Authentication Factors & Password Hashing | AP Cybersecurity

Unit 4 • Topic 4.2 • Authentication

Authentication Factors & Password Hashing Explained

Topic 4.2 covers how a device verifies who you are. It includes the authentication factors, why passwords are stored as hashes rather than plain text, and the login settings that make a device harder to break into.

At a glance: 4 authentication factors (EK 4.2.C). Hash: how passwords are stored. Lockout: limits guessing.
Know (password), Have (device), Are (biometric): three of the four factors; the framework adds "somewhere you are" (location).

The four authentication factors

The framework lists four factor categories: something you know (a password, PIN, or challenge answer), something you have (a device or token), something you are (a biometric), and somewhere you are (a location factor). Combining factors from different categories is multi-factor authentication.

A knowledge factor only works if it is hard to guess, which is why weak or reused passwords are a core vulnerability.

Scenario

A login requires a password and a fingerprint. Which factor categories are combined?

Reveal answer

Something you know (password) and something you are (fingerprint). Because they come from different categories, this is multi-factor authentication.

Exam tip

The framework names four factors, adding location (somewhere you are) to the usual three. Two items from the same category are not multi-factor.

Why passwords are hashed

Systems do not store your actual password. They store a hash of it (also called a checksum, message digest, or digest). A hash is a one-way transformation: at login the system hashes what you type and compares the result to the stored hash, so the plaintext password is never kept. A sound password store also mixes a random per-user salt into the hash and uses a deliberately slow hash function, so identical passwords produce different stored values and every guess costs the attacker real computation.

If a database leaks, attackers get hashes, not passwords. The hash cannot be run backwards, so the attacker's only option is to guess candidate passwords, hash each one, and compare; that only succeeds when the password is guessable, which is why strong, unique passwords get the most protection. Account-lockout policies limit a different attack, online guessing against the live login, and do nothing against offline cracking of a leaked hash.
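The register-and-verify flow described above, as an added example that is not code from the AP page or its framework. It uses only the Python standard library (PBKDF2-HMAC-SHA256 from hashlib, constant-time comparison from hmac). The record format "pbkdf2_sha256$iterations$salt$digest", the sample passwords and the wordlist are constructed for the demonstration; the crack function shows what an attacker can do with a leaked record and why a weak password is still exposed after hashing.

```python
"""Storing and checking passwords as salted, slow hashes.

Added example for this page (not code from the AP page or its framework).
Standard library only: PBKDF2-HMAC-SHA256 from hashlib and a constant-time
comparison from hmac. The record format "pbkdf2_sha256$iters$salt$digest"
and the sample data below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # deliberately slow: each guess costs the attacker this much work
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record "algorithm$iterations$salt_hex$digest_hex".

    The plaintext password is never stored, only the digest of it.
    A fresh random salt per user means two users with the same password
    get different digests, so one precomputed table cannot crack both.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Hash what the user typed with the stored salt and compare to the stored digest."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest takes the same time whatever the first mismatching byte is,
    # so response timing does not leak the digest byte by byte.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_with_wordlist(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker can do with a leaked record: guess, hash, compare.

    The hash cannot be run backwards, so the only attack is to try candidate
    passwords. A weak password is in every wordlist; a long random one is not,
    which is why strength still matters after hashing.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data; iteration count lowered so the demo runs quickly.
    iters = 10_000
    weak_record = hash_password("password123", iterations=iters)
    strong_record = hash_password("correct horse battery staple", iterations=iters)
    print("stored for weak user:  ", weak_record)
    print("stored for strong user:", strong_record)
    print("login with right password:", verify_password("password123", weak_record))
    print("login with wrong password:", verify_password("password124", weak_record))

    # Constructed "leaked database" scenario: attacker holds the records and a wordlist.
    wordlist = ["123456", "password", "qwerty", "password123", "letmein"]
    print("cracked weak:  ", crack_with_wordlist(weak_record, wordlist))
    print("cracked strong:", crack_with_wordlist(strong_record, wordlist))
```

Two things the example makes concrete: the stored record contains no trace of the password, and a plain general-purpose checksum would not be enough, because the salt and the slow iteration count are what keep a leaked record from being cracked quickly. In production, a maintained password-hashing library (Argon2 or bcrypt bindings) is the usual choice rather than hand-rolled PBKDF2.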

Scenario

Why is storing password hashes safer than storing the passwords themselves?

Reveal answer

A hash cannot be easily reversed to the original password, so if the database leaks, attackers get hashes rather than usable passwords, especially when the passwords are strong.

Real-world example

Why leaked databases expose hashes, not passwords

When a breached site has stored passwords as hashes, attackers get the hashes, not the plaintext. Strong, unique passwords resist being cracked from those hashes, which is the whole point of hashing.

Hashing protects passwords at rest.

Key Terms

Authentication factor A category of proof: know, have, are, or where.
Hash A one-way fingerprint used to store passwords.
Account lockout A setting that limits failed login attempts.
Biometric factor Something you are, like a fingerprint.


Common Mistakes


Forgetting the fourth factor

The framework lists four factors, including location, not just three.


Thinking hashing is encryption

Hashing is one-way; you cannot decrypt a hash back to the password the way ciphertext can be decrypted with the right key. Encryption is reversible by design; a password hash must not be.


Assuming a hash makes weak passwords safe

Weak or common passwords can still be cracked from hashes, because an attacker can hash every entry in a wordlist and look for a match; strength still matters.


Ignoring lockout policies

Account-lockout settings limit how many online guesses an attacker gets against a live account; they do not help once hashes have leaked and are being cracked offline.
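A lockout policy of the kind the page describes, as an added example that is not code from the AP page or its framework. The policy parameters (five failures, a 15-minute lock, a 15-minute reset window), the in-memory account table, the FakeClock that drives the simulation and the attack wordlist are all constructed for the demonstration; the password check is a plain string comparison so that the lockout logic stays visible, where a real service would verify against a stored hash.

```python
"""Account lockout: cap the number of online password guesses per account.

Added example for this page, not code from the AP page or its framework.
Policy values, the account table, FakeClock and the attack wordlist are
constructed for the demonstration.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5               # failed attempts that trigger a lock
    lockout_seconds: int = 900       # how long the account stays locked
    reset_after_seconds: int = 900   # forget old failures after this much quiet time


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, passwords: Dict[str, str],
                 policy: Optional[LockoutPolicy] = None,
                 clock: Callable[[], float] = time.monotonic):
        self._passwords = passwords            # user -> password (constructed; a hash in practice)
        self.policy = policy or LockoutPolicy()
        self.clock = clock
        self.state: Dict[str, AccountState] = {}
        self.password_checks = 0               # guesses that actually reached the password check

    def login(self, user: str, password: str) -> str:
        """Return "ok", "bad_password" or "locked"."""
        now = self.clock()
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                    # rejected before any password check
        if st.failures and now - st.first_failure_at >= self.policy.reset_after_seconds:
            st.failures = 0                    # old failures have aged out of the window
        self.password_checks += 1
        if self._passwords.get(user) == password:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures == 1:
            st.first_failure_at = now
        if st.failures >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures = 0                    # counter starts fresh once the lock expires
            return "locked"
        return "bad_password"


class FakeClock:
    """Controllable clock so the simulation does not have to sleep."""
    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_guessing(guesses: List[str], policy: LockoutPolicy,
                      seconds_between: float = 1.0) -> Dict[str, int]:
    """Run a guessing attack against one account and report how far it got."""
    clock = FakeClock()
    svc = LoginService({"alice": "correct horse battery staple"}, policy, clock)
    outcomes = {"ok": 0, "bad_password": 0, "locked": 0}
    for guess in guesses:
        outcomes[svc.login("alice", guess)] += 1
        clock.advance(seconds_between)
    return {"checked": svc.password_checks, **outcomes}


if __name__ == "__main__":
    attack = [f"guess{i}" for i in range(50)]          # constructed wordlist
    print("no lockout:   ", simulate_guessing(attack, LockoutPolicy(threshold=10_000)))
    print("5-try lockout:", simulate_guessing(attack, LockoutPolicy(threshold=5)))
```

With the five-try policy, only the first five of fifty guesses ever reach the password check; the rest are refused until the lock expires. Two caveats a practitioner would add: lockout only slows online guessing and is irrelevant to offline cracking of leaked hashes, and an aggressive policy lets an attacker lock a victim out on purpose, so temporary locks combined with per-source rate limiting are preferred over permanent ones.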

Check for Understanding

Question 1. Which are authentication factor categories in the framework? I. Something you know. II. Something you are. III. Somewhere you are.
Answer: D, all three. The framework lists knowledge, possession, biometric, and location factors.
Question 2. Why are passwords stored as hashes?
Answer: B. A one-way hash means the system never stores the real password, so a leak exposes hashes rather than usable credentials.
Question 3. A password plus a fingerprint is multi-factor because it combines:
Answer: B. A password (know) and a fingerprint (are) come from different categories, so it is multi-factor.
Question 4. How does hashing differ from encryption?
Answer: A. A hash is a one-way transformation; unlike encryption, it is not designed to be reversed.
Question 5. Which login setting most directly limits password guessing?
Answer: A. Account-lockout policies cap failed attempts, limiting brute-force guessing.
Question 6. A knowledge factor is effective only if it is:
Answer: C. A knowledge factor must be hard to guess to provide real protection.

Frequently Asked Questions

What are the four authentication factors? Something you know (password, PIN), something you have (a device or token), something you are (a biometric), and somewhere you are (a location factor).
Why are passwords hashed? Because a hash is a one-way transformation, the system never stores your real password. If the database leaks, attackers get hashes rather than usable passwords.
Is hashing the same as encryption? No. Hashing is one-way and is not meant to be reversed, while encryption is designed to be decrypted by someone with the right key.
