lowercase (a–z), numeric (0–9), special characters Brute force and dictionary attacks — larger character set = exponentially more possible passwords
Minimum Length 4.2.D.2 Users must have at least a specified number of characters in their password Brute force — longer passwords take exponentially longer to crack
Maximum Age (Expiry) 4.2.D.3 Users prompted to change password after N days (typically 90 or 120). Note: some national standards advise against this to prevent predictable patterns (e.g., PasswordFall2028) Limits damage from compromised passwords — adversary loses access when password changes
Password History 4.2.D.4 System stores N previous password hashes (typically 5–10) to prevent reuse Password cycling (reusing old passwords when forced to change)
Account Lockout 4.2.D.5 Account locked after N invalid attempts (typically 3–5). Lockout period varies. Online brute force and spraying — limits how many guesses an adversary gets. Does NOT protect against offline attacks.
⚠ Account Lockout Only Stops Online Attacks

Account lockout (4.2.D.5) prevents an adversary from making unlimited guesses against a live authentication portal. But it has zero effect on offline attacks (4.2.B.2) — when the adversary runs hash-cracking tools on their own machine against a stolen database, there is no lockout mechanism. This is why stolen password databases are so dangerous and why salting + strong hashing are critical.

Check for UnderstandingFill in the Blank
Q 5 of 10

Fill in the correct term for each blank.

Word Bank salt offline pre-image resistant rainbow table account lockout

1. A hash function that makes it infeasible to determine the original input from the output is called .

2. A few random bits hashed with a user’s password to ensure different users have different stored hashes is called a .

3. An adversary who has stolen a password hash database and runs cracking tools on their own computer is conducting an password attack.

4. A precomputed table containing common passwords and their corresponding hashes, sorted by hash value for rapid lookup, is called a .

5. A login setting that locks a user’s account after a specified number of invalid attempts is called , and it does not protect against offline password attacks.

64.2.6 — Worked Scenarios

Check for UnderstandingSpot the Error
Q 6 of 10

A security manager states: “Our account lockout policy after 5 failed attempts protects us against all password attacks, including scenarios where adversaries have captured our password database.” What is the error?

AAccount lockout only stops online attacks against the live portal. Offline attacks run on the adversary’s machine against the stolen database — there is no lockout mechanism. The adversary can make billions of attempts against the captured hashes without ever interacting with the company’s authentication system.
BAccount lockout after 5 attempts is too many — the limit should be 3 to prevent brute force attacks on the captured database.
CAccount lockout protects against all attack types including offline attacks, but it requires the adversary to be trying passwords against the live portal rather than the database.
DAccount lockout is only effective against password spraying, not brute force or dictionary attacks.
Check for UnderstandingScenario Application
Q 7 of 10

A security log shows: within a 10-second window, 847 different user accounts each had exactly one failed login attempt from the same IP address, all using the password “Welcome123”. Which attack type does this indicate, and why is account lockout ineffective against it?

ABrute force attack — the adversary is testing all possible passwords, starting with simple ones like Welcome123.
BCredential stuffing — the adversary is reusing stolen credentials across many accounts.
CDictionary attack — the adversary is trying a list of common passwords against one account.
DPassword spraying (CED 4.2.B.4) — one common password (“Welcome123”) tried against many different accounts. Account lockout is ineffective because each account only sees one failed attempt — far below the lockout threshold.
Check for UnderstandingI / II / III
Q 8 of 10

Which of the following statements about authentication factors are TRUE per the CED?

I. Using a password and a PIN together constitutes MFA because two separate items are required.
II. Biometric factors are difficult for adversaries to duplicate because they are unique to an individual.
III. Location factors use Wi-Fi signals, GPS data, time zone settings, and IP address information to make access decisions.

AI and II only
BI and III only
CII and III only
DI, II, and III
Check for UnderstandingSpot the Error
Q 9 of 10

A company’s security policy requires all passwords to be changed every 60 days. A security advisor states: “This policy is required by the CED and is universally recommended best practice for all organizations.” What is the error?

AThe policy is correct but should require 90-day intervals, not 60-day intervals, per CED standards.
BThe CED notes that some national standards recommend against required periodic password changes because it encourages predictable patterns (e.g., PasswordFall2028). The policy is a configurable option, not a universal CED requirement.
CThe policy should not require password changes at all — the CED states that password expiry has been deprecated as a security practice.
DThe advisor is correct — maximum password age is a required CED configurable setting that all organizations must implement.
End of LessonIntegrative Scenario
Q 10 of 10
A financial firm discovers their password database has been stolen. The database contains unsalted MD5 hashes. Security logs show no unusual activity on the authentication portal. The CISO asks the security team: “Can the adversary crack these passwords, and what should we do right now?”

Which response is most accurate per the CED?

AYes — MD5 is a deprecated hash with known collision vulnerabilities, and without salting, rainbow tables can be used immediately. No authentication log activity is expected because this is an offline attack running on the adversary’s machine. All users should be forced to reset passwords immediately because all hashes in the database should be considered insecure.
BNo — hashes cannot be reversed due to pre-image resistance, so the adversary cannot crack the passwords. However, users should be notified as a precaution.
CMaybe — the adversary would need to run online attacks, which the current authentication logs would show. If no portal attacks are detected, the passwords are safe.
DYes — but only common passwords are at risk. Users with complex unique passwords are safe because rainbow tables only contain simple passwords.

!Common AP Exam Mistakes — Topic 4.2

Mistake Why It’s Wrong What to Do Instead
Thinking account lockout stops offline attacks Offline attacks run on the adversary’s machine against a stolen database. No authentication portal is involved, so no lockout can trigger. CED 4.2.B.2 is explicit: offline attacks bypass any account lockout protections. Lockout = online attack defense only. Against offline: salting + strong hashing + database access controls.
Saying two knowledge factors = MFA Password + PIN = two knowledge factors (something you know + something you know). MFA requires factors from different categories. Using two of the same category does not qualify as MFA per CED 4.2.C.6. MFA = at least two different factor types (e.g., password + phone token = knowledge + possession).
Confusing credential stuffing with password spraying Credential stuffing uses stolen credentials from one breach on other services (targets password reuse). Spraying uses one common password across many accounts in one system. Different targets, different mechanisms. Stuffing = stolen credentials, different services. Spraying = one common password, many accounts, same portal.
Thinking salting makes hashes reversible Salting makes identical passwords produce different hashes, defeating rainbow tables. It does not change the mathematical one-way nature of hashing. The hash is still not reversible. Salting prevents rainbow table attacks. Pre-image resistance prevents hash reversal. These solve different problems.
Calling MD5 “weak” only because it’s old MD5 is deprecated because efficient algorithms exist to force collisions — not simply because it’s old. SHA-1 is also deprecated for the same reason. Deprecation = a specific technical vulnerability, not age alone. Deprecated = efficient collision-forcing algorithm exists. MD5 and SHA-1 are the CED examples. SHA-256/SHA-512 are currently secure.

84.2.8 — Key Terms & FAQ

Term Definition AP Exam Note
Hash / Digest / Checksum Fixed-length output of a cryptographic hash function All four names are synonyms per the CED
Collision Two different inputs producing the same hash output Mathematically inevitable; deprecated when efficiently forceable
Salt Random bits added to a password before hashing to ensure unique hashes per user Defeats rainbow table attacks; doesn’t change hash reversibility
Deprecated Hash Hash function with known efficient collision-forcing algorithm; no longer used in secure settings MD5 and SHA-1 = deprecated. SHA-256/SHA-512 = currently secure.
Online Password Attack Attempts against a live authentication portal; subject to account lockout Password spraying, credential stuffing
Offline Password Attack Runs hash-cracking tools on adversary’s machine against captured database; bypasses lockout Brute force, dictionary, rainbow table; cannot be detected
Password Spraying One common password attempted against many different user accounts Evades per-account lockout; IoC: many accounts, one password, same IP
Credential Stuffing Using stolen credentials from one breach to access other accounts or default device credentials Exploits password reuse; also applies to default IoT credentials
Rainbow Table Precomputed table of passwords and hashes sorted by hash for rapid lookup Defeated completely by salting
MFA Multifactor authentication — more than one factor type required Must be different factor types; two knowledge factors does not qualify
  • If hashes can’t be reversed, how do offline hash-cracking tools work?

    Pre-image resistance means you can’t mathematically reverse a hash to find its input. But that’s not what offline tools do. Instead, they hash millions of candidate passwords and compare those hashes to the captured hash. If the adversary hashes “password123” and gets the same result as the captured hash, they’ve found the original password — without ever reversing anything. This is why long, random, unique passwords still matter even with good hashing: more entropy makes the candidate space too large to exhaust.

  • What is the difference between a dictionary attack and credential stuffing?

    A dictionary attack (offline) tests a list of common passwords against a captured hash. The adversary hashes each candidate and compares. Credential stuffing (online) takes stolen actual credentials (username + password pairs) from one breach and tries them against different services, targeting users who reuse passwords. Dictionary attacks target weak passwords; credential stuffing targets password reuse behavior. Both are covered in CED 4.2.B.

  • Why is maximum password age controversial per the CED?

    The CED (4.2.D.3) explicitly acknowledges that some national standards recommend against mandatory periodic password changes. The concern: when users are forced to change passwords on a schedule, they often create predictable variations (PasswordSpring2026, PasswordFall2026) that are weaker than a stable strong password they’ve never shared. The CED presents maximum password age as a configurable option, not a universally required control, and notes this debate specifically.

📋 Exit Ticket — Topic 4.2 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. Name all four properties of cryptographic hash functions (CED 4.2.A.3) and explain in one sentence why each matters for password storage security. (AP Skill: Analyze Risk)
  2. Explain how a rainbow table attack works step by step, and explain exactly why salting defeats it. (AP Skill: Analyze Risk)
  3. Classify each authentication factor and determine whether each scenario uses MFA: (a) Password + SMS code sent to phone; (b) Fingerprint + retina scan; (c) PIN + security question. (AP Skill: Mitigate Risk)
  4. A security log shows 2,000 failed login attempts against one account from one IP address in 60 seconds. Which attack type is this, and why does account lockout help here but NOT in an offline attack scenario? (AP Skill: Analyze Risk)
  5. A company’s password policy requires: minimum 12 characters, at least one uppercase + lowercase + number + special character, password expiry every 90 days, lockout after 5 failed attempts, and stores last 8 password hashes. Map each requirement to its CED 4.2.D item number and the attack type each mitigates. (AP Skill: Mitigate Risk)
Answer Key: (1) Collision resistant (hard to find two inputs with same hash → prevents alternate password attack); Pre-image resistant (can’t reverse hash to find password → stolen hash doesn’t reveal password); Repeatable (same password always same hash → enables login verification); Fixed-length (constant output size regardless of input → prevents timing attacks that reveal password length). (2) Adversary precomputes table: [common password → its hash], sorted by hash. When they capture a hash database, they search the table for matching hashes to find corresponding passwords. Salting defeats this: each user’s hash = hash(password + unique_salt). The precomputed table contains hash(password) only, not hash(password + that_specific_salt). A separate table per salt is computationally infeasible. (3a) Password (knowledge) + SMS code/phone (possession) = different types = MFA. (3b) Fingerprint + retina scan = both biometric = same type = NOT MFA. (3c) PIN + security question = both knowledge = same type = NOT MFA. (4) Brute force or dictionary attack — many attempts on one account. Lockout stops this online attack (account locks after threshold). In offline: adversary runs tools against captured hash on their own machine, no auth portal involved, no lockout triggers. (5) 12 char min = 4.2.D.2 (mitigates brute force); complexity = 4.2.D.1 (mitigates brute force + dictionary); 90-day expiry = 4.2.D.3 (limits damage from compromised passwords; note: some standards advise against this); lockout after 5 = 4.2.D.5 (mitigates online brute force + spraying); last 8 hashes = 4.2.D.4 (mitigates password cycling/reuse).
Premium Feature

1-on-1 Expert Support

Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.

2,067+ Verified Hours 5.0 Wyzant Rating 499+ Reviews
Learn About Expert Sessions →
TC
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.

11+ Years Teaching AP CS 2,067+ Verified Tutoring Hours 499+ Five-Star Reviews 5.0 Rating on Wyzant
Content last reviewed and updated: June 2026
← Topic 4.1 Exercise 1 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]