Five exam-style questions. Each tests a distinction the AP exam loves: hash vs encrypt, fast hash vs slow hash, plain hash vs HMAC, high-entropy vs low-entropy data, collision resistance vs pre-image resistance.
5 Questions~10 minScored · Exam-style
How to Approach
Predict-first: For each scenario, categorize the use case (file integrity / password storage / API authentication / signature / low-entropy data).
Remember: SHA-256 is fast (good for files, bad for passwords). bcrypt/Argon2 is slow (good for passwords). HMAC adds authenticity. Encryption reverses; hashing does not. MD5 and SHA-1 are broken.
Score0 / 5
Question 1
A developer asks: 'We need to store user passwords. Which of these is correct for a 2026 deployment?'
✎ Predict before reading options. Commit to your answer first.
Exam TipPasswords: Argon2id (or bcrypt) + auto salt. Never SHA-family. Never encryption. Never MD5.
Question 2
Which of the following statements about cryptographic hash functions is TRUE?
I. A good cryptographic hash is both fast and one-way. II. MD5 is still acceptable for digital signatures if messages are short. III. SHA-256 is appropriate for storing passwords if combined with a strong salt.
✎ Predict before reading options. Commit to your answer first.
Exam TipFast hash = good for integrity, bad for passwords. Slow hash (bcrypt/Argon2) = good for passwords.
Question 3
A web application wants to ensure that incoming API requests from partner services have not been tampered with AND originate from partners who hold the shared secret. Which cryptographic primitive is appropriate?
✎ Predict before reading options. Commit to your answer first.
Exam Tip'Integrity + authenticity with a shared secret' = HMAC. Plain hash = integrity only.
Question 4
A company hashes customer Social Security numbers with SHA-256 before storing them, claiming this 'anonymizes' the data. A security consultant says this is inadequate. Why?
✎ Predict before reading options. Commit to your answer first.
Exam TipHashing does NOT protect low-entropy data (SSNs, CC numbers, phone numbers, birthdates). Use tokenization or encryption.
Question 5
A team is reviewing their code signing pipeline. Binaries are currently signed with SHA-1 digests. Sales wants to know: 'Is there any reason to migrate to SHA-256? It's extra work.' Which statement best captures the security case?
✎ Predict before reading options. Commit to your answer first.
Exam TipSHA-1 collision resistance broken (SHAttered 2017) + signatures depend on collision resistance = signature forgery path. Migration to SHA-256 is required.
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.