Fiveable

🔒AP Cybersecurity Unit 1 Review


1.2 Suspicious Website Logins


Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

Passwords are still one of the most common ways adversaries break into accounts, and most attacks aren't some Hollywood-style hacking scene. They're someone (or something) repeatedly guessing logins until one works. Understanding how password attacks look from the defender's side, why weak passwords keep failing people, and what actually makes authentication strong will help you spot trouble before it turns into a real breach.

Spotting a Password Attack

An online password attack is when an adversary tries to log in to a real, live account by submitting guesses to the actual login page or service. They aren't cracking a stolen password file offline. They're hitting the front door of your account over and over, hoping something works.

Where do their guesses come from? Usually three places:

  • Common passwords: Think password123, qwerty, letmein. These show up on every "worst passwords" list every year, and attackers know it.
  • Common password patterns: Predictable structures that lots of people use (more on this in the next section).
  • Stolen passwords: When a site gets breached, those passwords leak. Attackers then try them on other sites because people reuse passwords. This is called credential stuffing.

What an attack looks like

If you're watching login logs, or even just paying attention to your own account notifications, a password attack leaves fingerprints. The three big signs:

  • Many failed login attempts in a short time. A real human might fat-finger their password twice. An attacker's script might try 500 guesses in a minute. If you see a burst of failures, that's a red flag.
  • Login attempts at unusual times. If your account suddenly has login attempts at 3:47 AM when you're asleep, something's off. Same thing for a company account being hit during the middle of the night when the office is closed.
  • Login attempts from unknown devices or locations. Logging in from a phone you've never used, a country you've never visited, or an IP address that doesn't match your normal pattern is suspicious. This is why services like Google or Instagram send you "new device sign-in" alerts.

One failed login by itself doesn't mean anything. The pattern is what matters: lots of failures, weird timing, unfamiliar devices. Put together, those signs strongly suggest someone other than the account owner is trying to get in.
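
The three signs can be checked automatically against a login log. The sketch below is an added example, not part of the original guide: the log entries, account names, the "normal" profiles and the thresholds (5 failures in one minute, two or more signs) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (time, account, result, device, country). "XX" is a placeholder.
start = datetime(2026, 3, 14, 3, 47, 0)
EVENTS = [(start + timedelta(seconds=5 * i), "maya", "fail", "device-x", "XX")
          for i in range(6)]
EVENTS += [
    (datetime(2026, 3, 14, 10, 2, 0), "sam", "fail", "laptop-2", "US"),
    (datetime(2026, 3, 14, 10, 2, 20), "sam", "fail", "laptop-2", "US"),
    (datetime(2026, 3, 14, 10, 2, 45), "sam", "ok", "laptop-2", "US"),
]
# What "normal" looks like for each account (assumed to be learned from past logins).
KNOWN = {
    "maya": {"devices": {"phone-1", "laptop-1"}, "countries": {"US"}, "hours": range(7, 23)},
    "sam": {"devices": {"laptop-2"}, "countries": {"US"}, "hours": range(7, 23)},
}
NO_HISTORY = {"devices": set(), "countries": set(), "hours": range(0)}

def review_logins(events, known, burst_limit=5, window=timedelta(minutes=1)):
    """Return {account: set of warning signs seen in its login events}."""
    signs = defaultdict(set)
    recent_failures = defaultdict(list)
    for ts, account, result, device, country in sorted(events):
        profile = known.get(account, NO_HISTORY)
        if ts.hour not in profile["hours"]:
            signs[account].add("unusual_time")
        if device not in profile["devices"] or country not in profile["countries"]:
            signs[account].add("unknown_device_or_location")
        if result == "fail":
            # Keep only failures inside the sliding window, then count them.
            kept = [t for t in recent_failures[account] if ts - t <= window]
            kept.append(ts)
            recent_failures[account] = kept
            if len(kept) >= burst_limit:
                signs[account].add("failure_burst")
    return dict(signs)

def likely_attacks(signs, minimum=2):
    """Accounts showing several signs together; one sign alone is not enough."""
    return sorted(acct for acct, seen in signs.items() if len(seen) >= minimum)

if __name__ == "__main__":
    found = review_logins(EVENTS, KNOWN)
    print(found, likely_attacks(found))
```

Sam's two mistyped passwords from a known laptop during the day raise nothing, while Maya's account shows all three signs at once.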

How Adversaries Exploit Weak Authentication

Here's the uncomfortable truth: most people pick passwords the same way. Attackers know this, and they build their guessing strategies around it.

The patterns people actually use

When researchers study leaked password databases, the same shapes keep showing up:

  • Word(s) + two-digit number + special character at the end. Stuff like Summer23!, Wildcats07!, or Chicago99?. The two-digit number is almost always a year (birth year, graduation year, current year). The special character at the end is usually ! because it's the easiest one to type.
  • Names of family or pets. Bella2019, Mason!, Buddy123. If you've ever posted about your golden retriever on Instagram, an attacker can find that.
  • Personally significant dates. Birthdays, anniversaries, the year you graduated. 0314Mike or Anna061522.

These feel personal and memorable, which is exactly why people pick them. But "memorable to me" usually means "guessable by someone who knows a little about me."

Building a dictionary

Adversaries don't sit there typing guesses one at a time. They use a dictionary attack, where an automated tool submits a long list of potential passwords to the login system. The "dictionary" can be:

  • Lists of the most common passwords ever leaked
  • Lists of words combined with common patterns (every English word + every year from 1950 to 2025 + !)
  • A custom list built specifically for one target

That last one is the scariest. If an attacker is going after a specific person, they'll do recon first. Your public social media tells them your dog's name, your birthday, your kid's name, your favorite sports team, your high school mascot. They feed all that personal info into a tool that generates thousands of likely password combinations: Buddy2008!, Buddy08, BuddyLakers!, and so on. Then the tool tries every one of them against your account.

This is why "but my password is personal, no one would guess it" doesn't hold up. The whole point of a dictionary attack is that the attacker doesn't need to guess. They just need to try enough plausible options, fast.

Making Authentication Stronger

The good news: defending against these attacks isn't complicated. It just requires breaking the habits that make passwords weak in the first place.

Build passwords that resist guessing

A strong password has three qualities. It's long, random, and unique.

  • Long: The more characters, the more possible combinations an attacker has to try. A 16-character password is exponentially harder to crack than an 8-character one.
  • Random: No words from the dictionary, no patterns, no personal info. Just an unpredictable mix of characters.
  • Unique: Different password for every account. If one site gets breached, your other accounts stay safe.

Two practical ways to pull this off:

Option 1: A password manager. Apps like 1Password, Bitwarden, or the built-in managers in browsers can generate passwords like xK9$mPq2!vL8nR4w and remember them for you. You only need to memorize one strong master password to unlock the manager. This is the easiest way to get long, random, and unique all at once.

Option 2: Long passphrases. If you can't use a manager, a passphrase is the next best thing. Pick four or five random, unrelated words and string them together: correct-horse-battery-staple or lamp-cactus-violin-thunder-pickle. These are long, easy to remember, and not based on personal info. The key word is random. Don't use song lyrics or famous quotes, since those are in attacker dictionaries too.
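
The effect of length and randomness can be measured in bits: each extra bit doubles the number of guesses needed. The following is an added example, not part of the original guide. It assumes 94 printable keyboard characters, uses a constructed 32-word list to stay short, and uses 7776 as the size of a typical large word list.

```python
import math
import secrets

# Constructed 32-word list for illustration; a real generator draws from thousands of words.
WORDS = """lamp cactus violin thunder pickle anchor breeze candle
dragon ember falcon garden harbor island jungle kettle
ladder marble needle orange pepper quartz ribbon saddle
tunnel umpire velvet walnut yellow zipper bucket copper""".split()

def passphrase(n_words=5, words=WORDS, sep="-"):
    """Pick words with the operating system's secure random source, not by taste."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def bits(choices_per_position, positions):
    """Guessing difficulty in bits. Only valid when every position is chosen
    uniformly at random; a human-picked word or year is worth far less."""
    return positions * math.log2(choices_per_position)

def compare():
    """Strength of the options discussed above, in bits (more is stronger)."""
    return {
        "8 random characters": round(bits(94, 8), 1),
        "16 random characters": round(bits(94, 16), 1),
        "5 words from this 32-word list": round(bits(len(WORDS), 5), 1),
        "5 words from a 7776-word list": round(bits(7776, 5), 1),
    }

if __name__ == "__main__":
    print(passphrase())
    for label, strength in compare().items():
        print(f"{strength:6.1f} bits  {label}")
```

Doubling the length from 8 to 16 random characters doubles the bits, which squares the number of guesses an attacker needs. The tiny word list scores poorly, which is why passphrase generators rely on large lists.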

What to avoid

When you're picking a password, steer clear of:

  • Names (yours, family, pets, friends)
  • Dates (birthdays, anniversaries, graduations)
  • Any word or number that's personally meaningful to you
  • Anything you've shared on social media

If it's meaningful to you, it's findable by an attacker. That's the whole problem.
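
A site can run the same checklist when someone chooses a password. This signup-time check is an added example, not part of the original guide: the 12-character minimum, the regular expressions and the reason codes are assumptions chosen for illustration, and the date patterns are rough heuristics.

```python
import re

# The guide's three examples; real blocklists contain many thousands of entries.
COMMON = {"password123", "qwerty", "letmein"}
WORD_NUM_SYMBOL = re.compile(r"[A-Za-z]+\d{2}[^A-Za-z0-9]")  # shape of Summer23!
YEAR = re.compile(r"(19|20)\d{2}")                           # e.g. 2019
MONTH_DAY = re.compile(r"(0[1-9]|1[0-2])([0-2]\d|3[01])")    # e.g. 0314

def weak_reasons(password, personal_info=(), min_length=12):
    """Return a list of reason codes; an empty list means no known weak shape.

    personal_info holds things the site already knows about the user
    (name, username, pet name from a profile), compared case-insensitively.
    """
    reasons = []
    lowered = password.lower()
    if lowered in COMMON:
        reasons.append("common")
    if len(password) < min_length:
        reasons.append("short")
    if WORD_NUM_SYMBOL.fullmatch(password):
        reasons.append("word_digits_symbol")
    # Ignore very short tokens so initials do not trigger false alarms.
    if any(len(item) >= 3 and item.lower() in lowered for item in personal_info):
        reasons.append("personal_info")
    if YEAR.search(password) or MONTH_DAY.search(password):
        reasons.append("date_or_year")
    return reasons

if __name__ == "__main__":
    samples = [
        ("Summer23!", ()),
        ("Bella2019", ("Bella",)),
        ("Anna061522", ("Anna",)),
        ("lamp-cactus-violin-thunder-pickle", ("Anna",)),
    ]
    for candidate, info in samples:
        print(candidate, "->", weak_reasons(candidate, info) or "no weak shape found")
```

An empty result only means the password avoided these known shapes; it does not prove the password is random or unique.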

Add a second layer with MFA

Even the strongest password can leak. A site you use could get breached, you could fall for a phishing email, or malware on your computer could steal it. That's where multifactor authentication (MFA) comes in.

MFA requires you to provide extra proof of identity beyond just your password. The classic example: after you type your password, the site asks for a one-time code that's texted to your phone, generated by an app like Google Authenticator, or sent through a push notification. Some systems use a physical security key (like a YubiKey) or biometrics like a fingerprint.

The reason MFA is so powerful: even if an attacker steals your password, they still can't log in without that second factor. They'd need your physical phone, your fingerprint, or your security key, all of which are way harder to grab remotely.

The categories of factors are usually described as:

  • Something you know (a password or PIN)
  • Something you have (a phone, a security key)
  • Something you are (a fingerprint, face scan)

Real MFA uses at least two different categories. A password plus a security question doesn't count as true MFA, since both are "something you know."

Whenever a service offers MFA, turn it on. Bank, email, school accounts, social media, gaming, all of it. Email especially, because if an attacker gets into your email, they can reset the passwords on every other account linked to it.

Putting It All Together

Password attacks work because human habits are predictable. People reuse passwords, build them from personal info, and follow the same patterns over and over. Adversaries automate guessing at massive scale and watch for the weakest links.

Defending against this comes down to three moves. Recognize the warning signs of an attack in progress (failed login bursts, weird times, unknown devices). Stop using predictable, personal passwords. Layer on MFA so a single stolen password isn't enough to lose your account. None of these steps are technically hard. They just require breaking the habits that attackers count on you keeping.

Vocabulary

The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

  • adversary: An individual or entity that attempts to exploit vulnerabilities in systems, applications, or data to cause harm, steal information, or disrupt operations.
  • authentication: The process of verifying the identity of a user or system, typically through credentials such as passwords.
  • dictionary attack: An automated method where adversaries systematically submit a list of potential passwords (often constructed from personal information) to gain unauthorized access to an account.
  • failed login attempts: Unsuccessful tries to access a device or service, which when occurring frequently over a short period can indicate a password attack.
  • login attempts from unknown devices: Access attempts made from devices that are not typically associated with the account holder, which is a sign of a potential password attack.
  • multifactor authentication: A security method that requires two or more different forms of verification to authenticate a user's identity, preventing unauthorized access even if one authentication factor is compromised.
  • one-time password: A temporary, unique code generated for a single login attempt, used as an additional security factor in multifactor authentication.
  • passphrase: A long sequence of words or characters that serves as a password alternative, typically easier to remember than random passwords while maintaining security.
  • password: A secret string of characters used to verify a user's identity and grant access to an account or system.
  • password attack: Adversarial techniques used to compromise user passwords and gain unauthorized access to accounts or systems.
  • password manager: A software tool that generates, stores, and manages strong passwords for multiple accounts securely.
  • weak authentication: Authentication methods that are easily compromised, such as simple or predictable passwords that lack sufficient complexity or randomness.
