AP Cybersecurity 4.2: Authentication
Topic 4.2: Authentication
Cryptographic hashing, salting, four authentication factors, seven password attack types, and five configurable login policy settings — the most content-dense topic in the AP Cybersecurity course.
• Explain why passwords are stored as hashes, not plaintext — and the four properties that make a hash function cryptographically useful (collision resistant, pre-image resistant, repeatable, fixed-length)
• Explain salting: random bits added to a password before hashing so two users with the same password get different hashes
• Distinguish online vs. offline password attacks — offline attacks bypass account lockout entirely because they run on the adversary’s machine
• Identify all seven password attack types: credential stuffing, password spraying, brute force, dictionary attack, rainbow table, and the two attack classes (online/offline)
• Classify the four authentication factors: something you know (knowledge), something you have (possession), something you are (biometric), somewhere you are (location)
• Apply the five login policy settings: password complexity, minimum length, maximum age, password history, and account lockout
Topic 4.2 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 4.2.A.1 | Cryptographic hash function: takes binary data of arbitrary length, outputs a fixed-length binary string (hash/checksum/digest). Examples: MD5, SHA-1, SHA-256, SHA-512, NTHash, RIPEMD-160 | Section 2 — Hashing |
| 4.2.A.2 | n-bit hash has 2n possible outputs; infinite inputs → inevitably two different inputs produce the same hash = collision | Section 2 — Collisions |
| 4.2.A.3 | Four hash properties: collision resistant (hard to find two inputs with same hash), pre-image resistant (given hash, infeasible to find input), repeatable (same input always same hash), fixed-length (constant bit length per function) | Section 2 — Hash Properties |
| 4.2.A.4 | MD5 and SHA-1 are deprecated — efficient collision-forcing algorithms exist; deprecated = no longer used in secure settings | Section 2 — Deprecated Hashes |
| 4.2.A.5 | Passwords stored as hashes (not plaintext) so compromised database doesn’t immediately reveal passwords. Login: user enters password → hashed → compared to stored hash → match = authenticated | Section 2 — Password Storage |
| 4.2.A.6 | Salt: few random bits hashed with password; each user’s salt is unique → even same password produces different hash for different users → prevents rainbow table attacks on shared passwords | Section 2 — Salting |
| 4.2.B.1 | Compromised password without MFA: adversary can act with all access rights of that user | Section 3 — Password Attack Impact |
| 4.2.B.2 | Online attacks: attempt combinations in active auth portal. Offline attacks: captured user:password database, run attacks on adversary’s own computer, bypasses account lockout | Section 3 — Online vs. Offline |
| 4.2.B.3 | Credential stuffing: use stolen/leaked credentials from one breach to try other accounts; targets password reuse | Section 3 — Attack Types |
| 4.2.B.4 | Password spraying: attempt one common password against many different user accounts | Section 3 — Attack Types |
| 4.2.B.5 | Credential stuffing also includes trying default credentials on devices (switches, routers, IoT) | Section 3 — Attack Types |
| 4.2.B.6 | Offline attacks: brute force (test all possible passwords) and dictionary attack (test list of common passwords) using hash-cracking tools | Section 3 — Attack Types |
| 4.2.B.7 | Rainbow table attack: precomputed table of passwords and their hashes, sorted by hash; search for captured hash to find matching password. Defeated by salting. | Section 3 — Rainbow Tables |
| 4.2.C.1 | Four authentication factors: something you know (knowledge), something you have (possession), something you are (biometric), somewhere you are (location) | Section 4 — Auth Factors |
| 4.2.C.2–C.5 | Knowledge: passwords/PINs/challenge questions. Possession: access card, bank card, phone, auth token. Biometric: fingerprint, palm print, facial recognition, iris/retina, voice. Location: Wi-Fi signals, GPS, time zone, IP address | Section 4 — Auth Factors |
| 4.2.C.6 | MFA: more than one factor to authenticate; more secure than single-factor because requires at least two separate factors | Section 4 — MFA |
| 4.2.D.1–D.5 | Five configurable login settings: (1) Password complexity (character set requirements), (2) Minimum length, (3) Maximum age (expiry), (4) Password history (prevent reuse, typically 5–10 hashes stored), (5) Account lockout after N invalid attempts | Section 5 — Login Policy |
Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 2.A Identify security controls • 2.B Determine layered controls
Answer independently. No notes.
- A company stores user passwords as SHA-256 hashes. An adversary steals the entire password database. Why can’t the adversary immediately log in as every user, even though they have all the hashes? What attack method can they still use?
- Two users at a company both use the password “Summer2026!”. Without salting, their stored hashes are identical. Explain how salting prevents this from being a problem, and why identical hashes in a database are dangerous.
- An adversary successfully obtains an employee’s password through a phishing attack. The company does not use MFA. What can the adversary now do, and what would MFA have changed?
Answers: (1) Pre-image resistance: given a hash, it is infeasible to determine the input that generated it. They can still run offline hash-cracking tools (brute force or dictionary attack). (2) Salting adds unique random bits to each password before hashing → same password produces different hashes for different users. Identical hashes reveal that two users have the same password, allowing rainbow table attacks targeting that one hash to crack all matching accounts simultaneously. (3) Adversary can act with all access rights available to that user (CED 4.2.B.1). MFA would have required a second factor — even with the correct password, the adversary would be blocked without the second factor (phone, token, etc.).
- 4.2.1 — Learning Objectives (3 min)
- 4.2.2 — Cryptographic Hashing (12 min)
- 4.2.3 — Password Attack Types (12 min)
- 4.2.4 — Authentication Factors (8 min)
- 4.2.5 — Login Policy Settings (8 min)
- 4.2.6 — Worked Scenarios & CFUs (10 min)
- 4.2.7 — Common Mistakes (3 min)
- 4.2.8 — Key Terms & FAQ (5 min)
14.2.1 — Learning Objectives
- Explain why passwords are stored as hashes and describe the four properties of cryptographic hash functions (4.2.A)
- Explain how salting prevents rainbow table attacks and why identical stored hashes are a vulnerability (4.2.A.6)
- Distinguish online vs. offline password attacks and identify all seven attack types by mechanism (4.2.B)
- Classify authentication factors as knowledge, possession, biometric, or location, and explain MFA (4.2.C)
- Apply the five configurable login policy settings to reduce password attack risk (4.2.D)
24.2.2 — Cryptographic Hashing (LO 4.2.A)
Authentication systems need to verify passwords without storing them in plaintext. If a database is compromised, plaintext passwords immediately expose every user. Cryptographic hashing solves this by storing a mathematical fingerprint of the password instead of the password itself.
At login: user enters password → system hashes it → compares to stored hash → if hashes match, authentication succeeds.
Four Properties of Cryptographic Hash Functions (CED 4.2.A.3)
| Property | What It Means | Why It Matters for Security |
|---|---|---|
| Collision Resistant | Difficult to find two different inputs that produce the same hash output | Prevents adversaries from finding alternate passwords that hash to the same value |
| Pre-Image Resistant | Given a hash, it is infeasible to determine the input that produced it | Even with the stored hash, an adversary cannot reverse-compute the password |
| Repeatable | The same input always produces the same hash output | Enables login verification: user’s password always hashes to the same value for comparison |
| Fixed-Length | The hash output has constant length regardless of input size | A 1-character password and a 1,000-character password produce hashes of the same length |
An n-bit hash has only 2n possible outputs, but inputs are infinite — so collisions (two different inputs producing the same hash) are mathematically inevitable. When an efficient algorithm is found to force collisions for a specific hash function, that function is deprecated. MD5 and SHA-1 are both deprecated. Deprecated = no longer used in secure settings. SHA-256 and SHA-512 are currently secure.
Salting — Defending Against Rainbow Tables (CED 4.2.A.6)
A database administrator notices that 50 user accounts all have the same stored hash in the password database. What does this indicate, and which security measure would have prevented this from being exploitable?
34.2.3 — Password Attack Types (LO 4.2.B)
Online vs. Offline Attacks (CED 4.2.B.2)
Seven Password Attack Types
| Attack | Mechanism | Online or Offline | Defeated By |
|---|---|---|---|
| Credential Stuffing (4.2.B.3, B.5) | Uses stolen/leaked credentials from one breach to try other accounts (targets password reuse) or default device credentials | Online | Unique passwords per account; MFA; device credential changes |
| Password Spraying (4.2.B.4) | One common password attempted against many different user accounts | Online | Account lockout; MFA; strong password policy |
| Brute Force (4.2.B.6) | Automated tool tests all possible passwords systematically | Offline | Long passwords (exponentially increases time); salting |
| Dictionary Attack (4.2.B.6) | Automated tool tests a list of common passwords | Offline | Avoid common passwords; complexity requirements; salting |
| Rainbow Table Attack (4.2.B.7) | Uses precomputed table of passwords and their hashes sorted by hash; searches for matching hash | Offline (uses precomputed data) | Salting completely defeats rainbow tables |
An adversary precomputes a table: for each common password, they calculate its hash and store both. The table is sorted by hash value. When they capture a hash database, they search the table for matching hashes — if found, they immediately know the password. Salting defeats this because the table contains hashes of passwords alone, not hashes of passwords combined with unique random salts. The adversary would need a separate table for each possible salt — computationally infeasible.
Which of the following statements about password attacks are TRUE per the CED?
I. Offline password attacks can be detected through authentication logs because they generate many failed login attempts on the target server.
II. Password spraying attempts one common password against many user accounts, making it harder to trigger per-account lockout thresholds.
III. Salting a password hash defeats rainbow table attacks because the precomputed table does not include hashes of passwords combined with unique salts.
Match each attack scenario to the attack type it describes.
44.2.4 — Authentication Factors (LO 4.2.C)
Authentication mechanisms verify identity by requiring a user to provide proof called a factor. The CED defines four factor types.
A user logs into their work computer by inserting their employee badge (which the system reads electronically) and then scanning their fingerprint. Which authentication factors are being used, and is this MFA?
54.2.5 — Login Policy Settings (LO 4.2.D)
Organizations configure login settings to make password-based authentication more resistant to attacks. The CED identifies five configurable settings.
| Setting | CED Ref | What It Requires | Attack It Mitigates |
|---|---|---|---|
| Password Complexity | 4.2.D.1 | At least one character from each character set: uppercase (A–Z), lowercase (a–z), numeric (0–9), special characters | Brute force and dictionary attacks — larger character set = exponentially more possible passwords |
| Minimum Length | 4.2.D.2 | Users must have at least a specified number of characters in their password | Brute force — longer passwords take exponentially longer to crack |
| Maximum Age (Expiry) | 4.2.D.3 | Users prompted to change password after N days (typically 90 or 120). Note: some national standards advise against this to prevent predictable patterns (e.g., PasswordFall2028) | Limits damage from compromised passwords — adversary loses access when password changes |
| Password History | 4.2.D.4 | System stores N previous password hashes (typically 5–10) to prevent reuse | Password cycling (reusing old passwords when forced to change) |
| Account Lockout | 4.2.D.5 | Account locked after N invalid attempts (typically 3–5). Lockout period varies. | Online brute force and spraying — limits how many guesses an adversary gets. Does NOT protect against offline attacks. |
Account lockout (4.2.D.5) prevents an adversary from making unlimited guesses against a live authentication portal. But it has zero effect on offline attacks (4.2.B.2) — when the adversary runs hash-cracking tools on their own machine against a stolen database, there is no lockout mechanism. This is why stolen password databases are so dangerous and why salting + strong hashing are critical.
Fill in the correct term for each blank.
1. A hash function that makes it infeasible to determine the original input from the output is called .
2. A few random bits hashed with a user’s password to ensure different users have different stored hashes is called a .
3. An adversary who has stolen a password hash database and runs cracking tools on their own computer is conducting an password attack.
4. A precomputed table containing common passwords and their corresponding hashes, sorted by hash value for rapid lookup, is called a .
5. A login setting that locks a user’s account after a specified number of invalid attempts is called , and it does not protect against offline password attacks.
64.2.6 — Worked Scenarios
A security manager states: “Our account lockout policy after 5 failed attempts protects us against all password attacks, including scenarios where adversaries have captured our password database.” What is the error?
A security log shows: within a 10-second window, 847 different user accounts each had exactly one failed login attempt from the same IP address, all using the password “Welcome123”. Which attack type does this indicate, and why is account lockout ineffective against it?
Which of the following statements about authentication factors are TRUE per the CED?
I. Using a password and a PIN together constitutes MFA because two separate items are required.
II. Biometric factors are difficult for adversaries to duplicate because they are unique to an individual.
III. Location factors use Wi-Fi signals, GPS data, time zone settings, and IP address information to make access decisions.
A company’s security policy requires all passwords to be changed every 60 days. A security advisor states: “This policy is required by the CED and is universally recommended best practice for all organizations.” What is the error?
Which response is most accurate per the CED?
!Common AP Exam Mistakes — Topic 4.2
| Mistake | Why It’s Wrong | What to Do Instead |
|---|---|---|
| Thinking account lockout stops offline attacks | Offline attacks run on the adversary’s machine against a stolen database. No authentication portal is involved, so no lockout can trigger. CED 4.2.B.2 is explicit: offline attacks bypass any account lockout protections. | Lockout = online attack defense only. Against offline: salting + strong hashing + database access controls. |
| Saying two knowledge factors = MFA | Password + PIN = two knowledge factors (something you know + something you know). MFA requires factors from different categories. Using two of the same category does not qualify as MFA per CED 4.2.C.6. | MFA = at least two different factor types (e.g., password + phone token = knowledge + possession). |
| Confusing credential stuffing with password spraying | Credential stuffing uses stolen credentials from one breach on other services (targets password reuse). Spraying uses one common password across many accounts in one system. Different targets, different mechanisms. | Stuffing = stolen credentials, different services. Spraying = one common password, many accounts, same portal. |
| Thinking salting makes hashes reversible | Salting makes identical passwords produce different hashes, defeating rainbow tables. It does not change the mathematical one-way nature of hashing. The hash is still not reversible. | Salting prevents rainbow table attacks. Pre-image resistance prevents hash reversal. These solve different problems. |
| Calling MD5 “weak” only because it’s old | MD5 is deprecated because efficient algorithms exist to force collisions — not simply because it’s old. SHA-1 is also deprecated for the same reason. Deprecation = a specific technical vulnerability, not age alone. | Deprecated = efficient collision-forcing algorithm exists. MD5 and SHA-1 are the CED examples. SHA-256/SHA-512 are currently secure. |
84.2.8 — Key Terms & FAQ
| Term | Definition | AP Exam Note |
|---|---|---|
| Hash / Digest / Checksum | Fixed-length output of a cryptographic hash function | All four names are synonyms per the CED |
| Collision | Two different inputs producing the same hash output | Mathematically inevitable; deprecated when efficiently forceable |
| Salt | Random bits added to a password before hashing to ensure unique hashes per user | Defeats rainbow table attacks; doesn’t change hash reversibility |
| Deprecated Hash | Hash function with known efficient collision-forcing algorithm; no longer used in secure settings | MD5 and SHA-1 = deprecated. SHA-256/SHA-512 = currently secure. |
| Online Password Attack | Attempts against a live authentication portal; subject to account lockout | Password spraying, credential stuffing |
| Offline Password Attack | Runs hash-cracking tools on adversary’s machine against captured database; bypasses lockout | Brute force, dictionary, rainbow table; cannot be detected |
| Password Spraying | One common password attempted against many different user accounts | Evades per-account lockout; IoC: many accounts, one password, same IP |
| Credential Stuffing | Using stolen credentials from one breach to access other accounts or default device credentials | Exploits password reuse; also applies to default IoT credentials |
| Rainbow Table | Precomputed table of passwords and hashes sorted by hash for rapid lookup | Defeated completely by salting |
| MFA | Multifactor authentication — more than one factor type required | Must be different factor types; two knowledge factors does not qualify |
-
If hashes can’t be reversed, how do offline hash-cracking tools work?
Pre-image resistance means you can’t mathematically reverse a hash to find its input. But that’s not what offline tools do. Instead, they hash millions of candidate passwords and compare those hashes to the captured hash. If the adversary hashes “password123” and gets the same result as the captured hash, they’ve found the original password — without ever reversing anything. This is why long, random, unique passwords still matter even with good hashing: more entropy makes the candidate space too large to exhaust.
-
What is the difference between a dictionary attack and credential stuffing?
A dictionary attack (offline) tests a list of common passwords against a captured hash. The adversary hashes each candidate and compares. Credential stuffing (online) takes stolen actual credentials (username + password pairs) from one breach and tries them against different services, targeting users who reuse passwords. Dictionary attacks target weak passwords; credential stuffing targets password reuse behavior. Both are covered in CED 4.2.B.
-
Why is maximum password age controversial per the CED?
The CED (4.2.D.3) explicitly acknowledges that some national standards recommend against mandatory periodic password changes. The concern: when users are forced to change passwords on a schedule, they often create predictable variations (PasswordSpring2026, PasswordFall2026) that are weaker than a stable strong password they’ve never shared. The CED presents maximum password age as a configurable option, not a universally required control, and notes this debate specifically.
Students submit before leaving.
- Name all four properties of cryptographic hash functions (CED 4.2.A.3) and explain in one sentence why each matters for password storage security. (AP Skill: Analyze Risk)
- Explain how a rainbow table attack works step by step, and explain exactly why salting defeats it. (AP Skill: Analyze Risk)
- Classify each authentication factor and determine whether each scenario uses MFA: (a) Password + SMS code sent to phone; (b) Fingerprint + retina scan; (c) PIN + security question. (AP Skill: Mitigate Risk)
- A security log shows 2,000 failed login attempts against one account from one IP address in 60 seconds. Which attack type is this, and why does account lockout help here but NOT in an offline attack scenario? (AP Skill: Analyze Risk)
- A company’s password policy requires: minimum 12 characters, at least one uppercase + lowercase + number + special character, password expiry every 90 days, lockout after 5 failed attempts, and stores last 8 password hashes. Map each requirement to its CED 4.2.D item number and the attack type each mitigates. (AP Skill: Mitigate Risk)
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.
+Continue Learning
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]