5.3 Lab: The Auth Triage Desk

AP Cybersecurity · Unit 5 · Topic 5.3 · Lab

The Auth Triage Desk

Six tickets on your queue. Code reviews, incidents, and architecture reviews covering password hashing, HMAC, reset tokens, timing attacks, distribution integrity, and the low-entropy trap.

6 Tickets~20 minApplied · Scored

Triage Rules

For each ticket: Identify the failure category (algorithm / salt / comparison / entropy / storage), then pick the action that fixes the root cause.

Trap answers to watch: "switch SHA-256 to SHA-512" (same category), "add salt" when the algorithm is wrong, "use encryption" when hashing is the right operation.

Score0 / 6
Question 1
Ticket #H-3001 — Priority: Urgent

Code review catches this Python in a new authentication service: import hashlib; stored = hashlib.sha256(password.encode()).hexdigest(). Junior dev argues: 'SHA-256 is a strong hash, we're using the standard library.' Your response?
✎ Predict before reading options. Commit to your answer first.
Exam TipSHA-family for passwords in code review = REJECT. Require bcrypt or Argon2id. No exceptions.
Question 2
Ticket #H-3002 — Priority: High

Security audit finds the API authentication system validates incoming requests by comparing a user-supplied HMAC with the server's computed HMAC using Python's == operator. Why is this flagged, and how do you fix it?
✎ Predict before reading options. Commit to your answer first.
Exam TipCompare HMACs/tokens/digests with constant-time functions. hmac.compare_digest() or platform equivalent.
Question 3
Ticket #H-3003 — Priority: Medium

Pentest finding: the password reset email link contains a token generated as MD5(user_id + timestamp). Reset links are valid for 24 hours and there is no rate limiting. Triage?
✎ Predict before reading options. Commit to your answer first.
Exam TipReset tokens must be: cryptographically random + short-lived + rate-limited + single-use. MD5-of-predictable-input is a broken design.
Question 4
Ticket #H-3004 — Priority: Urgent

Incident: a previously-employed contractor accessed the production database. Passwords are stored with bcrypt (cost 12) and per-user random salts. Leadership asks: 'Can the contractor recover passwords?' Your assessment?
✎ Predict before reading options. Commit to your answer first.
Exam Tipbcrypt protects strong passwords against leaked databases for years. Weak passwords fall in days. Always force reset on breach, regardless.
Question 5
Ticket #H-3005 — Priority: High

Software release team asks: how should they distribute and verify the company's new installer? They want users to be able to verify the download hasn't been tampered with. Recommend a complete scheme.
✎ Predict before reading options. Commit to your answer first.
Exam TipDistribution integrity: SHA-256 via HTTPS + code signing. Two mechanisms, each providing a complementary guarantee.
Question 6
Ticket #H-3006 — Priority: Critical

Security engineer proposes: 'Let's store a SHA-256 hash of each user's credit card number in the database. That way we can search for duplicates without storing the actual number.' What's the critical flaw?
✎ Predict before reading options. Commit to your answer first.
Exam TipHashing protects HIGH-entropy data (strong passwords, files). Hashing does NOT protect LOW-entropy data (card numbers, SSNs, phone numbers). Use tokenization or encryption there.

Lab Complete

— / 6

AP Cybersecurity · Unit 5 · Lesson 5.3 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]