5.3 Exercise 2: Password Storage Archaeology

AP Cybersecurity · Unit 5 · Topic 5.3 · Exercise 2


Five of the largest password-storage disasters in history. Walk through each breach, extract the lesson, and build the principles a 2026 authentication system must get right.

6 Questions · ~18 min · Applied · Scored

How This Exercise Works

Each scenario is a real breach. For each one, identify the primary failure mode, then apply the lesson to modern design.

Pattern to watch for: breaches stack failures. Yahoo had MD5 AND weak salting. Adobe encrypted AND used ECB. Ashley Madison had bcrypt BUT also MD5. Identify each failure independently.

Question 1
Breach 1: Yahoo (2013). 3 billion accounts. Passwords stored with MD5, minimal salting. Attackers cracked roughly 90% of passwords using GPU clusters within weeks. Which TWO failures combined to produce this outcome?
✎ Predict before reading options. Commit to your answer first.
Exam Tip: Yahoo = MD5 + weak salting. Two compounding failures. bcrypt/Argon2 + per-user random salt would have prevented most cracking.
Question 2
Breach 2: LinkedIn (2012). 6.5 million passwords leaked as unsalted SHA-1 hashes. Within hours, over 60% of passwords were cracked via rainbow tables. Which single failure was most responsible for the speed of the cracking?
✎ Predict before reading options. Commit to your answer first.
Exam Tip: LinkedIn = no salt + rainbow tables = instant crack. Salts are non-negotiable.
Question 3
Breach 3: Adobe (2013). 153 million records. Passwords were 'encrypted' with 3DES in ECB mode with a single key. The key was recoverable from leaked code. Every password was immediately readable. Identify the fundamental design error.
✎ Predict before reading options. Commit to your answer first.
Exam Tip: Adobe = encrypted passwords = one key leak away from total disclosure. Hash, do not encrypt.
Question 4
Breach 4: Ashley Madison (2015). 30 million user accounts. Passwords were stored as bcrypt hashes with strong cost factors, but the site ALSO stored a secondary 'quick login' token that was MD5-based. Within days, attackers cracked millions of passwords — not from the bcrypt hashes, but from the MD5 tokens. Which principle does this illustrate?
✎ Predict before reading options. Commit to your answer first.
Exam Tip: Weakest link dominates. Parallel weak auth path = strong hash is bypassed.
Question 5
Breach 5: RockYou (2009). 32 million passwords leaked as plaintext. The list is still used today as the standard dictionary for password-cracking attacks. What does this tell us about password hashing best practices?
✎ Predict before reading options. Commit to your answer first.
Exam Tip: Plaintext storage = instant exposure. RockYou effect = weak passwords from one breach compromise thousands of other sites via reuse.
Question 6
Synthesis question. Given the lessons from Yahoo, LinkedIn, Adobe, Ashley Madison, and RockYou, which of the following represents the correct 2026 password storage design?
✎ Predict before reading options. Commit to your answer first.
Exam Tip: 2026 design: Argon2id (or bcrypt if Argon2 unavailable) + auto salt + cost tuned to 250ms + consistent across all auth paths. No parallel weak paths.
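
The design in the synthesis tip, sketched as an added example that is not part of the original exercise: a fresh random salt per password, a cost calibrated to a time budget, and a verifier that accepts only the one approved scheme. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for Argon2id or bcrypt; the function names, record format and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 (standard library) stands in for Argon2id or
# bcrypt, which need third-party packages. The record format is illustrative.
SCHEME = "pbkdf2_sha256"

def calibrate(target_s=0.25, start=50_000):
    """Double the iteration count until one hash takes at least target_s."""
    n = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"\x00" * 16, n)
        if time.perf_counter() - t0 >= target_s:
            return n
        n *= 2

def hash_password(password, iterations):
    """Return 'scheme$iterations$salt$hash' with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, record):
    """Accept only records in the one approved scheme; no weak parallel path."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt, want = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(got, want)  # constant-time comparison

def unsalted_sha1(password):
    """Unsalted fast hash as in the LinkedIn scenario, for contrast only."""
    return hashlib.sha1(password.encode()).hexdigest()

if __name__ == "__main__":
    cost = calibrate()  # run on the hardware that will serve logins
    a, b = hash_password("hunter2", cost), hash_password("hunter2", cost)
    print("unsalted digests equal:", unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))
    print("salted records equal:  ", a == b)
    print("verify ok / wrong:     ", verify_password("hunter2", a), verify_password("hunter3", a))
```

Two users with the same password get identical unsalted digests but different salted records, and the verifier rejects any record that is not in the approved scheme instead of falling back to a faster hash.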
