Weak authentication

Weak authentication is any login protection that's easy for an attacker to defeat, usually because passwords are short, predictable, reused, or built from personal info, and because no extra verification (like MFA) backs them up.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is weak authentication?

Weak authentication means the thing standing between an attacker and your account isn't actually that strong. Most of the time that "thing" is a password, and the password is the problem. People love patterns: a word or two, a two-digit year, a special character at the end. Or they use a pet's name, a birthday, an anniversary. Those feel personal and memorable, but that's exactly what makes them weak. Anything personal can be researched, and anything predictable can be guessed.

Adversaries take full advantage of this (that's the whole point of AP Cybersecurity 1.2.B). They gather personal details about a target, build a custom dictionary of likely passwords, and then run an automated tool that fires off guesses fast. Weak authentication also includes having only one factor, just a password and nothing else. No one-time code, no second device. So if that single password falls, the attacker is in. Strong authentication flips all of this: long, random, unique passwords plus multifactor authentication (MFA) as a backup layer.
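The registration-time check below is an added example, not code from the page or from the AP course materials. It turns the weak patterns described above (a word plus a two-digit year plus a trailing special character, and anything built from a pet's name, spouse's name, birthday or anniversary) into rules a signup form could enforce, and pairs them with the 1.2.C fix: a random passphrase drawn with `secrets`. The user profile, the minimum length of 12, and the tiny wordlist are all constructed assumptions; a real generator would use a list of thousands of words.

```python
import re
import secrets
from datetime import date

# Constructed profile for a hypothetical user: the kind of detail an attacker
# could research, and therefore the kind a password check should refuse.
PROFILE = {
    "pet": "Biscuit",
    "spouse": "Jordan",
    "birthday": date(1994, 7, 21),
    "anniversary": date(2018, 5, 3),
}

# The "word + two-digit year + special character" pattern, e.g. "Summer24!".
PATTERN_WORD_YEAR_SPECIAL = re.compile(r"^[A-Za-z]+\d{2}[^\w\s]$")

# Tiny constructed wordlist; a real passphrase generator uses a much larger one.
WORDLIST = ["lantern", "orbit", "velvet", "granite", "meadow",
            "cobalt", "harbor", "thistle", "quartz", "ember"]


def personal_tokens(profile):
    """Expand a profile into the lowercase strings a password must not contain.

    Dates are expanded into the common forms people type: YYYY, YY, MMDD,
    DDMM, MMDDYYYY and MMDDYY.
    """
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            for fmt in ("%Y", "%y", "%m%d", "%d%m", "%m%d%Y", "%m%d%y"):
                tokens.add(value.strftime(fmt))
        else:
            tokens.add(value.lower())
    return {t for t in tokens if len(t) >= 2}


def weak_password_reasons(password, profile, min_length=12):
    """Return a list of reasons a password is weak; an empty list means it passed.

    min_length=12 is an assumed policy value, not one taken from the course.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if PATTERN_WORD_YEAR_SPECIAL.match(password):
        reasons.append("word + two-digit year + special character pattern")
    lowered = password.lower()
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            reasons.append(f"contains personal info ({token})")
    return reasons


def generate_passphrase(n_words=5, wordlist=WORDLIST):
    """Build a random passphrase with the secrets module (CSPRNG, not random)."""
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("Biscuit94!", "Jordan0721abcdef!", generate_passphrase()):
        print(candidate, "->", weak_password_reasons(candidate, PROFILE) or "OK")
```

The check runs against a profile the service already holds (name, birthday) plus anything the user volunteered, which is the same material an attacker would research; rejecting it at signup removes the dictionary entries before they exist. The passphrase generator is what a password manager does for you: the output is long, random, and not derived from anything about the user.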

Why weak authentication matters in AP Cybersecurity

This sits in Unit 1: Introduction to Security, topic 1.2 (Suspicious Website Logins), and it's the heart of three connected learning objectives. AP Cybersecurity 1.2.A has you identify the signs of a password attack (lots of failed logins fast, logins at weird times, logins from unknown devices). AP Cybersecurity 1.2.B has you explain how adversaries exploit weak authentication using those predictable patterns and personal-info dictionaries. AP Cybersecurity 1.2.C has you explain how to fix it with long, random, unique passwords and MFA. Weak authentication is the problem the entire topic is built to attack, so understanding it is how you tie the whole login-security story together.


How weak authentication connects across the course

Dictionary attack (Unit 1)

A dictionary attack is weak authentication's natural predator. Because people build passwords from real words and personal facts, an attacker can load a list of likely guesses and let an automated tool try them all. Weak authentication is the door; the dictionary attack is the key ring.

Multifactor authentication / MFA (Unit 1)

MFA is the direct fix for weak authentication. Even if your password is guessed, the attacker still needs a second proof of identity like a one-time code. It turns a one-lock door into a two-lock door, which is why 1.2.C pushes it so hard.

Authentication log (Unit 1)

Authentication logs are how you spot weak authentication being exploited in real time. The 1.2.A warning signs (many failed logins fast, odd hours, unknown devices) all show up as entries in the log, so the log is where the abstract "signs of an attack" become something you can actually see.
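To show the three 1.2.A warning signs as they actually appear in a log, here is an added example, not code from the page or the course: a small detector run over constructed log lines. The log format (`timestamp user=... result=... device=...`), the per-user list of known devices, the five-failures-in-sixty-seconds threshold and the 07:00 to 19:59 "normal hours" window are all assumptions chosen for the example; a real system would take the format from its own logging stack and tune the thresholds to its users.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified key=value format (not a real product's
# format). alice is hit by a burst of failures and then a success from a device
# she has never used, in the middle of the night; bob and carol look normal.
SAMPLE_LOG = """\
2026-06-01T02:14:05 user=alice result=FAIL device=dev-9f3a
2026-06-01T02:14:06 user=alice result=FAIL device=dev-9f3a
2026-06-01T02:14:07 user=alice result=FAIL device=dev-9f3a
2026-06-01T02:14:08 user=alice result=FAIL device=dev-9f3a
2026-06-01T02:14:09 user=alice result=FAIL device=dev-9f3a
2026-06-01T02:14:10 user=alice result=FAIL device=dev-9f3a
2026-06-01T02:14:12 user=alice result=SUCCESS device=dev-9f3a
2026-06-01T09:30:00 user=bob result=SUCCESS device=dev-1111
2026-06-01T14:00:00 user=carol result=FAIL device=dev-2222
2026-06-01T14:05:00 user=carol result=SUCCESS device=dev-2222
"""

# Assumed baseline of devices each user has logged in from before (constructed).
KNOWN_DEVICES = {"alice": {"dev-aaaa"}, "bob": {"dev-1111"}, "carol": {"dev-2222"}}

FAIL_THRESHOLD = 5                 # assumed: 5 failures ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within 60 seconds is "many, fast"
NORMAL_HOURS = range(7, 20)        # assumed: 07:00-19:59 is a normal login time


def parse_line(line):
    """Turn one log line into a dict with a parsed datetime under 'time'."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(timestamp)
    return record


def detect(log_text, known_devices=KNOWN_DEVICES):
    """Scan log lines in order and return (user, sign, detail) alerts for the
    three EK 1.2.A.2 signs: rapid failures, unusual hours, unknown devices."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, when = rec["user"], rec["time"]

        if rec["result"] == "FAIL":
            window = recent_fails[user]
            window.append(when)
            while window and when - window[0] > FAIL_WINDOW:
                window.popleft()        # drop failures older than the window
            if len(window) == FAIL_THRESHOLD:   # alert once, when the burst crosses the line
                alerts.append((user, "rapid_failures",
                               f"{len(window)} failures within {FAIL_WINDOW.seconds}s"))
            continue

        # A successful login: check the time of day and the device.
        if when.hour not in NORMAL_HOURS:
            alerts.append((user, "unusual_hour", when.strftime("%H:%M")))
        if rec["device"] not in known_devices.get(user, set()):
            alerts.append((user, "unknown_device", rec["device"]))
    return alerts


if __name__ == "__main__":
    for user, sign, detail in detect(SAMPLE_LOG):
        print(f"{user:6} {sign:16} {detail}")
```

Each alert corresponds to one of the three signs: the burst of failures is the dictionary tool at work, the success right after it at 02:14 is the "odd hours" sign, and the device alice has never used is the "unknown device" sign. Carol's single failure never reaches the threshold, so a typo does not become an alert. The successful login after a burst of failures is the case that matters most: it is the point at which the weak password has actually fallen, and with MFA enabled that line would not exist.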

Is weak authentication on the AP Cybersecurity exam?

Expect this as multiple-choice. Stems often hand you a scenario and ask you to label the vulnerability, like "A user creates a password combining their birthday and spouse's name. Which term describes this authentication vulnerability?" The answer there is weak authentication, because both pieces are personal and guessable. You may also be asked to pick which example IS weak authentication out of a list, or to match a defense (MFA, a password manager, long passphrases) to the weakness it fixes. Be ready to do three things: recognize a weak password when you see one, explain WHY adversaries exploit it (predictable patterns plus personal-info dictionaries run by automated tools), and name the concrete fixes from 1.2.C.

Weak authentication vs brute force attack

Weak authentication is the vulnerability (a guessable or single-factor login). A brute force attack is one method an adversary uses to exploit it, trying many password combinations until one works. A dictionary attack is a smarter, targeted version of that. So weak authentication is the open door; brute force is one way of barging through it.

Key things to remember about weak authentication

  • Weak authentication is any login that's easy to defeat, usually because the password is short, predictable, reused, or built from personal information.

  • Common weak patterns include a word plus a two-digit year plus a special character, or using pet names, family names, birthdays, and anniversaries (EK 1.2.B.1).

  • Adversaries build a custom dictionary from a target's personal info and use automated tools to submit guesses quickly (EK 1.2.B.2).

  • Signs that weak authentication is being attacked include many failed logins in a short time, logins at unusual hours, and logins from unknown devices (EK 1.2.A.2).

  • You strengthen authentication with long, random, unique passwords (a password manager helps) and by turning on multifactor authentication (MFA) for an extra layer (EK 1.2.C).

Frequently asked questions about weak authentication

What is weak authentication in AP Cybersecurity?

It's any login protection that's easy for an attacker to break, typically a password that's short, reused, or built from guessable personal details, with no second factor like MFA backing it up. It's the core vulnerability in topic 1.2.

Is using my birthday and pet's name in a password really weak authentication?

Yes. Personal info is exactly what attackers research and load into a custom dictionary, so a birthday-plus-pet-name password is a textbook example of weak authentication (EK 1.2.B.1) and shows up directly in practice questions.

How is weak authentication different from a brute force attack?

Weak authentication is the vulnerability, the easy-to-crack login itself. A brute force attack is a method an adversary uses to exploit it by trying many password guesses. One is the open door, the other is a way of walking through it.

How do you fix weak authentication?

Use long, random, unique passwords (a password manager can generate and store them, or use a long passphrase), avoid personal words and dates, and enable multifactor authentication so a second proof of identity is required beyond the password (EK 1.2.C).

How would I know my account is under a password attack?

Watch for many failed login attempts in a short period, logins at unusual times, and login attempts from unknown devices. Those are the three signs called out in EK 1.2.A.2, and they typically show up in an authentication log.
