AP Cybersecurity 1.2: Suspicious Website Logins

Score0 / 10
Score 0 / 10
~60 min read Last Updated: March 2026 Lesson 2 of 5 — Unit 1
AP Cybersecurity — Unit 1: Introduction to Security

Topic 1.2: Suspicious Website Logins

How attackers systematically crack, steal, and reuse passwords — from exhaustive brute force to precomputed rainbow tables — and why password length, hashing algorithms, and salting determine whether a breached database becomes a catastrophe.

Lesson 2 of 5 Skill: Analyze Risk ~60 min Exam Weight: ~15–20% Unit 1 Week 1
Topic 1.2 — Lesson Slides
Password Attacks Slide Deck

Use these slides alongside the lesson or as a quick review before the quiz.

Slides Coming Soon ↗
Coming Soon
Password Attacks Slide Deck
Add your Google Slides embed ID to activate this panel.
★ AP Exam Focus — Topic 1.2

• Identify all three CED signs of an online password attack: many failed attempts in short duration, login at unusual times, login from unknown devices
• Explain the three common password patterns adversaries exploit and how a targeted dictionary is constructed
• Apply the three defenses: long/random/unique passwords or passphrases, avoiding personally meaningful words, enabling MFA
• Distinguish a targeted dictionary attack from a generic brute-force attack
• Recognize that MFA is the highest-value individual defense against password compromise

College Board Essential Knowledge Coverage

Topic 1.2 — What Is Testable

CED Ref Essential Knowledge Covered In
1.2.A.1 Online password attacks: adversaries try common passwords, common patterns, or stolen passwords How Password Attacks Work
1.2.A.2 Three signs: many failed attempts in short duration • login at unusual times • login from unknown devices Signs of an Attack
1.2.B.1 Three common patterns: word(s)+two-digit number+special char at end • pet/family names • personally significant dates Weak Password Patterns
1.2.B.2 Adversaries build a targeted dictionary from personal info gathered about the victim (OSINT) and submit via automated tool Dictionary Attacks
1.2.C.1 Strong passwords: long, random, unique. Password managers or passphrases recommended. Defenses
1.2.C.2 Avoid names, dates, or personally meaningful words when creating passwords Defenses
1.2.C.3 Enable MFA — requires extra proof of identity (e.g., one-time code) beyond the password Defenses

Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 1.A Identify threats • 2.A Identify security controls

♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. A log shows 847 failed login attempts in 3 minutes, then a successful login at 3:14 AM from an unknown IP. Name every CED sign of a password attack present in this scenario.
  2. Someone’s password is “Buddy2018!” — Buddy is their dog and 2018 is their graduation year. Why is this specifically vulnerable to a targeted dictionary attack?
  3. After stealing a password, an adversary is blocked by MFA. They call the user posing as bank support and ask for the authentication code. Which two Unit 1 topics does this combine?

Answers: (1) Many failed attempts in short duration + unusual login time + unknown device/location. (2) Uses pet name and personally significant date — both CED-specified patterns adversaries build targeted dictionaries from. (3) Topic 1.2 (password attack) + Topic 1.1 (vishing to steal the OTP — secure information impact 1.1.C.2).

11.2.1 — Learning Objectives

By the end of this lesson, you will be able to:

  • Define and precisely distinguish brute force, dictionary, credential stuffing, password spraying, and rainbow table attacks by their mechanism and starting conditions
  • Calculate and interpret keyspace size for a given password policy, and explain why length dominates complexity in determining resistance to brute force
  • Explain how passwords are stored using one-way hashing and why fast hash functions (MD5, SHA-1) are inappropriate for password storage
  • Describe what a salt is, how it is applied, and precisely why it defeats rainbow table precomputation
  • Apply NIST SP 800-63B guidance on password policy and explain why forced rotation and complexity requirements are counterproductive
  • Analyze a realistic breach scenario, identify the attack type in use, and select the control that would have specifically prevented it
  • Apply AP exam strategies — predict-first, slash the trash, keyword identification — to password attack MCQ scenarios

21.2.2 — Why Passwords Fail: The Root Causes

Every password attack exploits one or more of three fundamental, predictable weaknesses. Understanding the root cause is the prerequisite for understanding why each attack type works — and which specific defense defeats it.

The Three Root Causes of Password Failure
Root Cause 1 Passwords Are Predictable Human Psychology

People choose memorable words, names, and patterns — the same sequences attackers put in their dictionaries first. Complexity requirements are defeated by substitutions like p@ssw0rd.

Top 5 passwords globally in 2024: password, 123456, qwerty, abc123, 111111.
Defense: Enforce minimum entropy — passphrase length beats character complexity.
Root Cause 2 Passwords Are Reused Reuse Chains

The average user has 90+ accounts but fewer than 10 unique passwords. One breach at any site exposes credentials for every other site where the same password is used.

LinkedIn 2012 breach (117M hashes) was cracked and credential-stuffed against banks years later.
Defense: Password managers enable unique passwords per site at zero cognitive cost.
Root Cause 3 Passwords Are Stored Insecurely Storage Failures

Plaintext storage, weak hashing (MD5/SHA-1 unsalted), or reversible encryption means a database breach instantly exposes all credentials — no cracking needed.

RockYou 2009: 32M plaintext passwords stored with zero hashing. Cracked before the breach was discovered.
Defense: bcrypt/Argon2 with unique salt per account. Never MD5/SHA-1 alone.
AP Exam Tip — Match the Defense to the Root Cause: AP exam defense questions almost always have a specific correct answer. Salting defeats root cause 3 (rainbow tables). MFA defeats root causes 1 and 2. Rate limiting defeats root cause 4. A generic "use stronger passwords" answer is rarely the best choice when a more targeted control is available.
Check for UnderstandingSpot the Error
Q 2 of 10

✎ Predict first: Before reading the choices, identify what is wrong with the statement below.

A security consultant recommends: "To prevent credential stuffing, we should enforce a password complexity policy requiring uppercase letters, lowercase letters, numbers, and symbols. This makes reused passwords harder to guess."

A junior analyst flags this recommendation as flawed. Which of the following BEST identifies the error in the consultant's reasoning?

C is correct. Credential stuffing does not guess passwords — it uses real username-password pairs from a confirmed prior breach. Complexity requirements only raise the bar for guessing attacks; they do nothing against a validated credential pair. The root cause is password reuse, so the targeted defense is unique passwords per service plus MFA. Slash the trash: A is wrong because the mechanism of credential stuffing is reuse, not guessing. D incorrectly conflates credential stuffing with rainbow table attacks — these are completely different attack types.

31.2.3 — Essential Vocabulary & Exam Tips

8 Core Terms — Know All of These Cold
Brute Force
Exhaustive trial of all combinations
Dictionary Attack
Wordlist of probable passwords
Credential Stuffing
Breach data replayed elsewhere
Password Spraying
One password across many accounts
Rainbow Table
Precomputed hash-to-password map
Hash Function
One-way transformation of input
Salt
Random value added before hashing
Keyspace
Total number of possible passwords
Term Precise Definition What Makes It Distinct AP Exam Tip
Brute Force Attack Systematically trying every possible password combination until the correct one is found. Guaranteed to succeed eventually but computationally expensive against long passwords. Exhaustive enumeration. No wordlist. No prior data. Just systematic trial of all possibilities. Time is the only constraint. Key word: "every possible combination." When a scenario says the attacker has no special information and simply tries combinations, it is brute force.
Dictionary Attack Testing a curated wordlist of probable passwords — common words, names, keyboard patterns, sports teams, known breach passwords, and variations thereof. Uses a prepared wordlist of probable passwords. Faster than brute force because it exploits predictable human choices. Cannot crack truly random passwords. Key distinguisher: wordlist. "The attacker used a list of common passwords" = dictionary attack. Far faster than brute force against typical users.
Credential Stuffing Using validated username-password pairs obtained from a prior data breach to authenticate on entirely different websites, exploiting widespread password reuse. Uses confirmed credentials from a real breach. Does not guess — uses known-working pairs. Succeeds because ~65% of users reuse passwords across services. Key signal: "breach database," "stolen credentials," "testing on another site." The attacker already knows the password works somewhere.
Password Spraying Testing one or a few common passwords (e.g., "Summer2025!") across many different accounts to avoid triggering individual account lockout thresholds. Many accounts, one password — the inverse of traditional brute force. Explicitly designed to evade lockout policies by staying below the per-account threshold. Key phrase: "evades account lockout." If the attacker tries the same password on thousands of accounts instead of many passwords on one account, it is password spraying.
Rainbow Table Attack Using a precomputed lookup table mapping millions of known plaintext passwords to their hash values to instantly reverse stolen hashes without recalculating them. Precomputed time-memory tradeoff. Extremely fast once computed. Completely defeated by per-user salting. Requires an offline database of stolen hashes to be useful. Key condition: attack only works on unsalted hashes. If the scenario mentions a stolen hash database AND no salts, the rainbow table attack applies.
Password Hash The output of a one-way cryptographic function applied to a password. Servers store hashes, not plaintext. Verification is done by hashing the submitted password and comparing the result. One-way: you cannot reverse a hash to recover the original password (without precomputation or brute force). Deterministic: same input always produces same hash. MD5 and SHA-1 are fast — too fast for password storage. bcrypt, Argon2, scrypt are slow by design, making offline cracking impractical.
Salt A unique, randomly generated value appended to each user's password before hashing. The salt is stored alongside the hash in the database and is not secret. Makes every hash unique even for identical passwords. Defeats rainbow tables by making precomputed tables invalid — each password now hashes differently. Salts do NOT need to be secret. Their purpose is uniqueness, not secrecy. A salt defeats precomputation; it does not directly defeat offline brute force of a single password.
Keyspace The total number of possible passwords for a given character set and length. Calculated as: (number of possible characters)password length. Every character added multiplies the keyspace by the character set size. Length is exponentially more effective than character set expansion. An 8-character password with 95 printable ASCII characters has 958 ≈ 6.6 trillion combinations. Adding one character multiplies by 95. Adding complexity adds far less.
Check for UnderstandingMatching
Q 3 of 10

✎ Predict first: Before touching the dropdowns, mentally match each attack type to its mechanism.

Match each password attack type to its distinguishing mechanism. Select the correct definition from each dropdown.

Brute Force
Dictionary Attack
Password Spraying
Credential Stuffing
Rainbow Table
Correct matches: Brute Force → systematically tries every combination (E). Dictionary → curated wordlists with mangling rules (C). Password Spraying → one password across many accounts to avoid lockout (B). Credential Stuffing → replays breach credentials on different sites (A). Rainbow Table → precomputed hash-to-plaintext chains (D). The key distinctions: brute force has no wordlist (unlike dictionary), spraying avoids lockout by spreading attempts (unlike brute force or dictionary on one account), credential stuffing uses real stolen passwords (not guesses), and rainbow tables require offline access to a hash database.

41.2.4 — Attack Types In Depth

Surface definitions are necessary but insufficient. You need to understand the mechanics, the edge cases, and the conditions that determine which attack type is in use when a scenario deliberately obscures the classification.

Brute Force Attack ExhaustiveNo Prior Data Required
Brute force is mathematically guaranteed to succeed but practically constrained by time and computational cost. Modern GPUs can test billions of MD5 hashes per second offline. Against a properly implemented bcrypt hash, that same hardware may test only a few hundred per second — reducing a practical attack to centuries. Brute force has two modes: online (guessing against a live login form, limited by network speed and lockout) and offline (cracking against a stolen hash database, limited only by processing power).
Online brute force scenario: An attacker automates login attempts on a banking site, trying "password1", "password2", "password3"... at 5 attempts per second. Without lockout, an 8-character all-lowercase password has 268 = 208 billion combinations — still impractical online. With lockout after 5 tries, the attacker is stopped immediately.
Edge case: Offline brute force against a stolen MD5 hash of "abc123" takes under 1 millisecond on modern hardware. The same password stored with bcrypt (cost factor 12) takes approximately 300 milliseconds — and the attacker must repeat this per password. Hashing algorithm choice determines whether a breach is recoverable.
Dictionary Attack Wordlist-BasedProbability-Optimized
Dictionary attacks don't guess randomly — they guess intelligently. Modern wordlists like RockYou2024 contain over 10 billion real passwords from prior breaches, sorted by frequency. The attacker also applies "mangling rules" that transform base words: "password" → "P@ssw0rd!" → "P@ssw0rd1!" → "PASSWORD1". A dictionary attack with mangling rules can test hundreds of millions of high-probability candidates before ever touching truly random strings.
Real attack scenario: A password auditor runs Hashcat against a stolen hash database using the RockYou wordlist plus common mangling rules. Within 4 hours, 73% of hashes are cracked — not because the passwords were short, but because users chose predictable bases like names, seasons, and sports teams with substitutions.
Key distinction from brute force: A dictionary attack tries probable passwords in order of likelihood. It will fail against a truly random password like "zQm!7xPvR2kL" because that string does not appear in any wordlist. Brute force will eventually crack it. For the AP exam: if the scenario mentions a wordlist or "common passwords," classify as dictionary attack.
Password Spraying Low-and-SlowLockout Evasion
Password spraying is the tactically sophisticated cousin of brute force. Instead of hammering one account with many passwords (which triggers lockout), the attacker tests one or two common passwords against every account in the organization. Most corporate environments have an account lockout threshold of 5–10 attempts. If the attacker sends exactly 2 attempts per account and moves on, they never trigger a single lockout — and in a 10,000-employee organization, statistically several users will have "Summer2025!" as their password.
Enterprise scenario: An attacker obtains a list of all employee email addresses from LinkedIn (OSINT). They test "Welcome1!" against all 8,400 accounts over 3 days using an automated tool, sending one request per account per 2 hours. They compromise 23 accounts without triggering a single lockout alert. None of the compromised users had the most obvious passwords — but all used the organization's default "Welcome" onboarding password without changing it.
AP exam distinguisher: If the scenario describes an attacker testing the same password across many accounts to evade lockout — it is password spraying. If it is many passwords against one account — it is brute force or dictionary. The direction of the attack is the classification signal.
Credential Stuffing Breach Data RequiredExploits Reuse
Credential stuffing is not a guessing attack — it is a replay attack. The attacker uses validated credential pairs from a real prior breach and tests them against unrelated services. The only variable being tested is whether the user reused their password. Commercial tools like Sentry MBA and OpenBullet can test hundreds of millions of credential pairs per day, automatically handling CAPTCHAs and rotating IP addresses.
Cross-service attack: In 2020, an attacker obtains 500 million username-password pairs from the 2019 Facebook data exposure. They run automated testing against Netflix, bank login pages, and email providers. Because 62% of people reuse passwords, the attacker compromises over 300 million accounts on services that had no direct security vulnerability of their own.
Why MFA stops credential stuffing completely: Even with a valid username and password, the attacker cannot complete authentication if MFA is required. A breached password becomes worthless. This is why MFA is the single highest-ROI security control for organizations concerned about credential stuffing — it directly addresses root cause 2.
Rainbow Table Attack OfflinePrecomputed LookupDefeated by Salt
Rainbow tables exploit a time-memory tradeoff: computing hashes is expensive, but looking up values in a table is instantaneous. By precomputing the hash of every word in a massive dictionary and storing the password-hash pairs, an attacker can reverse any hash that appears in the table in milliseconds — regardless of what the original password was. The attack requires: (1) a stolen hash database, (2) that the hashes were computed without salts, and (3) that the original passwords appear in the precomputed table.
Breach scenario: An attacker steals a database of 8 million unsalted MD5 password hashes. They load the CrackStation lookup table (containing pre-hashed versions of over 1.5 billion words and phrases) and run a lookup. In 4 seconds, 6.1 million of the 8 million hashes return exact matches — 76% of the database compromised in seconds with zero computation.
Why salting defeats rainbow tables completely: If each password is stored as hash(password + uniqueSalt), then even if two users both used "password123", their stored hashes are completely different because their salts are different. The attacker would need to build a separate rainbow table for every possible salt value — computationally infeasible. The salt does not need to be secret; its purpose is uniqueness, not secrecy.
Scenario: I, II, and IIIMultiple Correct Answers
Q 4 of 10

✎ Predict first: Evaluate each statement independently before reading the answer choices.

A security team is analyzing three recent incidents at the same company:

I. An attacker used a list of 2 billion username-password pairs obtained from the 2022 Twitter breach and successfully logged in to 41 employee accounts on the company VPN.

II. An attacker tested the password "Welcome1" against all 12,000 employee accounts over 5 days, successfully authenticating 18 accounts without triggering any lockout alerts.

III. An attacker cracked all 9 million password hashes from the company's stolen database in under 1 minute using a precomputed lookup table. No errors were returned for hashes stored with the new bcrypt algorithm.

Which statements correctly identify an attack that is NOT defeated by account lockout policies?

D is correct. Evaluate each independently: Statement I (credential stuffing) — uses valid credentials, so each attempt is a "legitimate" single login from each account's perspective. Lockout does not trigger with one correct login per account. Statement II (password spraying) — explicitly designed to stay below lockout thresholds by testing one password per account. Statement III (rainbow table) — operates entirely offline against a stolen hash database; the live system's lockout mechanism is irrelevant because no login attempts are made against the live system at all. All three are unaffected by account lockout. Slash the trash: B is wrong because it excludes credential stuffing (I), which is also clearly lockout-immune. C is wrong because it excludes rainbow tables (III), which are entirely offline.

51.2.5 — How Password Hashing Works

Correct password storage is a foundational defense against offline cracking attacks. Understanding the mechanism — and the specific ways it can fail — is required knowledge for the AP exam.

Why Passwords Are Hashed, Not Encrypted

Encryption is reversible: if the decryption key is exposed, all passwords are exposed. Hashing is a one-way transformation: given the hash output, you cannot mathematically reverse it to recover the input. Servers never need to know your actual password — they only need to verify that what you typed, when hashed, matches the stored hash.

Login Verification Flow

User types "mypassword" → Server computes hash("mypassword") → Result compared to stored hash → Match = authenticated. The server never stores, transmits, or sees the original password after the hash is computed at account creation.

Why Fast Hash Functions (MD5, SHA-1) Are Dangerous for Passwords

MD5 and SHA-1 were designed to be fast — optimal for their actual purpose of verifying file integrity. For password storage, speed is the enemy. A modern GPU can compute approximately 10 billion MD5 hashes per second offline. Against a stolen database of unsalted MD5 hashes, an attacker can test every entry in the RockYou wordlist in milliseconds.

bcrypt, Argon2, and scrypt solve this by being intentionally slow. They are configurable: you can increase the "work factor" as hardware improves. At bcrypt cost factor 12, the same GPU can test approximately 300 hashes per second — 33 million times slower than MD5. An attacker who steals a bcrypt hash database faces a fundamentally different (and impractical) cracking problem.

Salting: The Defense Against Precomputation

A salt is a randomly generated string (typically 16–32 bytes) that is generated uniquely for each user at account creation, appended to the password before hashing, and stored alongside the resulting hash in the database.

Salt Demo: Same Password, Completely Different Hashes
No Salt
User A: hash("password123") = 5f4dcc3b5aa765d61d8327de
User B: hash("password123") = 5f4dcc3b5aa765d61d8327de
Identical hashes reveal identical passwords. Rainbow table lookup: instant.
With Salt
User A: hash("password123" + "a7f3c9b2") = 8d4e1f92ab30c7...
User B: hash("password123" + "q2x8m5k1") = 2c9f47e63ba81d...
Different salts produce completely different hashes. Precomputed tables are useless.

NIST SP 800-63B: The Password Policy That Changes Everything

The National Institute of Standards and Technology's digital identity guidelines issued in 2017 reversed decades of counterproductive password advice. The key counterintuitive recommendations:

NIST Rule 1
Do NOT Force Periodic Rotation

Forced monthly or quarterly password changes cause users to make predictable incremental changes: "Summer2025!" becomes "Fall2025!" becomes "Winter2026!". These are trivially guessable. Rotation should only be required when a breach is confirmed or suspected.

Old advice: Change every 90 days. NIST 800-63B: Change only when compromised. The old policy actively reduced security.
NIST Rule 2
Length Beats Complexity

A 16-character passphrase "purple-horse-lamp-cup" is dramatically more resistant to brute force than "P@ss!234" despite containing no special characters. Keyspace grows exponentially with length but only linearly with character variety.

Math: 2616 = 4.4 x 1022 possible 16-char lowercase strings. 958 = 6.6 x 1015 possible 8-char "complex" passwords. The passphrase wins by 7 million-to-one.
NIST Rule 3
Block Compromised Passwords

New passwords should be checked against a database of known-breached passwords at creation time. If a user tries to set "password123", it should be rejected — not because it lacks complexity, but because it appears in every attacker wordlist ever compiled.

Tools: Have I Been Pwned API allows services to check new passwords against 10+ billion breached credentials without sending the actual password.
NIST Rule 4
Support Long Passwords

NIST recommends supporting passwords up to 64 characters minimum. Truncating passwords at 16 or 20 characters prevents passphrases from achieving their full security benefit. Password managers generate 40+ character random strings — systems must accept them.

Implication: A policy that enforces complexity but caps at 12 characters is actively less secure than a policy allowing 40-character passphrases with minimal complexity requirements.
Check for UnderstandingFill in the Blank
Q 5 of 10

✎ Predict first: Before placing any words, trace the full salting process in your head from plaintext to stored hash.

Complete the description of the salting process by placing each word chip into the correct blank. Click a word chip to select it, then click the blank where it belongs. Click a filled blank to return the chip to the bank.

Word Bank random salt plaintext password slow hash function unique hash encryption key MD5 checksum
A is generated uniquely for each user and combined with the before being passed to a like bcrypt. The result is a stored alongside the salt — making precomputed rainbow table lookups useless.
The correct sequence: random salt → combined with plaintext password → passed to a slow hash function (bcrypt/Argon2) → produces a unique hash. The two distractors reveal common misconceptions: (1) encryption key — passwords should be hashed, not encrypted; encryption is reversible, hashing is not; (2) MD5 checksum — MD5 is a fast hash, the exact opposite of what you want for passwords. A slow function like bcrypt makes each guess computationally expensive. The salt does not need to be secret — its job is uniqueness, not secrecy.

61.2.6 — Real-World Case Studies

These three breaches demonstrate the difference between theoretical attack mechanics and catastrophic real-world outcomes. Each illustrates a specific, testable AP exam concept.

2012 LinkedIn BreachUnsalted SHA-1 Hashes — Rainbow Table Attack at Scale

In 2012, attackers stole approximately 6.5 million LinkedIn password hashes. LinkedIn had stored passwords using SHA-1 — a fast hashing algorithm — without per-user salts. Immediately after the breach, the hashes were posted to online forums. Within 24 hours, security researchers had cracked approximately 90% of the hashes using precomputed lookup tables. The 2016 reanalysis revealed the breach was actually 117 million accounts.

Because SHA-1 is fast (approximately 5 billion hashes per second on a modern GPU) and the hashes had no salts, recovering the original passwords was essentially free computation. Passwords that took years to appear in breach lists — because they were slightly unusual — were cracked within days as attackers worked through progressively less common wordlist entries.

AP Lesson

Textbook rainbow table / fast hash attack enabled by missing salts. The defense was not a stronger hash algorithm alone — it was per-user random salts plus a slow algorithm (bcrypt). LinkedIn's 2012 failure became the definitive real-world example of what NIST SP 800-63B addressed in its storage guidance.

2019 Collection #1 Mega-BreachCredential Stuffing at 770 Million Accounts

In January 2019, security researcher Troy Hunt published findings on "Collection #1" — a compilation of 772 million email addresses and 21 million unique passwords aggregated from thousands of prior breaches. This was not a single breach of one company; it was a curated database assembled specifically for credential stuffing operations.

Within weeks of its exposure, credential stuffing tool traffic against banking and e-commerce sites spiked by 200%. The data provided attackers with pre-validated credential pairs at scale: for every 10 million pairs tested, approximately 1–2% successfully authenticated on unrelated sites — yielding 100,000–200,000 compromised accounts per 10 million attempts, with zero guessing required.

AP Lesson

Credential stuffing succeeds even when the target site has perfect security, because it exploits password reuse on the user side. The defense is MFA and unique-per-site passwords enforced by password managers — not stronger login page security.

2021 SolarWinds-Adjacent AttacksPassword Spraying Against Microsoft 365

In the aftermath of the 2020 SolarWinds compromise, investigators discovered that several affected organizations had been separately compromised via password spraying attacks targeting Microsoft 365 accounts. Attackers tested a small number of common passwords — including vendor defaults and seasonal patterns — against large lists of valid corporate email addresses obtained from OSINT and phishing kit logs. Organizations without MFA saw mass account compromises without any lockout alerts triggering.

Because each account received at most 2–3 login attempts, the attack was invisible to threshold-based monitoring. Only behavioral analysis — detecting logins from unusual geographies or devices — flagged the campaign after damage had already occurred.

AP Lesson

Password spraying exploits the statistical certainty that some employees will use default or common passwords, combined with the architectural limitation that account lockout cannot detect cross-account low-frequency attacks. The defense is MFA plus behavioral analytics — not lockout policy alone.

Case Study: Classify and DefendScenario — Classify
Q 6 of 10
A hospital IT team discovers that an attacker accessed 34 employee VPN accounts over the previous two weeks. Security logs show that each of the 34 accounts had exactly one failed login attempt followed by one successful login, both from the same external IP. The successful logins used the password "Hospital2025!" — which matched the organization's default onboarding password that employees were supposed to change within 30 days.

Which attack and defense pairing is MOST accurate for this scenario?

B is correct. The defining features: one password ("Hospital2025!") tested against many accounts, with only 1–2 attempts per account — the textbook signature of password spraying designed to stay below lockout thresholds. The specific default password made this trivially successful. Defenses: MFA prevents authentication even with the correct password; forcing password change at first login eliminates the default credential attack surface. Slash the trash: A is wrong — bcrypt defends offline hash cracking, irrelevant here since no hash database was mentioned. C is wrong — credential stuffing uses breach data from other sites, not one shared default password. D is actively counterproductive — a higher lockout threshold makes spraying easier, not harder.

71.2.7 — Defense Strategies

Password attack defense requires matching the right control to the specific attack type. A control that defeats rainbow tables does nothing against credential stuffing. Understanding the mechanism is the prerequisite for selecting the correct defense on the AP exam.

Technical Controls

  • Per-user random salts before hashing (defeats rainbow tables entirely)
  • bcrypt, Argon2, or scrypt for password storage — not MD5 or SHA-1 (defeats offline brute force by making each guess computationally expensive)
  • Multi-Factor Authentication (MFA) on all accounts (defeats credential stuffing and password spraying even when passwords are correct)
  • Account lockout after 5–10 failed attempts (defeats online brute force and naïve dictionary attacks)
  • Rate limiting login endpoints (slows automated online attacks)
  • Breached-password check at account creation using Have I Been Pwned API (blocks the use of known-compromised passwords)
  • CAPTCHA challenges after repeated failures (deters automated attacks)
  • Phishing-resistant hardware security keys (FIDO2) for high-value accounts

Policy and Human Controls

  • Require minimum 16-character passphrases rather than 8-character complex passwords (NIST 800-63B guidance)
  • Eliminate default passwords — force unique credentials at first login (defeats spraying using default patterns)
  • Mandate password manager use to enforce unique passwords per site (defeats credential stuffing at root)
  • Do NOT require periodic rotation unless breach is confirmed (NIST 800-63B — prevents predictable incremental changes)
  • Security awareness training on password reuse, credential theft, and phishing
  • Out-of-band verification for high-stakes actions even when login succeeds
  • Behavioral analytics to detect low-frequency, cross-account spraying patterns invisible to lockout thresholds
Attack Type Root Cause Lockout Stops It? Primary Defense
Brute Force (Online)
Unlimited attempts allowed ✓ Yes — directly Account lockout + rate limiting
Brute Force (Offline)
Weak hashing — hash stolen from DB ✗ No — offline, no server bcrypt/Argon2 + salt Exam Trap
Dictionary Attack
Predictable password choices △ Only if online Strong passphrase policy + lockout
Rainbow Table
Unsalted hashes in storage ✗ No — precomputed Salt (random, unique per account) Exam Trap
Credential Stuffing
Password reuse across sites △ Only high-frequency Unique passwords + breach monitoring
Password Spraying
Common passwords still in use ✗ Low frequency evades lockout Block common passwords + MFA Exam Trap
Why Complexity Requirements Fail — The NIST Finding

Mandatory complexity (uppercase + lowercase + number + symbol) at 8 characters has a keyspace of 958 ≈ 6.6 trillion. A 16-character all-lowercase passphrase has a keyspace of 2616 ≈ 4.4 x 1022 — over 6.6 billion times larger. Complexity theater makes passwords harder to remember without proportionally improving security. NIST now explicitly recommends against arbitrary complexity rules in favor of length minimums and breach-password screening.

Check for UnderstandingOrdering
Q 7 of 10

✎ Predict first: Before moving any steps, trace the password spraying attack from start to finish in your head.

These five steps describe how a password spraying attack avoids detection. Use the arrows to place them in the correct chronological order, then click Check Order.

Use ▲ ▼ to move steps up or down. The number on the left shows current position.

1
Exactly one login attempt is made per account — never exceeding the lockout threshold for any single account
2
Approximately 0.5–2% of accounts are compromised — yielding hundreds of valid credentials against a large enterprise
3
Attacker harvests a list of valid employee usernames from LinkedIn, company website, and email format guessing
4
Attacker waits 30–60 minutes before attempting the next password — timing designed to stay under detection thresholds
5
Attacker selects one widely used password (e.g., "Company2024!") known to meet common complexity requirements
Correct order: (1) Harvest usernames via OSINT → (2) Select one common password meeting complexity rules → (3) One attempt per account, never triggering lockout → (4) Wait 30–60 minutes before the next password cycle → (5) Collect compromised accounts. The key insight is steps 3 and 4 working together: low volume per account plus timing delays defeat both account lockout and anomaly detection. The attack is slow but virtually undetectable with standard controls. Defense: MFA, login anomaly detection across accounts (not just per-account), and blocking known weak passwords at creation.

!Common AP Exam Mistakes — Topic 1.2

Mistake Why It’s Wrong What to Do Instead
Thinking complex-looking passwords are automatically strong “P@ssw0rd” follows known substitution patterns adversary tools include. Complexity ≠ strength. Strong = long + random + unique. Avoid substitutions of dictionary words.
Confusing dictionary attack with brute-force Brute-force tries every combination. Dictionary attack uses a targeted list from personal info. The CED describes dictionary attacks specifically. Dictionary = targeted list from OSINT. Brute-force = exhaustive enumeration of all possibilities.
Saying MFA makes password strength irrelevant MFA adds a second factor but a compromised password remains a risk — especially if MFA is bypassed via social engineering (1.1 OTP theft). Both strong passwords and MFA are needed together.
Missing “unusual login times” as a sign of attack Students remember failed attempts and unknown devices but forget unusual times. The CED lists all three. Memorize all three: many failed attempts • unusual times • unknown devices.
Recommending short complex passwords over long simple ones Length matters more than complexity for resisting brute-force. A long passphrase beats a short complex password by orders of magnitude. CED says: long, random, unique. Passphrases are an explicitly listed valid approach.
Premium Feature

1-on-1 Expert Support

Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.

Learn About Expert Sessions →

81.2.8 — Worked Examples: Predict First, Then Classify

Apply the predict-first approach to every scenario question: form your own classification before reading the answer choices. This prevents convincing distractors from swaying you away from a correct prediction.

1
The Breach-Driven Login Surge
Scenario: Three weeks after a major retail chain reports a breach of 80 million customer records including email addresses and passwords, Spotify reports an unusual spike in login failures across millions of accounts. In each case, exactly one login attempt is made per account using the email address from the retail breach. Approximately 1.2 million Spotify accounts are successfully accessed, despite Spotify itself having no security vulnerability.
1

Predict Before Looking at Options

The attacker has credentials from a prior breach (retail chain). Testing them against a completely different service (Spotify). One attempt per account. No guessing involved. Prediction: credential stuffing.

2

Slash the Trash

Brute force? Would be many attempts per account — eliminate. Dictionary attack? Would test multiple passwords per account from a wordlist — eliminate. Rainbow table? Requires a stolen hash database, not a login endpoint — eliminate. Password spraying? Would test the same password across many accounts — eliminate. Credential stuffing is the only match: uses prior breach data, one attempt per account, targets a different site.

3

Identify the Key Defense

  • MFA on Spotify — would have stopped all 1.2M logins even with the correct password
  • Password manager use — would have prevented reuse between retail and Spotify accounts
  • Better retail security — would have prevented the original breach, but Spotify itself had no vulnerability to fix
Classification

Credential stuffing. Spotify had no security failure — they were an innocent victim of another company's breach combined with users' password reuse habit. The defense for Spotify is MFA. The defense for users is unique passwords per service managed by a password manager.

2
The Instant Crack — What Went Wrong?
Scenario: A startup's database is breached and 4 million password hashes are stolen. A security researcher analyzes the breach and reports that the attacker recovered 3.8 million plaintext passwords within 8 minutes using nothing but a laptop and a publicly downloadable lookup table. The remaining 200,000 hashes returned no matches. The startup's engineering team is bewildered: "We used a hash function — how was this possible?"
1

Diagnose the Storage Failure

The attacker used a "publicly downloadable lookup table" (rainbow table) and recovered 95% of hashes in 8 minutes. The 200,000 that resisted were likely either unique long passphrases not in any wordlist, or — more likely — the accounts that had been migrated to bcrypt during a later security update. Prediction: unsalted fast hash (MD5 or SHA-1 most likely).

2

Identify Every Failure Present

  • No per-user salts: Identical passwords produced identical hashes, and precomputed tables mapped them instantly
  • Fast hash algorithm: The attack required no brute force — but if it had, MD5's speed would still have made cracking practical
  • Predictable passwords: 95% of users chose passwords that appear in a general wordlist
Classification & Root Cause

Rainbow table attack enabled by missing salts and a fast hash function. The engineering team's error: using a hash function does not mean using the right hash function correctly. The fix is bcrypt or Argon2 with per-user randomly generated salts — which explains why the 200,000 bcrypt-hashed accounts were not cracked.

Worked Example CheckScenario — Evaluate
Q 8 of 10
A password auditor tests a company's resilience by running an automated tool that sends login requests to the company's Office 365 portal. The tool tests the password "Welcome123!" against 15,000 employee accounts over a 6-day period, sending requests from rotating IP addresses and limiting attempts to one per account per 12 hours. Zero lockouts are triggered. The auditor successfully authenticates 72 accounts.

Consider the following two statements about this scenario:
I. The attack is password spraying because one password is tested against many accounts, explicitly designed to avoid triggering per-account lockout thresholds.
II. Deploying account lockout with a threshold of 3 attempts would have completely prevented this attack.

Which evaluation of Statements I and II is MOST accurate?

B is correct. Statement I is correct — one password, many accounts, designed to stay below lockout thresholds is the definition of password spraying. Statement II is incorrect — account lockout triggers after N failed attempts per account. If the attacker sends exactly one attempt per account, even a threshold of 1 would not trigger a lockout (since there are no repeated failures on any single account). The correct defense is MFA, behavioral analytics detecting the pattern across accounts, and eliminating the predictable default password. Slash the trash: C incorrectly classifies the attack as credential stuffing — credential stuffing uses breach data with known valid credentials, not one untested common password.

91.2.9 — AP Exam Strategy: Password Attack Questions

Tip 1

Identify What the Attacker Starts With

Before classifying the attack, ask: what raw material does the attacker have? Nothing — just a username = brute force or dictionary. A list of common passwords = dictionary. Breach database of validated credentials = credential stuffing. Stolen hash database = rainbow table or offline brute force. The starting material determines the attack type before you even read the answer choices.

Tip 2

Identify the Direction: One Account vs. Many Accounts

Many passwords tested against one account = brute force or dictionary attack (vulnerable to lockout). One password tested against many accounts = password spraying (explicitly lockout-immune). This single axis eliminates two wrong answers on almost every password attack classification question.

Tip 3

Highlight Keywords: NEVER / ALWAYS / NOT / EXCEPT

Flag these words before reading answer choices. Common AP question patterns: "Which of the following is NOT protected by account lockout?" (answer: credential stuffing, password spraying, rainbow table attacks — all offline or lockout-immune) and "Which password storage design ALWAYS defeats rainbow table attacks?" (answer: per-user random salts, regardless of algorithm speed).

Tip 4

Match the Defense Precisely to the Attack

The AP exam frequently gives you a scenario and asks for the "most effective" or "specifically prevents" defense. Generic answers ("use stronger passwords") are almost never correct when a targeted control is available. Salting → defeats rainbow tables. MFA → defeats credential stuffing and spraying. bcrypt/Argon2 → defeats offline brute force. Rate limiting → defeats online brute force. Match the mechanism of the attack to the mechanism of the defense.

Tip 5

NIST Counterintuitive Facts Are Exam Favorites

Questions that test NIST 800-63B guidance are common because the answers are counterintuitive: forced rotation reduces security (not increases it). Complexity requirements do not meaningfully increase security against real-world attacks. Length dominates complexity in keyspace calculation. A 20-character passphrase with no special characters is stronger than an 8-character complex password. Predict these before reading choices by knowing the NIST guidance cold.

Tip 6

Salts Are Not Secret — Know This Precisely

AP exam distractors frequently suggest that "salts must be kept secret" or that "a secret salt is more secure than a public one." Both are wrong. A salt's security property is uniqueness, not secrecy. The salt is stored alongside the hash in plain sight. Its purpose is to ensure that identical passwords hash differently, making precomputed tables useless — even if the attacker knows every salt value. If an answer choice mentions "keeping the salt secret," it is always wrong.

High-Frequency AP Cyber Password Attack Patterns

Expect scenario questions that: (1) describe one attempt per account against many accounts — password spraying, defense is MFA; (2) describe instant hash reversal from a stolen database — rainbow table attack, cause is missing salts, defense is per-user random salts; (3) describe login success using credentials from a different breach — credential stuffing, defense is MFA and unique passwords; (4) ask whether bcrypt or MD5 is appropriate — bcrypt is always correct for password storage; (5) ask about NIST rotation policy — rotation is NOT recommended unless compromised.

AP Exam Strategy CheckConstructed Response
Q 9 of 10

✎ Predict first: Recall the two specific NIST SP 800-63B guidelines most relevant to this policy before writing.

A school district IT director announces: "Effective immediately, all employee passwords must be reset every 90 days and must contain at least two special characters and one number."

In exactly two sentences: (1) identify which specific NIST SP 800-63B guideline this policy violates, and (2) explain the security reasoning behind NIST’s position. Write in your own words — the model answer will appear after you submit.

0 characters
Model Answer

NIST SP 800-63B explicitly recommends against mandatory periodic password rotation unless there is confirmed evidence of compromise, because forced rotation causes users to make predictable incremental changes — such as changing "Summer2024!" to "Summer2025!" — that reduce effective entropy without improving security. NIST also recommends prioritizing password length over complexity requirements, since a 20-character passphrase provides significantly more resistance to brute force than an 8-character password with special characters, and complexity rules lead users to write passwords down or reuse them across accounts.

Key concepts to include: mandatory rotation → predictable incremental changes. Length > complexity. NIST recommends blocking known compromised passwords instead of forcing rotation. Only require reset when compromise is confirmed. If your response covered both the rotation guideline and the reasoning, you have a strong answer.

101.2.10 — Frequently Asked Questions

  • What is the difference between a dictionary attack and a brute force attack?

    A brute force attack tries every possible character combination systematically. A dictionary attack tests a curated wordlist of probable passwords — common words, names, keyboard patterns, and known breach passwords. Dictionary attacks are far faster against typical human-chosen passwords because most people select predictable, word-based passwords. Brute force is guaranteed to succeed eventually but is impractical against long passwords. The key distinguisher for the AP exam: if the scenario mentions a wordlist, it is a dictionary attack. If it mentions systematic enumeration of all combinations, it is brute force.

  • What is credential stuffing and how does it differ from other password attacks?

    Credential stuffing uses username-password pairs harvested from a previous data breach and tests them against entirely different websites. Unlike dictionary or brute force attacks, it does not guess passwords — it uses passwords that real users actually chose. It succeeds because approximately 65% of people reuse passwords across multiple services. The AP exam signal: "breach database," "stolen credentials from another site," or "tested against a different service." The defense is unique passwords per site enforced by a password manager, plus MFA on all accounts.

  • What is password salting and why does it prevent rainbow table attacks?

    A salt is a unique, randomly generated string added to each password before hashing. Without salt, two users with the same password produce identical hashes — and precomputed rainbow tables that map millions of common passwords to their hashes can instantly look up the plaintext. With salt, each identical password produces a completely different hash because the salt is different for each user. This makes precomputed tables useless: the attacker would need to rebuild the table from scratch for every possible salt, which is computationally infeasible. Critically, the salt does not need to be secret — its purpose is uniqueness, not secrecy.

  • What does NIST SP 800-63B say about mandatory password rotation and complexity requirements?

    NIST SP 800-63B states that organizations should NOT force periodic password rotation unless there is evidence of compromise. Forced rotation causes users to make predictable incremental changes (Password1 to Password2) that reduce effective security. NIST also states that length matters far more than complexity — a 16-character passphrase is dramatically more resistant to brute force than an 8-character complex password. Organizations should block known compromised passwords at creation, support passwords up to 64 characters, and only require rotation when a breach is confirmed or suspected.

  • How do password attacks appear on the AP Cybersecurity exam?

    AP Cybersecurity exam questions on password attacks typically present a scenario and ask you to classify the attack type, identify a vulnerability in a password storage design, or select the most effective defense. Common scenario patterns: one attempt per account across many accounts (password spraying), instant hash reversal from a stolen database (rainbow table, cause is missing salts), login using credentials from a different breach (credential stuffing). Defense questions test whether you understand which specific control prevents which specific attack — salting defeats rainbow tables, MFA defeats credential stuffing and password spraying, bcrypt defeats offline brute force, rate limiting defeats online brute force.

End of Lesson — CumulativeIntegrative
Q 10 of 10
A security audit of a healthcare company reveals the following facts:

• Passwords are stored as SHA-1(username + password) — no per-user random salt, username used as a deterministic salt
• Account lockout triggers after 10 failed attempts per account
• MFA is not deployed on any employee accounts
• 65% of employees reuse passwords from personal accounts
• The onboarding default password is "Hospital2026!"

An attacker has the following resources: (a) a stolen copy of the company's hash database, (b) a list of all 9,000 employee email addresses from LinkedIn, (c) a list of 500 million credential pairs from the 2024 Health Network breach affecting a different company.

Which of the following MOST completely and accurately identifies the attack types available to this attacker AND the single control that would have the broadest impact across all three?

D is correct. All three attacks are viable: (a) the stolen hash database is SHA-1 with a deterministic "salt" (username), enabling rainbow table or fast offline dictionary attack; (b) the default password "Hospital2026!" plus 9,000 LinkedIn addresses enables password spraying under the 10-attempt lockout threshold; (c) the 65% password reuse rate plus the 500M Health Network breach credentials enables credential stuffing. MFA defeats all three: even a cracked hash (a) is useless if the attacker cannot complete the second factor; spraying (b) succeeds at authentication but fails at MFA; stuffed credentials (c) cannot authenticate past MFA. C is a strong distractor but bcrypt only fixes the offline hash cracking — it does nothing against spraying or stuffing, which do not require cracking hashes. A is wrong: NIST explicitly states rotation is counterproductive and does not address offline or stuffing attacks. B incorrectly states credential stuffing requires hashes from the same company — it requires only that employees reused passwords from the other breach.
📋 Exit Ticket — Topic 1.2 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. List all three CED-specified signs of an online password attack and explain why each indicates an attack rather than normal user behavior. (AP Skill: Analyze Risk)
  2. An adversary learns a target has a cat named “Mochi,” was born in 1994, and graduated in 2016. How would the CED describe what the adversary does next? (AP Skill: Analyze Risk)
  3. A user proposes “Mochi1994!” for their bank password. Explain why it fails the CED criteria and suggest a better approach. (AP Skill: Mitigate Risk)
  4. True or False: enabling MFA makes password strength irrelevant. Explain with a specific scenario where a weak password still causes harm. (AP Skill: Mitigate Risk)
  5. A team sees 1,200 login attempts in 4 minutes from overseas IPs, then a successful login at 2:47 AM. What happened? Map it to CED concepts. (AP Skill: Analyze Risk)
Answer Key: (1) Many failed attempts (normal users don’t fail hundreds of times); unusual times (users have consistent patterns); unknown devices (users log in from known devices). (2) CED 1.2.B.2: construct a targeted dictionary from personal info and submit via automated tool. (3) Fails: pet name + personally significant date — both CED patterns to avoid. Better: password manager or passphrase. (4) False. If MFA is bypassed via OTP theft (social engineering), a weak password leaves the account exposed. Both are needed. (5) Dictionary attack using OSINT-built list. Signs: many failed attempts + unusual time + automated volume.
TC
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews. His AP CSA students score 5s at more than double the national average.

11+ Years Teaching AP CS 2,067+ Verified Tutoring Hours 499+ Five-Star Reviews 54.5% of Students Score 5s 5.0 Rating on Wyzant
Content last reviewed and updated: March 2026
← Lesson 1: Social Engineering Exercise 1 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]