AP Cybersecurity 1.2: Suspicious Website Logins
Topic 1.2: Suspicious Website Logins
How attackers systematically crack, steal, and reuse passwords — from exhaustive brute force to precomputed rainbow tables — and why password length, hashing algorithms, and salting determine whether a breached database becomes a catastrophe.
- Slides — Full Lesson Slide Deck(browse)
- 1.2.1 — Learning Objectives(3 min)
- 1.2.2 — Why Passwords Fail: Root Causes(8 min)
- 1.2.3 — Essential Vocabulary & Exam Tips(10 min)
- 1.2.4 — Attack Types In Depth(12 min)
- 1.2.5 — How Password Hashing Works(8 min)
- 1.2.6 — Real-World Case Studies(7 min)
- 1.2.7 — Defense Strategies(6 min)
- 1.2.8 — Worked Examples(5 min)
- 1.2.9 — AP Exam Strategy(5 min)
- 1.2.10 — Frequently Asked Questions(3 min)
Use these slides alongside the lesson or as a quick review before the quiz.
• Identify all three CED signs of an online password attack: many failed attempts in short duration, login at unusual times, login from unknown devices
• Explain the three common password patterns adversaries exploit and how a targeted dictionary is constructed
• Apply the three defenses: long/random/unique passwords or passphrases, avoiding personally meaningful words, enabling MFA
• Distinguish a targeted dictionary attack from a generic brute-force attack
• Recognize that MFA is the highest-value individual defense against password compromise
Topic 1.2 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 1.2.A.1 | Online password attacks: adversaries try common passwords, common patterns, or stolen passwords | How Password Attacks Work |
| 1.2.A.2 | Three signs: many failed attempts in short duration • login at unusual times • login from unknown devices | Signs of an Attack |
| 1.2.B.1 | Three common patterns: word(s)+two-digit number+special char at end • pet/family names • personally significant dates | Weak Password Patterns |
| 1.2.B.2 | Adversaries build a targeted dictionary from personal info gathered about the victim (OSINT) and submit via automated tool | Dictionary Attacks |
| 1.2.C.1 | Strong passwords: long, random, unique. Password managers or passphrases recommended. | Defenses |
| 1.2.C.2 | Avoid names, dates, or personally meaningful words when creating passwords | Defenses |
| 1.2.C.3 | Enable MFA — requires extra proof of identity (e.g., one-time code) beyond the password | Defenses |
Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 1.A Identify threats • 2.A Identify security controls
Answer independently. No notes.
- A log shows 847 failed login attempts in 3 minutes, then a successful login at 3:14 AM from an unknown IP. Name every CED sign of a password attack present in this scenario.
- Someone’s password is “Buddy2018!” — Buddy is their dog and 2018 is their graduation year. Why is this specifically vulnerable to a targeted dictionary attack?
- After stealing a password, an adversary is blocked by MFA. They call the user posing as bank support and ask for the authentication code. Which two Unit 1 topics does this combine?
Answers: (1) Many failed attempts in short duration + unusual login time + unknown device/location. (2) Uses pet name and personally significant date — both CED-specified patterns adversaries build targeted dictionaries from. (3) Topic 1.2 (password attack) + Topic 1.1 (vishing to steal the OTP — secure information impact 1.1.C.2).
11.2.1 — Learning Objectives
By the end of this lesson, you will be able to:
- Define and precisely distinguish brute force, dictionary, credential stuffing, password spraying, and rainbow table attacks by their mechanism and starting conditions
- Calculate and interpret keyspace size for a given password policy, and explain why length dominates complexity in determining resistance to brute force
- Explain how passwords are stored using one-way hashing and why fast hash functions (MD5, SHA-1) are inappropriate for password storage
- Describe what a salt is, how it is applied, and precisely why it defeats rainbow table precomputation
- Apply NIST SP 800-63B guidance on password policy and explain why forced rotation and complexity requirements are counterproductive
- Analyze a realistic breach scenario, identify the attack type in use, and select the control that would have specifically prevented it
- Apply AP exam strategies — predict-first, slash the trash, keyword identification — to password attack MCQ scenarios
21.2.2 — Why Passwords Fail: The Root Causes
Every password attack exploits one or more of three fundamental, predictable weaknesses. Understanding the root cause is the prerequisite for understanding why each attack type works — and which specific defense defeats it.
People choose memorable words, names, and patterns — the same sequences attackers put in their dictionaries first. Complexity requirements are defeated by substitutions like p@ssw0rd.
The average user has 90+ accounts but fewer than 10 unique passwords. One breach at any site exposes credentials for every other site where the same password is used.
Plaintext storage, weak hashing (MD5/SHA-1 unsalted), or reversible encryption means a database breach instantly exposes all credentials — no cracking needed.
✎ Predict first: Before reading the choices, identify what is wrong with the statement below.
A junior analyst flags this recommendation as flawed. Which of the following BEST identifies the error in the consultant's reasoning?
31.2.3 — Essential Vocabulary & Exam Tips
- Brute Force
- Exhaustive trial of all combinations
- Dictionary Attack
- Wordlist of probable passwords
- Credential Stuffing
- Breach data replayed elsewhere
- Password Spraying
- One password across many accounts
- Rainbow Table
- Precomputed hash-to-password map
- Hash Function
- One-way transformation of input
- Salt
- Random value added before hashing
- Keyspace
- Total number of possible passwords
| Term | Precise Definition | What Makes It Distinct | AP Exam Tip |
|---|---|---|---|
| Brute Force Attack | Systematically trying every possible password combination until the correct one is found. Guaranteed to succeed eventually but computationally expensive against long passwords. | Exhaustive enumeration. No wordlist. No prior data. Just systematic trial of all possibilities. Time is the only constraint. | Key word: "every possible combination." When a scenario says the attacker has no special information and simply tries combinations, it is brute force. |
| Dictionary Attack | Testing a curated wordlist of probable passwords — common words, names, keyboard patterns, sports teams, known breach passwords, and variations thereof. | Uses a prepared wordlist of probable passwords. Faster than brute force because it exploits predictable human choices. Cannot crack truly random passwords. | Key distinguisher: wordlist. "The attacker used a list of common passwords" = dictionary attack. Far faster than brute force against typical users. |
| Credential Stuffing | Using validated username-password pairs obtained from a prior data breach to authenticate on entirely different websites, exploiting widespread password reuse. | Uses confirmed credentials from a real breach. Does not guess — uses known-working pairs. Succeeds because ~65% of users reuse passwords across services. | Key signal: "breach database," "stolen credentials," "testing on another site." The attacker already knows the password works somewhere. |
| Password Spraying | Testing one or a few common passwords (e.g., "Summer2025!") across many different accounts to avoid triggering individual account lockout thresholds. | Many accounts, one password — the inverse of traditional brute force. Explicitly designed to evade lockout policies by staying below the per-account threshold. | Key phrase: "evades account lockout." If the attacker tries the same password on thousands of accounts instead of many passwords on one account, it is password spraying. |
| Rainbow Table Attack | Using a precomputed lookup table mapping millions of known plaintext passwords to their hash values to instantly reverse stolen hashes without recalculating them. | Precomputed time-memory tradeoff. Extremely fast once computed. Completely defeated by per-user salting. Requires an offline database of stolen hashes to be useful. | Key condition: attack only works on unsalted hashes. If the scenario mentions a stolen hash database AND no salts, the rainbow table attack applies. |
| Password Hash | The output of a one-way cryptographic function applied to a password. Servers store hashes, not plaintext. Verification is done by hashing the submitted password and comparing the result. | One-way: you cannot reverse a hash to recover the original password (without precomputation or brute force). Deterministic: same input always produces same hash. | MD5 and SHA-1 are fast — too fast for password storage. bcrypt, Argon2, scrypt are slow by design, making offline cracking impractical. |
| Salt | A unique, randomly generated value appended to each user's password before hashing. The salt is stored alongside the hash in the database and is not secret. | Makes every hash unique even for identical passwords. Defeats rainbow tables by making precomputed tables invalid — each password now hashes differently. | Salts do NOT need to be secret. Their purpose is uniqueness, not secrecy. A salt defeats precomputation; it does not directly defeat offline brute force of a single password. |
| Keyspace | The total number of possible passwords for a given character set and length. Calculated as: (number of possible characters)password length. | Every character added multiplies the keyspace by the character set size. Length is exponentially more effective than character set expansion. | An 8-character password with 95 printable ASCII characters has 958 ≈ 6.6 trillion combinations. Adding one character multiplies by 95. Adding complexity adds far less. |
✎ Predict first: Before touching the dropdowns, mentally match each attack type to its mechanism.
Match each password attack type to its distinguishing mechanism. Select the correct definition from each dropdown.
41.2.4 — Attack Types In Depth
Surface definitions are necessary but insufficient. You need to understand the mechanics, the edge cases, and the conditions that determine which attack type is in use when a scenario deliberately obscures the classification.
✎ Predict first: Evaluate each statement independently before reading the answer choices.
I. An attacker used a list of 2 billion username-password pairs obtained from the 2022 Twitter breach and successfully logged in to 41 employee accounts on the company VPN.
II. An attacker tested the password "Welcome1" against all 12,000 employee accounts over 5 days, successfully authenticating 18 accounts without triggering any lockout alerts.
III. An attacker cracked all 9 million password hashes from the company's stolen database in under 1 minute using a precomputed lookup table. No errors were returned for hashes stored with the new bcrypt algorithm.
Which statements correctly identify an attack that is NOT defeated by account lockout policies?
51.2.5 — How Password Hashing Works
Correct password storage is a foundational defense against offline cracking attacks. Understanding the mechanism — and the specific ways it can fail — is required knowledge for the AP exam.
Why Passwords Are Hashed, Not Encrypted
Encryption is reversible: if the decryption key is exposed, all passwords are exposed. Hashing is a one-way transformation: given the hash output, you cannot mathematically reverse it to recover the input. Servers never need to know your actual password — they only need to verify that what you typed, when hashed, matches the stored hash.
User types "mypassword" → Server computes hash("mypassword") → Result compared to stored hash → Match = authenticated. The server never stores, transmits, or sees the original password after the hash is computed at account creation.
Why Fast Hash Functions (MD5, SHA-1) Are Dangerous for Passwords
MD5 and SHA-1 were designed to be fast — optimal for their actual purpose of verifying file integrity. For password storage, speed is the enemy. A modern GPU can compute approximately 10 billion MD5 hashes per second offline. Against a stolen database of unsalted MD5 hashes, an attacker can test every entry in the RockYou wordlist in milliseconds.
bcrypt, Argon2, and scrypt solve this by being intentionally slow. They are configurable: you can increase the "work factor" as hardware improves. At bcrypt cost factor 12, the same GPU can test approximately 300 hashes per second — 33 million times slower than MD5. An attacker who steals a bcrypt hash database faces a fundamentally different (and impractical) cracking problem.
Salting: The Defense Against Precomputation
A salt is a randomly generated string (typically 16–32 bytes) that is generated uniquely for each user at account creation, appended to the password before hashing, and stored alongside the resulting hash in the database.
User B: hash("password123") = 5f4dcc3b5aa765d61d8327de
Identical hashes reveal identical passwords. Rainbow table lookup: instant.
User B: hash("password123" + "q2x8m5k1") = 2c9f47e63ba81d...
Different salts produce completely different hashes. Precomputed tables are useless.
NIST SP 800-63B: The Password Policy That Changes Everything
The National Institute of Standards and Technology's digital identity guidelines issued in 2017 reversed decades of counterproductive password advice. The key counterintuitive recommendations:
Forced monthly or quarterly password changes cause users to make predictable incremental changes: "Summer2025!" becomes "Fall2025!" becomes "Winter2026!". These are trivially guessable. Rotation should only be required when a breach is confirmed or suspected.
A 16-character passphrase "purple-horse-lamp-cup" is dramatically more resistant to brute force than "P@ss!234" despite containing no special characters. Keyspace grows exponentially with length but only linearly with character variety.
New passwords should be checked against a database of known-breached passwords at creation time. If a user tries to set "password123", it should be rejected — not because it lacks complexity, but because it appears in every attacker wordlist ever compiled.
NIST recommends supporting passwords up to 64 characters minimum. Truncating passwords at 16 or 20 characters prevents passphrases from achieving their full security benefit. Password managers generate 40+ character random strings — systems must accept them.
✎ Predict first: Before placing any words, trace the full salting process in your head from plaintext to stored hash.
Complete the description of the salting process by placing each word chip into the correct blank. Click a word chip to select it, then click the blank where it belongs. Click a filled blank to return the chip to the bank.
61.2.6 — Real-World Case Studies
These three breaches demonstrate the difference between theoretical attack mechanics and catastrophic real-world outcomes. Each illustrates a specific, testable AP exam concept.
In 2012, attackers stole approximately 6.5 million LinkedIn password hashes. LinkedIn had stored passwords using SHA-1 — a fast hashing algorithm — without per-user salts. Immediately after the breach, the hashes were posted to online forums. Within 24 hours, security researchers had cracked approximately 90% of the hashes using precomputed lookup tables. The 2016 reanalysis revealed the breach was actually 117 million accounts.
Because SHA-1 is fast (approximately 5 billion hashes per second on a modern GPU) and the hashes had no salts, recovering the original passwords was essentially free computation. Passwords that took years to appear in breach lists — because they were slightly unusual — were cracked within days as attackers worked through progressively less common wordlist entries.
Textbook rainbow table / fast hash attack enabled by missing salts. The defense was not a stronger hash algorithm alone — it was per-user random salts plus a slow algorithm (bcrypt). LinkedIn's 2012 failure became the definitive real-world example of what NIST SP 800-63B addressed in its storage guidance.
In January 2019, security researcher Troy Hunt published findings on "Collection #1" — a compilation of 772 million email addresses and 21 million unique passwords aggregated from thousands of prior breaches. This was not a single breach of one company; it was a curated database assembled specifically for credential stuffing operations.
Within weeks of its exposure, credential stuffing tool traffic against banking and e-commerce sites spiked by 200%. The data provided attackers with pre-validated credential pairs at scale: for every 10 million pairs tested, approximately 1–2% successfully authenticated on unrelated sites — yielding 100,000–200,000 compromised accounts per 10 million attempts, with zero guessing required.
Credential stuffing succeeds even when the target site has perfect security, because it exploits password reuse on the user side. The defense is MFA and unique-per-site passwords enforced by password managers — not stronger login page security.
In the aftermath of the 2020 SolarWinds compromise, investigators discovered that several affected organizations had been separately compromised via password spraying attacks targeting Microsoft 365 accounts. Attackers tested a small number of common passwords — including vendor defaults and seasonal patterns — against large lists of valid corporate email addresses obtained from OSINT and phishing kit logs. Organizations without MFA saw mass account compromises without any lockout alerts triggering.
Because each account received at most 2–3 login attempts, the attack was invisible to threshold-based monitoring. Only behavioral analysis — detecting logins from unusual geographies or devices — flagged the campaign after damage had already occurred.
Password spraying exploits the statistical certainty that some employees will use default or common passwords, combined with the architectural limitation that account lockout cannot detect cross-account low-frequency attacks. The defense is MFA plus behavioral analytics — not lockout policy alone.
Which attack and defense pairing is MOST accurate for this scenario?
71.2.7 — Defense Strategies
Password attack defense requires matching the right control to the specific attack type. A control that defeats rainbow tables does nothing against credential stuffing. Understanding the mechanism is the prerequisite for selecting the correct defense on the AP exam.
Technical Controls
- Per-user random salts before hashing (defeats rainbow tables entirely)
- bcrypt, Argon2, or scrypt for password storage — not MD5 or SHA-1 (defeats offline brute force by making each guess computationally expensive)
- Multi-Factor Authentication (MFA) on all accounts (defeats credential stuffing and password spraying even when passwords are correct)
- Account lockout after 5–10 failed attempts (defeats online brute force and naïve dictionary attacks)
- Rate limiting login endpoints (slows automated online attacks)
- Breached-password check at account creation using Have I Been Pwned API (blocks the use of known-compromised passwords)
- CAPTCHA challenges after repeated failures (deters automated attacks)
- Phishing-resistant hardware security keys (FIDO2) for high-value accounts
Policy and Human Controls
- Require minimum 16-character passphrases rather than 8-character complex passwords (NIST 800-63B guidance)
- Eliminate default passwords — force unique credentials at first login (defeats spraying using default patterns)
- Mandate password manager use to enforce unique passwords per site (defeats credential stuffing at root)
- Do NOT require periodic rotation unless breach is confirmed (NIST 800-63B — prevents predictable incremental changes)
- Security awareness training on password reuse, credential theft, and phishing
- Out-of-band verification for high-stakes actions even when login succeeds
- Behavioral analytics to detect low-frequency, cross-account spraying patterns invisible to lockout thresholds
| Attack Type | Root Cause | Lockout Stops It? | Primary Defense |
|---|---|---|---|
Brute Force (Online) |
Unlimited attempts allowed | ✓ Yes — directly | Account lockout + rate limiting |
Brute Force (Offline) |
Weak hashing — hash stolen from DB | ✗ No — offline, no server | bcrypt/Argon2 + salt Exam Trap |
Dictionary Attack |
Predictable password choices | △ Only if online | Strong passphrase policy + lockout |
Rainbow Table |
Unsalted hashes in storage | ✗ No — precomputed | Salt (random, unique per account) Exam Trap |
Credential Stuffing |
Password reuse across sites | △ Only high-frequency | Unique passwords + breach monitoring |
Password Spraying |
Common passwords still in use | ✗ Low frequency evades lockout | Block common passwords + MFA Exam Trap |
Mandatory complexity (uppercase + lowercase + number + symbol) at 8 characters has a keyspace of 958 ≈ 6.6 trillion. A 16-character all-lowercase passphrase has a keyspace of 2616 ≈ 4.4 x 1022 — over 6.6 billion times larger. Complexity theater makes passwords harder to remember without proportionally improving security. NIST now explicitly recommends against arbitrary complexity rules in favor of length minimums and breach-password screening.
✎ Predict first: Before moving any steps, trace the password spraying attack from start to finish in your head.
These five steps describe how a password spraying attack avoids detection. Use the arrows to place them in the correct chronological order, then click Check Order.
Use ▲ ▼ to move steps up or down. The number on the left shows current position.
!Common AP Exam Mistakes — Topic 1.2
| Mistake | Why It’s Wrong | What to Do Instead |
|---|---|---|
| Thinking complex-looking passwords are automatically strong | “P@ssw0rd” follows known substitution patterns adversary tools include. Complexity ≠ strength. | Strong = long + random + unique. Avoid substitutions of dictionary words. |
| Confusing dictionary attack with brute-force | Brute-force tries every combination. Dictionary attack uses a targeted list from personal info. The CED describes dictionary attacks specifically. | Dictionary = targeted list from OSINT. Brute-force = exhaustive enumeration of all possibilities. |
| Saying MFA makes password strength irrelevant | MFA adds a second factor but a compromised password remains a risk — especially if MFA is bypassed via social engineering (1.1 OTP theft). | Both strong passwords and MFA are needed together. |
| Missing “unusual login times” as a sign of attack | Students remember failed attempts and unknown devices but forget unusual times. The CED lists all three. | Memorize all three: many failed attempts • unusual times • unknown devices. |
| Recommending short complex passwords over long simple ones | Length matters more than complexity for resisting brute-force. A long passphrase beats a short complex password by orders of magnitude. | CED says: long, random, unique. Passphrases are an explicitly listed valid approach. |
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Learn About Expert Sessions →81.2.8 — Worked Examples: Predict First, Then Classify
Apply the predict-first approach to every scenario question: form your own classification before reading the answer choices. This prevents convincing distractors from swaying you away from a correct prediction.
Predict Before Looking at Options
The attacker has credentials from a prior breach (retail chain). Testing them against a completely different service (Spotify). One attempt per account. No guessing involved. Prediction: credential stuffing.
Slash the Trash
Brute force? Would be many attempts per account — eliminate. Dictionary attack? Would test multiple passwords per account from a wordlist — eliminate. Rainbow table? Requires a stolen hash database, not a login endpoint — eliminate. Password spraying? Would test the same password across many accounts — eliminate. Credential stuffing is the only match: uses prior breach data, one attempt per account, targets a different site.
Identify the Key Defense
- MFA on Spotify — would have stopped all 1.2M logins even with the correct password
- Password manager use — would have prevented reuse between retail and Spotify accounts
- Better retail security — would have prevented the original breach, but Spotify itself had no vulnerability to fix
Credential stuffing. Spotify had no security failure — they were an innocent victim of another company's breach combined with users' password reuse habit. The defense for Spotify is MFA. The defense for users is unique passwords per service managed by a password manager.
Diagnose the Storage Failure
The attacker used a "publicly downloadable lookup table" (rainbow table) and recovered 95% of hashes in 8 minutes. The 200,000 that resisted were likely either unique long passphrases not in any wordlist, or — more likely — the accounts that had been migrated to bcrypt during a later security update. Prediction: unsalted fast hash (MD5 or SHA-1 most likely).
Identify Every Failure Present
- No per-user salts: Identical passwords produced identical hashes, and precomputed tables mapped them instantly
- Fast hash algorithm: The attack required no brute force — but if it had, MD5's speed would still have made cracking practical
- Predictable passwords: 95% of users chose passwords that appear in a general wordlist
Rainbow table attack enabled by missing salts and a fast hash function. The engineering team's error: using a hash function does not mean using the right hash function correctly. The fix is bcrypt or Argon2 with per-user randomly generated salts — which explains why the 200,000 bcrypt-hashed accounts were not cracked.
Consider the following two statements about this scenario:
I. The attack is password spraying because one password is tested against many accounts, explicitly designed to avoid triggering per-account lockout thresholds.
II. Deploying account lockout with a threshold of 3 attempts would have completely prevented this attack.
Which evaluation of Statements I and II is MOST accurate?
91.2.9 — AP Exam Strategy: Password Attack Questions
Identify What the Attacker Starts With
Before classifying the attack, ask: what raw material does the attacker have? Nothing — just a username = brute force or dictionary. A list of common passwords = dictionary. Breach database of validated credentials = credential stuffing. Stolen hash database = rainbow table or offline brute force. The starting material determines the attack type before you even read the answer choices.
Identify the Direction: One Account vs. Many Accounts
Many passwords tested against one account = brute force or dictionary attack (vulnerable to lockout). One password tested against many accounts = password spraying (explicitly lockout-immune). This single axis eliminates two wrong answers on almost every password attack classification question.
Highlight Keywords: NEVER / ALWAYS / NOT / EXCEPT
Flag these words before reading answer choices. Common AP question patterns: "Which of the following is NOT protected by account lockout?" (answer: credential stuffing, password spraying, rainbow table attacks — all offline or lockout-immune) and "Which password storage design ALWAYS defeats rainbow table attacks?" (answer: per-user random salts, regardless of algorithm speed).
Match the Defense Precisely to the Attack
The AP exam frequently gives you a scenario and asks for the "most effective" or "specifically prevents" defense. Generic answers ("use stronger passwords") are almost never correct when a targeted control is available. Salting → defeats rainbow tables. MFA → defeats credential stuffing and spraying. bcrypt/Argon2 → defeats offline brute force. Rate limiting → defeats online brute force. Match the mechanism of the attack to the mechanism of the defense.
NIST Counterintuitive Facts Are Exam Favorites
Questions that test NIST 800-63B guidance are common because the answers are counterintuitive: forced rotation reduces security (not increases it). Complexity requirements do not meaningfully increase security against real-world attacks. Length dominates complexity in keyspace calculation. A 20-character passphrase with no special characters is stronger than an 8-character complex password. Predict these before reading choices by knowing the NIST guidance cold.
Salts Are Not Secret — Know This Precisely
AP exam distractors frequently suggest that "salts must be kept secret" or that "a secret salt is more secure than a public one." Both are wrong. A salt's security property is uniqueness, not secrecy. The salt is stored alongside the hash in plain sight. Its purpose is to ensure that identical passwords hash differently, making precomputed tables useless — even if the attacker knows every salt value. If an answer choice mentions "keeping the salt secret," it is always wrong.
Expect scenario questions that: (1) describe one attempt per account against many accounts — password spraying, defense is MFA; (2) describe instant hash reversal from a stolen database — rainbow table attack, cause is missing salts, defense is per-user random salts; (3) describe login success using credentials from a different breach — credential stuffing, defense is MFA and unique passwords; (4) ask whether bcrypt or MD5 is appropriate — bcrypt is always correct for password storage; (5) ask about NIST rotation policy — rotation is NOT recommended unless compromised.
✎ Predict first: Recall the two specific NIST SP 800-63B guidelines most relevant to this policy before writing.
A school district IT director announces: "Effective immediately, all employee passwords must be reset every 90 days and must contain at least two special characters and one number."
In exactly two sentences: (1) identify which specific NIST SP 800-63B guideline this policy violates, and (2) explain the security reasoning behind NIST’s position. Write in your own words — the model answer will appear after you submit.
NIST SP 800-63B explicitly recommends against mandatory periodic password rotation unless there is confirmed evidence of compromise, because forced rotation causes users to make predictable incremental changes — such as changing "Summer2024!" to "Summer2025!" — that reduce effective entropy without improving security. NIST also recommends prioritizing password length over complexity requirements, since a 20-character passphrase provides significantly more resistance to brute force than an 8-character password with special characters, and complexity rules lead users to write passwords down or reuse them across accounts.
101.2.10 — Frequently Asked Questions
-
What is the difference between a dictionary attack and a brute force attack?
A brute force attack tries every possible character combination systematically. A dictionary attack tests a curated wordlist of probable passwords — common words, names, keyboard patterns, and known breach passwords. Dictionary attacks are far faster against typical human-chosen passwords because most people select predictable, word-based passwords. Brute force is guaranteed to succeed eventually but is impractical against long passwords. The key distinguisher for the AP exam: if the scenario mentions a wordlist, it is a dictionary attack. If it mentions systematic enumeration of all combinations, it is brute force.
-
What is credential stuffing and how does it differ from other password attacks?
Credential stuffing uses username-password pairs harvested from a previous data breach and tests them against entirely different websites. Unlike dictionary or brute force attacks, it does not guess passwords — it uses passwords that real users actually chose. It succeeds because approximately 65% of people reuse passwords across multiple services. The AP exam signal: "breach database," "stolen credentials from another site," or "tested against a different service." The defense is unique passwords per site enforced by a password manager, plus MFA on all accounts.
-
What is password salting and why does it prevent rainbow table attacks?
A salt is a unique, randomly generated string added to each password before hashing. Without salt, two users with the same password produce identical hashes — and precomputed rainbow tables that map millions of common passwords to their hashes can instantly look up the plaintext. With salt, each identical password produces a completely different hash because the salt is different for each user. This makes precomputed tables useless: the attacker would need to rebuild the table from scratch for every possible salt, which is computationally infeasible. Critically, the salt does not need to be secret — its purpose is uniqueness, not secrecy.
-
What does NIST SP 800-63B say about mandatory password rotation and complexity requirements?
NIST SP 800-63B states that organizations should NOT force periodic password rotation unless there is evidence of compromise. Forced rotation causes users to make predictable incremental changes (Password1 to Password2) that reduce effective security. NIST also states that length matters far more than complexity — a 16-character passphrase is dramatically more resistant to brute force than an 8-character complex password. Organizations should block known compromised passwords at creation, support passwords up to 64 characters, and only require rotation when a breach is confirmed or suspected.
-
How do password attacks appear on the AP Cybersecurity exam?
AP Cybersecurity exam questions on password attacks typically present a scenario and ask you to classify the attack type, identify a vulnerability in a password storage design, or select the most effective defense. Common scenario patterns: one attempt per account across many accounts (password spraying), instant hash reversal from a stolen database (rainbow table, cause is missing salts), login using credentials from a different breach (credential stuffing). Defense questions test whether you understand which specific control prevents which specific attack — salting defeats rainbow tables, MFA defeats credential stuffing and password spraying, bcrypt defeats offline brute force, rate limiting defeats online brute force.
• Passwords are stored as SHA-1(username + password) — no per-user random salt, username used as a deterministic salt
• Account lockout triggers after 10 failed attempts per account
• MFA is not deployed on any employee accounts
• 65% of employees reuse passwords from personal accounts
• The onboarding default password is "Hospital2026!"
An attacker has the following resources: (a) a stolen copy of the company's hash database, (b) a list of all 9,000 employee email addresses from LinkedIn, (c) a list of 500 million credential pairs from the 2024 Health Network breach affecting a different company.
Which of the following MOST completely and accurately identifies the attack types available to this attacker AND the single control that would have the broadest impact across all three?
Students submit before leaving.
- List all three CED-specified signs of an online password attack and explain why each indicates an attack rather than normal user behavior. (AP Skill: Analyze Risk)
- An adversary learns a target has a cat named “Mochi,” was born in 1994, and graduated in 2016. How would the CED describe what the adversary does next? (AP Skill: Analyze Risk)
- A user proposes “Mochi1994!” for their bank password. Explain why it fails the CED criteria and suggest a better approach. (AP Skill: Mitigate Risk)
- True or False: enabling MFA makes password strength irrelevant. Explain with a specific scenario where a weak password still causes harm. (AP Skill: Mitigate Risk)
- A team sees 1,200 login attempts in 4 minutes from overseas IPs, then a successful login at 2:47 AM. What happened? Map it to CED concepts. (AP Skill: Analyze Risk)
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews. His AP CSA students score 5s at more than double the national average.
+Continue Learning
Practice what you learned, then move to the next topic in Unit 1:
Unit 1: Introduction to Security — AP Cybersecurity
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]