1.2 Quiz: Password Attacks | AP Cybersecurity

AP Cyber Hub Unit 1 1.1 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.2 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.3 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.4 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.5 ▼ Lesson Ex 1 Ex 2 Lab Quiz

AP Cybersecurity / Course Home / Unit 1 / 1.2 Lesson / Quiz

Unit 1 • Lesson 1.2 • Quiz

Password Attacks — Quiz

5 questions • Predict first • Instant per-question feedback

Skills: 1.A, 1.B, 2.A Format: 4 MCQ • 1 Scenario (I, II, III) Time: ~12 min

✓ Lesson ✓ Exercise 1 ✓ Exercise 2 ▶ Quiz

Score 0 / 5

Question 1 of 5

✎ Predict first: Identify the attack type before reading the choices.

An attacker obtains a text file containing 300 million email-and-password pairs leaked in the 2023 breach of a fitness-tracking app. Over the next 72 hours, the attacker submits one login attempt per account to a major online bank, using the exact credentials from the leak. The bank’s security team notices no lockout events and no unusual failed-login spikes — only a steady stream of successful logins from new devices.

Which attack type is described, and why does the bank’s account lockout policy NOT prevent it?

ADictionary attack, because the attacker is using a wordlist of probable passwords that bypasses lockout by staying below the threshold BPassword spraying, because only one password is tested per account, making it architecturally immune to per-account lockout CCredential stuffing, because the attacker submits one confirmed-working credential pair per account — never triggering lockout — and exploits password reuse rather than guessing DBrute force, because the attacker is testing every possible combination of credentials from the leaked dataset at one attempt per account

AP Exam Tip

The signal for credential stuffing is always prior breach data + a different target site. The attacker is not guessing — they are replaying. Lockout cannot stop an attack that sends exactly one correct attempt per account. Slash the trash: brute force would require many attempts per account; password spraying uses one shared common password across accounts (not unique pairs from a breach); dictionary attack uses a wordlist of probable guesses, not confirmed credentials.

Question 2 of 5

✎ Predict first: Identify the error in the developer’s statement before reading the choices.

A startup’s lead developer announces: “We store all passwords by hashing them with SHA-256 before saving to the database. Because we also prepend the user’s username to the password before hashing — for example, hash(‘jsmith’ + ‘mypassword’) — our system is fully protected against both rainbow table attacks and offline brute force cracking.”

A security auditor flags this implementation as flawed. Which of the following BEST identifies the weakness?

AThe implementation is correct — prepending the username creates a unique value for each user, which is functionally equivalent to a salt and fully protects against precomputed attacks BUsernames are deterministic and publicly known, so an attacker can precompute a rainbow table for each specific username — and SHA-256’s speed makes offline brute force against the stolen hashes practical; a random per-user salt and a slow algorithm like bcrypt are both required CThe flaw is that SHA-256 should be replaced with MD5, which is a more modern and secure hashing algorithm designed specifically for password storage DThe username prepend is insecure only because usernames contain special characters that corrupt the hash function input

AP Exam Tip

Two separate flaws exist here: (1) deterministic “salt” — the username is public and predictable, so an attacker who knows the username can precompute a targeted rainbow table for that user; and (2) fast algorithm — SHA-256 is optimized for speed, allowing billions of guesses per second offline. A proper implementation requires a randomly generated per-user salt (unpredictable, even if the attacker knows usernames) plus bcrypt/Argon2 (slow by design). MD5 (option C) is worse than SHA-256 for password storage, not better.

Question 3 of 5

✎ Predict first: Which specific NIST SP 800-63B guideline is violated here?

A corporate IT policy requires all employees to change passwords every 60 days. Employees must use at least 10 characters including one uppercase letter, one number, and one special symbol. New passwords cannot match the previous five passwords. After implementing this policy, the IT team discovers that 78% of employees are cycling through patterns like “Company1!”, “Company2!”, “Company3!”.

Which statement MOST accurately identifies the policy flaw and its security consequence?

AThe policy is sound; the employees are failing to comply, so the solution is stricter enforcement and disciplinary action for predictable passwords BThe flaw is the 10-character minimum; NIST recommends exactly 8 characters with maximum complexity requirements to prevent guessing CThe policy is flawed only because it permits special symbols, which actually reduce keyspace by narrowing what characters users choose DThe forced 60-day rotation violates NIST SP 800-63B, which recommends against periodic rotation because it predictably causes users to make minimal incremental changes that an attacker who knows the pattern can easily enumerate

AP Exam Tip

NIST SP 800-63B counterintuitive facts are high-frequency exam targets: forced rotation reduces security rather than increasing it, because it drives predictable incremental patterns. The employees are not “failing to comply” — they are responding rationally to an unworkable policy. The correct approach is: no forced rotation unless compromised, minimum 15–16 character length, block known-breached passwords at creation, and support passphrases up to 64 characters.

Question 4 of 5

✎ Predict first: Evaluate each statement independently before reading the choices.

A security engineer proposes the following changes to a company’s authentication system after a breach:

I. Replace MD5 password hashing with bcrypt at cost factor 12, which will reduce offline cracking speed from approximately 10 billion guesses per second to approximately 300 per second on the same hardware.

II. Add a mandatory 90-day password rotation policy so that even if a password is cracked from the stolen hash database, the cracked credential will only be valid for a maximum of 90 days.

III. Deploy per-user randomly generated salts so that two users with identical passwords produce completely different stored hashes, defeating precomputed lookup table attacks.

Which statements describe changes that would genuinely improve resistance to the attacks they claim to address?

AI only — bcrypt is the only meaningful improvement; salting and rotation have no impact on offline cracking BI and II only — bcrypt slows offline cracking and rotation limits credential validity windows CI and III only — bcrypt genuinely slows offline brute force and random salts genuinely defeat rainbow table precomputation; forced rotation is counterproductive per NIST SP 800-63B because it drives predictable incremental passwords DI, II, and III — all three changes provide independent layers of defense against offline cracking attacks

AP Exam Tip

I and III are both genuine, targeted improvements: bcrypt directly defeats offline brute force by making each hash guess expensive; random salts directly defeat precomputed rainbow tables by ensuring every hash is unique. Statement II sounds reasonable but contradicts NIST — forced rotation causes users to cycle through predictable patterns, producing passwords like “Company60!” that an attacker who recovered “Company59!” could trivially guess. The validity window argument fails in practice because the pattern is crackable before expiration.

Question 5 of 5

✎ Predict first: For each attack resource listed, name the attack type and the single control that stops it.

A penetration tester is hired to assess a mid-sized hospital’s authentication posture. The tester discovers the following:

• Passwords are stored as bcrypt hashes with unique per-user salts (cost factor 10)
• Employee accounts have no MFA
• The default onboarding password is “Welcome2026!” and 23% of accounts have never changed it
• 61% of employees reuse their hospital password for personal email, based on a voluntary survey
• Account lockout triggers after 8 failed attempts per account

The tester has access to: (a) a LinkedIn scrape of all 1,400 employee emails, and (b) 400 million credential pairs from the 2024 breach of a national pharmacy chain.

Which of the following MOST accurately identifies the attacks available to the tester AND the single control with the broadest impact across all viable attacks?

ARainbow table attack against the bcrypt hashes and credential stuffing using the pharmacy breach data; switching to Argon2 would defend against both BBrute force against the bcrypt hashes and password spraying using the default credential; increasing the lockout threshold from 8 to 3 attempts would defend against both CPassword spraying using the default credential and dictionary attack against weak passwords; deploying bcrypt would defend against both since it slows all password-based attacks DPassword spraying using “Welcome2026!” against all 1,400 accounts and credential stuffing using the pharmacy breach data; MFA is the broadest single defense because it stops both attacks even when the attacker has the correct password

AP Exam Tip

Slash the trash systematically: (A) Rainbow table is defeated by the bcrypt + salt already in place — eliminate. (B) Brute force against bcrypt at cost factor 10 is impractical; and lowering lockout to 3 would not stop spraying at 1 attempt/account — eliminate. (C) Deploying bcrypt is already done; it does not stop spraying or stuffing, which never touch the hash database — eliminate. (D) is correct: the LinkedIn email list enables password spraying using the default “Welcome2026!” credential (1 attempt per account, 23% success rate = ~322 accounts). The pharmacy breach enables credential stuffing (61% reuse = ~854 employees at risk). MFA stops both: even with a valid or default password, the attacker cannot authenticate past the second factor.

0/5

Quiz Complete — 1.2 Password Attacks

Next Lesson: 1.3 AI-Driven Threats →

← Exercise 2 Next Lesson: 1.3 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

✓

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

Name *

Email *

I am a... (optional)

Which course? (optional)

Phone (optional)

How did you find us? (optional)

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Message (optional — leave blank if just subscribing)

Send me free AP CS exam tips — daily practice questions, study resources, and exam strategies. + 20% OFF TUTORING
Unsubscribe anytime.

✉

tanner@apcsexamprep.com

📚

Courses

AP CSA, CSP, & Cybersecurity

⏱

Response Time

Within 24 hours

Prefer email? Reach me directly at tanner@apcsexamprep.com