Six tickets on your queue. Code reviews, incidents, and architecture reviews covering password hashing, HMAC, reset tokens, timing attacks, distribution integrity, and the low-entropy trap.
6 Tickets~20 minApplied · Scored
Triage Rules
For each ticket: Identify the failure category (algorithm / salt / comparison / entropy / storage), then pick the action that fixes the root cause.
Trap answers to watch: "switch SHA-256 to SHA-512" (same category), "add salt" when the algorithm is wrong, "use encryption" when hashing is the right operation.
Score0 / 6
Question 1
Ticket #H-3001 — Priority: Urgent
Code review catches this Python in a new authentication service: import hashlib; stored = hashlib.sha256(password.encode()).hexdigest(). Junior dev argues: 'SHA-256 is a strong hash, we're using the standard library.' Your response?
✎ Predict before reading options. Commit to your answer first.
Exam TipSHA-family for passwords in code review = REJECT. Require bcrypt or Argon2id. No exceptions.
Question 2
Ticket #H-3002 — Priority: High
Security audit finds the API authentication system validates incoming requests by comparing a user-supplied HMAC with the server's computed HMAC using Python's == operator. Why is this flagged, and how do you fix it?
✎ Predict before reading options. Commit to your answer first.
Exam TipCompare HMACs/tokens/digests with constant-time functions. hmac.compare_digest() or platform equivalent.
Question 3
Ticket #H-3003 — Priority: Medium
Pentest finding: the password reset email link contains a token generated as MD5(user_id + timestamp). Reset links are valid for 24 hours and there is no rate limiting. Triage?
✎ Predict before reading options. Commit to your answer first.
Exam TipReset tokens must be: cryptographically random + short-lived + rate-limited + single-use. MD5-of-predictable-input is a broken design.
Question 4
Ticket #H-3004 — Priority: Urgent
Incident: a previously-employed contractor accessed the production database. Passwords are stored with bcrypt (cost 12) and per-user random salts. Leadership asks: 'Can the contractor recover passwords?' Your assessment?
✎ Predict before reading options. Commit to your answer first.
Exam Tipbcrypt protects strong passwords against leaked databases for years. Weak passwords fall in days. Always force reset on breach, regardless.
Question 5
Ticket #H-3005 — Priority: High
Software release team asks: how should they distribute and verify the company's new installer? They want users to be able to verify the download hasn't been tampered with. Recommend a complete scheme.
✎ Predict before reading options. Commit to your answer first.
Exam TipDistribution integrity: SHA-256 via HTTPS + code signing. Two mechanisms, each providing a complementary guarantee.
Question 6
Ticket #H-3006 — Priority: Critical
Security engineer proposes: 'Let's store a SHA-256 hash of each user's credit card number in the database. That way we can search for duplicates without storing the actual number.' What's the critical flaw?
✎ Predict before reading options. Commit to your answer first.
Exam TipHashing protects HIGH-entropy data (strong passwords, files). Hashing does NOT protect LOW-entropy data (card numbers, SSNs, phone numbers). Use tokenization or encryption there.
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.