🔒AP Cybersecurity Unit 4 Review

4.2 Authentication

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

TLDR

Authentication is how a system verifies that you are who you claim to be, usually through passwords, physical objects, biometrics, or location. Secure systems never store passwords in plaintext. They store salted hashes, and attackers try to break those hashes or guess passwords through online and offline attacks. Knowing how authentication works, how it fails, and how to harden login settings is the core of this topic.

Why This Matters for the AP Cybersecurity Exam

This topic gives you the core vocabulary and reasoning you need to answer questions about how systems verify identity and how adversaries try to defeat that verification. AP Cybersecurity expects you to connect a vulnerability to an attack to a mitigation, and authentication is a clean example of that chain: weak passwords lead to cracking attacks, which you stop with hashing, salting, MFA, and smart login settings. Expect to identify attack types from a scenario, explain why a defense works, and recommend the right login configuration for a situation.

Key Takeaways

  • Passwords should be stored as salted hashes, never in plaintext, so a stolen database does not instantly reveal everyone's password.
  • A cryptographic hash is one way, repeatable, fixed length, and collision resistant. MD5 and SHA-1 are deprecated because collisions can be forced.
  • Password attacks are either online (against a live login portal) or offline (against a captured hash database), and lockout settings only stop online attacks.
  • The four authentication factor types are knowledge, possession, biometric, and location. MFA combines two or more different types.
  • Login settings like complexity, minimum length, maximum age, password history, and lockout each target a specific weakness.

Why Passwords Are Stored as Hashes

Imagine a company saves every user's password in a giant spreadsheet that just says username: password. If an adversary steals that file, every single account is exposed instantly. That is why no secure system stores passwords in plaintext. Instead, they store hashes.

What a Hash Actually Is

A cryptographic hash function (also called a message digest function) is a math algorithm that takes any input (a word, a file, a whole movie) and outputs a fixed-length string of bits called the hash, checksum, or message digest. The input can be any size. The output is always the same length for a given function.

Some well-known hash functions you should recognize:

  • MD5
  • SHA-1, SHA-256, SHA-512 (SHA stands for Secure Hash Algorithm)
  • NTHash
  • RIPEMD-160

For example, running the word password through SHA-256 always gives you the same 256-bit output (in hex it begins 5e884898da28…). Run Password (capital P) and you get something totally different. Even one tiny change flips the whole hash: on average about half of the output bits change.

The Four Properties of a Good Hash

A solid cryptographic hash has four key properties:

  • Collision resistant: It is hard to find two different inputs that produce the same hash.
  • Pre-image resistant: Given a hash, you cannot reasonably figure out the original input. Hashes are one way.
  • Repeatable: The same input always produces the same hash. This is what makes password checks work.
  • Fixed length: No matter how big the input, the hash is always the same length for that function. SHA-256 always gives you 256 bits.
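Here is an added Python example (written for this review, not code from the Fiveable page) that checks the four properties with the standard library's hashlib: the same input always hashes the same way, a tiny input and an 800 KB input give the same output length, and a one-letter change flips roughly half of the output bits. The input strings are constructed for the demo.

```python
import hashlib


def digest_hex(data: str, algorithm: str = "sha256") -> str:
    """Hash a UTF-8 string with the named algorithm and return the hex digest."""
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest()


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two equal-length hex digests, in bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def check_properties(algorithm: str = "sha256") -> dict:
    """Exercise repeatability, fixed length and the avalanche effect for one algorithm."""
    base = digest_hex("password", algorithm)
    huge = digest_hex("password" * 100_000, algorithm)   # ~800 KB of input
    tweak = digest_hex("Password", algorithm)            # one character changed
    output_bits = len(base) * 4                          # 4 bits per hex character
    return {
        "output_bits": output_bits,
        "repeatable": base == digest_hex("password", algorithm),
        "fixed_length": len(base) == len(huge),
        # A good hash flips about half of its bits for any change in the input.
        "avalanche_fraction": bits_changed(base, tweak) / output_bits,
    }


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256", "sha512"):
        print(algo, check_properties(algo))
    print("sha256('password') =", digest_hex("password"))
```

Pre-image resistance is the one property the code cannot demonstrate directly; the only way to "go backwards" is to guess inputs and compare, which is exactly what the cracking tools later in this guide do.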

Collisions and Why MD5 Was Deprecated

An n-bit hash has 2^n possible outputs. Since there are infinitely many possible inputs but a limited number of outputs, two different inputs must eventually produce the same hash. That is called a collision.

A good hash function makes collisions extremely hard to find on purpose: the best generic attack is a birthday search that needs on the order of 2^(n/2) attempts, so for SHA-256 that is about 2^128 hash computations. But if researchers find a way to force collisions far faster than that, the hash function is deprecated, meaning it is no longer used in secure settings. MD5 and SHA-1 are both deprecated for this reason; practical collision attacks against both have been demonstrated. You will still see them around (for example, in legacy file checksums), but nobody should use them to protect new systems.

How Hashed Password Login Works

Here is the flow when you log in:

  1. You type your password into the login box.
  2. The system runs your password through the hash function.
  3. It compares the new hash to the hash stored in the user database.
  4. If the hashes match, you are authenticated. If not, access is denied.

The system never has to store your actual password. Even an admin looking at the database just sees a string of random-looking characters.

Salt: Why Two Users with the Same Password Get Different Hashes

There is still a problem. If two users both pick password123, their stored hashes would be identical. An adversary who sees matching hashes in the database knows those users share a password, and could also pre-compute hashes for common passwords and instantly spot matches.

The fix is salt: a string of random bits (typically 16 bytes or more, generated separately for each user) that is stored next to the hash and combined with the password before hashing. Every user has their own unique salt, so even if two people pick the exact same password, their stored hashes look completely different. Salt also makes pre-computed attack tables much less useful, which matters when you get to rainbow tables below. One practitioner caveat the exam framework does not go into: salt does not make guessing any slower, so real systems pair it with a deliberately slow password-hashing function (bcrypt, scrypt, Argon2, or PBKDF2) rather than a single pass of SHA-256.
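The following added Python example (not code from the Fiveable page) ties together the four-step login flow from "How Hashed Password Login Works" and the salting described above. It uses PBKDF2-HMAC-SHA256 from the standard library as the slow, salted password hash; the iteration count, the record format and the in-memory user table are assumptions for the demo, and the usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; tune it so
# one hash takes roughly 100 ms on the server that will run it.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is stored in the clear next to the hash. It is not a secret; its
    job is to make each user's hash unique and to defeat precomputed tables.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit random salt for every new password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare the result."""
    algorithm, iterations, salt_hex, stored_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response time does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), stored_hex)


# In-memory stand-in for the user table: username -> password record.
USER_DB: Dict[str, str] = {}

# Hashed once at import so logins for unknown users cost the same time as real ones.
_DUMMY_RECORD = hash_password("dummy-password-for-timing")


def register(username: str, password: str) -> str:
    USER_DB[username] = hash_password(password)
    return USER_DB[username]


def login(username: str, password: str) -> bool:
    """Steps 1-4 of the login flow: hash the attempt and compare to the stored hash."""
    record = USER_DB.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then refuse
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    a = register("alice", "password123")
    b = register("bob", "password123")
    print("same password, different records:", a != b)
    print(a)
    print("alice/password123 ->", login("alice", "password123"))
    print("alice/Password123 ->", login("alice", "Password123"))
    print("mallory/anything  ->", login("mallory", "anything"))
```

Storing the algorithm and iteration count inside each record is what lets you raise the work factor later: old records keep verifying with their own parameters and get re-hashed on the user's next successful login.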

How Password Attacks Work

If an adversary steals a legitimate user's password, and that account does not have MFA or other protections, the adversary gets to act with all the same access and rights as the real user. That could mean reading emails, transferring money, or pivoting deeper into a network. So how do adversaries actually get passwords?

Online vs Offline Attacks

Password attacks split into two big categories:

  • Online password attacks: The adversary tries username and password combos against a live login portal, like the actual login page of a website. These are slower and noisier because the system can detect failed logins, lock accounts, or rate-limit.
  • Offline password attacks: The adversary has already stolen a user:password database (the hashes) and runs attacks against it on their own computer. No lockout protections apply here because they are not touching the real login system anymore.

Common Online Attacks

Credential reuse is very common. People reuse passwords across sites all the time, even though they should not. When one company gets breached and its user database leaks online, adversaries grab those leaked credentials and try them on other sites. If you used the same password on a random forum and your bank, you are in trouble.

Password spraying is when an adversary takes one common password (like Summer2024!) and tries it against many different accounts. Because they only try one or two passwords per account, they avoid triggering lockouts.

Credential stuffing, as the AP framework defines it, is when an adversary uses default credentials or stolen credentials, typically in rapid succession from one IP address, to try to break into services or devices. This works alarmingly well on things like switches, routers, and IoT devices that ship with default admin passwords like admin:admin that people never change. (Outside the exam, practitioners usually reserve the term for the automated replay of leaked username:password pairs from one breach against other sites, and call the default-password case a default-credential attack; both are online attacks.)

Offline Attacks: Cracking Stolen Hashes

Once an adversary has a captured hash, they cannot reverse it, because hashes are pre-image resistant. But they can guess. Automated hash-cracking tools hash many potential passwords and compare each output to the target hash. If they find a match, they know the password that generated it.

  • Brute force attack: The tool tries every possible password combination, such as aaaa, aaab, aaac, and so on. It is guaranteed to work eventually, but takes a long time for long, complex passwords.
  • Dictionary attack: The tool tries a list of common passwords (password, qwerty, letmein, iloveyou) plus variations. This is much faster than brute force if the user picked something predictable.

Rainbow Tables

A rainbow table attack uses a precomputed rainbow table, which for exam purposes you can think of as a giant lookup table: each row pairs a potential password with its hash, sorted by hash value. The adversary takes the captured hash and searches the table for a match. If they find one, they instantly know a password that produces that hash. (Real rainbow tables compress this further by storing long chains of hashes linked by reduction functions and keeping only each chain's start and end point, which is what lets them cover enormous password spaces on disk; the lookup-table model is enough for the reasoning here.)

Rainbow tables save time because the adversary does not have to recompute hashes during the attack. They did all that work ahead of time. This is exactly why salt matters so much: salted hashes break rainbow tables, because the adversary would need a separate table for every possible salt value, and with a 128-bit random salt that is hopeless. The adversary is pushed back to guessing passwords one user at a time, which is where a slow password hash makes each guess expensive.
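This added Python example (written for this review, not code from the Fiveable page) runs the three offline techniques from this section against a constructed dump of unsalted SHA-256 hashes: a dictionary attack with simple mangling rules, a lowercase brute force up to three characters, and a precomputed hash-to-password lookup table standing in for a rainbow table. The final lines show the same weak password with a constructed salt, which the precomputed table no longer matches. The usernames, passwords, salt and wordlist are all made up for the demo.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed "stolen" dump: unsalted, fast SHA-256 hashes of weak passwords.
# Built here from known plaintexts purely so the example is self-contained.
STOLEN_DUMP: Dict[str, str] = {
    "alice": sha256_hex("password"),     # straight wordlist hit
    "bob":   sha256_hex("Letmein123"),   # wordlist word plus a mangling rule
    "carol": sha256_hex("abc"),          # short enough to brute force
    "dave":  sha256_hex("Summer2024!"),  # neither in the list nor short
}

WORDLIST = ["password", "qwerty", "letmein", "iloveyou", "dragon"]


def candidates(words: Iterable[str]) -> Iterable[str]:
    """Each word plus a few common variations ('mangling rules')."""
    for w in words:
        yield w
        yield w.capitalize()
        yield w + "123"
        yield w.capitalize() + "123"
        yield w + "!"


def dictionary_attack(target: str, words: Iterable[str] = WORDLIST) -> Optional[str]:
    """Hash every candidate and compare; no hash is ever 'reversed'."""
    for cand in candidates(words):
        if sha256_hex(cand) == target:
            return cand
    return None


def brute_force(target: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 3) -> Optional[str]:
    """Try every string up to max_len: 26 + 26^2 + 26^3 = 18,278 hashes here."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if sha256_hex(cand) == target:
                return cand
    return None


def build_lookup_table(words: Iterable[str] = WORDLIST) -> Dict[str, str]:
    """Precompute hash -> password once; a simplified stand-in for a rainbow table."""
    return {sha256_hex(c): c for c in candidates(words)}


def crack_dump(dump: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Instant table lookup first, then fall back to a short brute force."""
    table = build_lookup_table()
    return {user: table.get(h) or brute_force(h) for user, h in dump.items()}


def salted_sha256_hex(salt_hex: str, password: str) -> str:
    return sha256_hex(salt_hex + password)


if __name__ == "__main__":
    print(crack_dump(STOLEN_DUMP))
    # Same weak password, but salted: the precomputed table no longer matches.
    table = build_lookup_table()
    salted = salted_sha256_hex("9f2c1a7e0b3d4c55", "password")   # constructed salt
    print("salted lookup:", table.get(salted))
```

Notice that the salt defeats only the precomputed table. The dictionary and brute-force loops still work against a salted hash; the attacker just has to prepend the salt to every candidate, which is why the speed of the hash function (the slow-hash caveat above) is what ultimately limits offline cracking.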

Types of Authentication Factors

Authentication mechanisms are the technical controls that verify a user's identity. The actual proof a user provides is called a factor. There are four main types.

Knowledge Factor (Something You Know)

A knowledge factor is information only the user should know: passwords, PINs, or answers to preselected challenge questions like "What was the name of your first pet?"

The tradeoff is real: a password that is hard for an adversary to guess is often hard for the user to remember. Tr0ub4dor&3 is more secure than fluffy, but you are more likely to forget it.

Possession Factor (Something You Have)

A possession factor is a physical object unique to the user. Examples:

  • An access card to enter a building
  • A bank card
  • A cell phone (used to receive a code or run an authenticator app)
  • A hardware authentication token

The harder it is to steal or copy the object, the more secure the possession factor is.

Biometric Factor (Something You Are)

A biometric factor measures a feature of your body. Common examples:

  • Fingerprints
  • Palm prints
  • Facial recognition
  • Iris or retina scans
  • Voice identification

These are tough to duplicate because they are unique to you. Two downsides to keep in mind: biometric matching is a probabilistic comparison, so every system tunes a tradeoff between false accepts and false rejects, and if biometric data is leaked, you cannot change your fingerprints the way you change a password.

Location Factor (Somewhere You Are)

A location factor uses information like Wi-Fi signals, GPS data, time zone settings, or IP address info to make determinations about where you are. Rules can allow or deny access based on location, so a company might only allow logins from inside the office network.

Multifactor Authentication

Multifactor authentication (MFA) means using more than one factor to authenticate. Logging into an account with a password (knowledge) and then approving a push notification on your phone (possession) is MFA.

This is more secure than single-factor authentication because an adversary would need to compromise at least two separate factors. Stealing your password is not enough if they also need your physical phone.

Quick clarification: two passwords is not MFA. That is just two knowledge factors. Real MFA combines different types of factors.

Configuring Secure Login Settings

Admins can configure login policies to make systems harder to crack. Here are the main settings you should know.

Password Complexity

Requiring complexity means new passwords must include at least one character from each character set:

  • Uppercase letters (A through Z)
  • Lowercase letters (a through z)
  • Numeric digits (0 through 9)
  • Special characters such as !, @, #, $, %, &, *

A password drawn from all character sets is significantly harder to crack than one using only one or two sets, because each position has more possible values. password is trivial. P@ssw0rd! is still weak, because swapping letters for look-alike symbols and digits is a standard mangling rule in every cracking wordlist, but at least it takes longer against a pure brute force.

Minimum Password Length

Setting a minimum password length forces users to pick passwords of at least a certain number of characters. Length matters a lot for cracking time. Each extra character multiplies the number of possible combinations an adversary would have to test by the size of the character set, so a 12-character password takes far longer to brute force than an 8-character one: with 95 printable characters that is 95^12 (about 5 × 10^23) candidates versus 95^8 (about 6.6 × 10^15). Length is the single most effective setting on this list, which is why a long passphrase beats a short complex password.

Maximum Password Age

A maximum password age policy prompts users to change their password a certain number of days after their last change, usually every 90 or 120 days. The idea is that if a password was secretly compromised, regular changes limit how long an adversary has access.

There is a catch. NIST SP 800-63B, the US federal standard for digital identity, recommends against forced rotation on predefined intervals and instead requires a change when there is evidence of compromise, because users tend to develop predictable patterns like PasswordFall2028. An adversary who knows the pattern can guess the new password easily.

Password History

Systems can also be configured to store a certain number of previous password hashes, commonly the last 5 to 10 (with salted hashes, each old salt is kept alongside its hash and the candidate password is re-hashed with each one). This prevents users from recycling the same password every time they are forced to change it. If you try to set your password back to a recent old one, the system rejects it.
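The settings above, implemented as one policy check in an added Python example (written for this review, not code from the Fiveable page): complexity across the four character sets, minimum length, a salted password history, an optional maximum age, plus a keyspace estimate that shows why length dominates. The thresholds, the history format and the guess rate used for the time estimate are assumptions for the demo, and the sample passwords are constructed.

```python
import hashlib
import os
import string
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Character sets from the complexity rule; the size of each matters for keyspace.
CHARSETS = {
    "uppercase": set(string.ascii_uppercase),   # 26
    "lowercase": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),                # 10
    "special": set(string.punctuation),         # 32
}

# History entries: (salt, sha256(salt + password)). Constructed for this example;
# a real system would compare against its stored slow-hash records instead.
HistoryEntry = Tuple[bytes, str]


def remember(password: str) -> HistoryEntry:
    salt = os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def was_used(password: str, history: List[HistoryEntry]) -> bool:
    """Re-hash the candidate with every stored salt; a match means it was recycled."""
    return any(hashlib.sha256(salt + password.encode()).hexdigest() == h for salt, h in history)


def keyspace(password: str) -> int:
    """Size of the smallest 'all sets present' space a brute forcer must search."""
    alphabet = sum(len(chars) for chars in CHARSETS.values() if set(password) & chars)
    return alphabet ** len(password)


def brute_force_years(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case exhaustive search time at an assumed GPU-class guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


class PasswordPolicy:
    def __init__(self, min_length: int = 12, require_complexity: bool = True,
                 history_size: int = 5, max_age_days: Optional[int] = None):
        # max_age_days defaults to None: NIST SP 800-63B advises against forced
        # periodic rotation, so rotate on evidence of compromise instead.
        self.min_length = min_length
        self.require_complexity = require_complexity
        self.history_size = history_size
        self.max_age_days = max_age_days

    def check(self, new_password: str, history: List[HistoryEntry]) -> List[str]:
        """Return the list of rule violations; an empty list means accepted."""
        problems = []
        if len(new_password) < self.min_length:
            problems.append(f"length {len(new_password)} is below minimum {self.min_length}")
        if self.require_complexity:
            missing = [name for name, chars in CHARSETS.items() if not set(new_password) & chars]
            if missing:
                problems.append("missing character sets: " + ", ".join(missing))
        if was_used(new_password, history[-self.history_size:]):
            problems.append(f"matches one of the last {self.history_size} passwords")
        return problems

    def rotation_due(self, last_changed: date, today: date) -> bool:
        if self.max_age_days is None:
            return False
        return today - last_changed >= timedelta(days=self.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [remember("Correct-horse-battery-staple-99")]
    for pw in ["password", "P@ssw0rd!", "Correct-horse-battery-staple-99",
               "Correct-horse-battery-staple-100"]:
        print(f"{pw!r}: {policy.check(pw, history) or 'accepted'}; "
              f"keyspace ~2^{keyspace(pw).bit_length() - 1}, "
              f"{brute_force_years(pw):.2e} years at 1e10 guesses/s")
    print("rotation due (90-day policy):",
          PasswordPolicy(max_age_days=90).rotation_due(date(2028, 1, 1), date(2028, 4, 15)))
```

The keyspace figure is a worst case for a blind brute force; a real cracker would try P@ssw0rd! in its first few seconds because it comes straight from a wordlist rule, which is why the check should also reject passwords found in breach lists, something this policy does not model.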

Lockout Period

Setting a lockout period locks an account after a certain number of invalid login attempts, often 3 to 5. The length of the lockout varies; a temporary lock (for example, 15 minutes) is usually preferred over a permanent one, because an adversary who can trigger lockouts at will could otherwise lock legitimate users out of their own accounts.

This stops online brute force against a single account, because an adversary cannot keep guessing forever: after a handful of wrong guesses the account locks, and even the correct password is refused until the lock expires. Password spraying is specifically designed to stay under this threshold by trying only one or two passwords per account, so catching it takes additional detection, such as alerting when one source address fails against many different accounts. Lockout does not help at all against offline attacks, since those never touch the live login system. That is why hashing, salting, and strong passwords still matter even with good lockout policies in place.
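This added Python example (written for this review, not code from the Fiveable page) simulates a login portal with per-account lockout and an authentication log, then runs both online attacks against it: a brute force of one account, which hits the lockout before it reaches the real password, and a spray of one password across every account, which never trips the lockout but is caught by a detection rule that counts distinct failed usernames per source address. Threshold, lock duration, accounts, passwords and the RFC 5737 documentation addresses are all constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOCKOUT_THRESHOLD = 5       # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # temporary lock, which limits attacker-triggered lockouts

LogEntry = Tuple[float, str, str, str]   # (time, username, source_ip, result)


@dataclass
class Account:
    password: str            # constructed demo only; a real system stores a salted slow hash
    failures: int = 0
    locked_until: float = 0.0


class LoginPortal:
    """Minimal online authentication portal with per-account lockout and an auth log."""

    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts
        self.log: List[LogEntry] = []

    def attempt(self, user: str, password: str, src_ip: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            result = "failure"            # same answer as a wrong password: no user enumeration
        elif now < acct.locked_until:
            result = "locked"             # even the right password is refused while locked
        elif password == acct.password:
            acct.failures = 0
            result = "success"
        else:
            acct.failures += 1
            result = "failure"
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
        self.log.append((now, user, src_ip, result))
        return result


def brute_force_one_account(portal, user, guesses, src_ip, start=0.0) -> List[str]:
    """Online brute force: many guesses against one account, one per second."""
    return [portal.attempt(user, g, src_ip, start + i) for i, g in enumerate(guesses)]


def spray(portal, users, password, src_ip, start=0.0) -> List[str]:
    """Password spraying: one guess per account, so no account reaches the threshold."""
    return [u for i, u in enumerate(users)
            if portal.attempt(u, password, src_ip, start + i) == "success"]


def detect_spraying(log: List[LogEntry], min_distinct_users: int = 3) -> Dict[str, int]:
    """Flag source IPs whose failures are spread across many distinct accounts."""
    failed_users = defaultdict(set)
    for _, user, src_ip, result in log:
        if result == "failure":
            failed_users[src_ip].add(user)
    return {ip: len(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


def build_demo_portal() -> LoginPortal:
    # Constructed accounts and passwords for the demo; none are real credentials.
    return LoginPortal({
        "alice": Account("Tr0ub4dor&3"), "bob": Account("fluffy"),
        "carol": Account("qwerty12!"), "dave": Account("Summer2024!"),
        "erin": Account("letmein9"), "frank": Account("P@ssw0rd!"),
    })


if __name__ == "__main__":
    portal = build_demo_portal()
    guesses = [f"guess{i}" for i in range(8)] + ["Tr0ub4dor&3"]   # real password comes last
    print("brute force vs alice:", brute_force_one_account(portal, "alice", guesses, "198.51.100.9"))
    print("spray 'Summer2024!':", spray(portal, list(portal.accounts), "Summer2024!",
                                        "203.0.113.7", start=1000.0))
    print("spraying sources:", detect_spraying(portal.log))
```

The detection rule keys on the source address, so an adversary who spreads the spray across many addresses will slip under it; production systems combine it with rate limiting per address, per account and globally, and with alerting on the count of distinct accounts failing in a short window regardless of source.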

How to Use This on the AP Cybersecurity Exam

MCQ

  • Read scenarios carefully to identify the attack type. One password tried against many accounts is password spraying. Many guesses against one captured hash file is an offline attack. Default credentials on a router is credential stuffing in the framework's terminology.
  • Watch for the online vs offline distinction. If the adversary is working from a stolen hash database and lockout never comes into play, the attack is offline. If lockout is being avoided by spreading a few guesses across many accounts, that is password spraying, which is still an online attack.
  • Match factor types to the four categories. Two passwords is single-factor; a password plus a phone code is MFA.

Scenario Reasoning

  • When asked to recommend a defense, connect it to the specific weakness. Salting defeats rainbow tables. MFA limits the damage of a stolen password. Lockout stops online brute force against one account. A slow password hash is what slows offline cracking once the hashes are stolen.
  • Be ready to explain why a hash function like MD5 or SHA-1 should not protect a new system. The reason is forced collisions, which is why they are deprecated.
  • If asked to harden a login policy, pair each setting with the problem it solves rather than listing settings randomly.

Common Trap

  • Do not claim hashes can be reversed. They are pre-image resistant. Cracking works by guessing inputs and comparing hashes, not by undoing the hash.

Common Misconceptions

  • "Hashing and encryption are the same thing." They are not. Encryption is meant to be reversed with a key. A cryptographic hash is one way and has no key to undo it.
  • "A hash collision means the hash function is broken right away." Collisions exist for every hash because inputs are infinite and outputs are finite. The problem is when collisions can be forced efficiently, which is what got MD5 and SHA-1 deprecated.
  • "Salt keeps your password secret." Salt is not secret and does not hide the password. Its job is to make every user's hash unique and to break precomputed rainbow tables.
  • "Lockout settings protect against all password attacks." Lockout only slows online attacks. Offline attacks run against a stolen hash database and ignore lockout entirely.
  • "Using two passwords counts as multifactor authentication." MFA requires two different factor types, such as something you know plus something you have. Two knowledge factors is still single-factor.
  • "Forcing frequent password changes always improves security." Forced rotation can backfire by pushing users toward predictable patterns, which is why some standards recommend against scheduled changes.

Vocabulary

The following words are mentioned explicitly in the AP® course framework for this topic.

Term

Definition

account lockout

A login setting that temporarily disables an account after a specified number of failed login attempts to prevent adversaries from conducting brute-force password attacks.

authentication mechanism

Technical controls that verify the identity of a user to ensure that only authorized users access a system.

biometric factor

An authentication factor that measures unique features of the human body, including fingerprints, palm prints, facial recognition, iris or retina scans, or voice identification.

brute force attacks

An attack method where an adversary tries every possible combination of a password or encryption key until finding the correct one.

collision

An occurrence where two different inputs produce the same hash output from a cryptographic hash function.

collision resistant

A property of cryptographic hash functions where it is difficult to find two different inputs that produce the same output.

credential stuffing

An attack where default or previously compromised user:password combinations are attempted in rapid succession on a device, typically from the same IP address.

cryptographic hash function

A mathematical algorithm that takes binary data of arbitrary length and outputs a fixed-length binary string, used to securely process and verify data.

default credentials

Preconfigured usernames and passwords that come with services and devices such as switches, routers, and IoT devices.

deprecated hash function

A cryptographic hash function that is no longer used in secure settings because an efficient collision-forcing algorithm has been discovered.

dictionary attacks

Offline password attacks where an adversary uses automated tools to test a list of common passwords.

factor

The proof a user provides to identify themselves during the authentication process.

hash

A fixed-length binary string output produced by a cryptographic hash function from an input of arbitrary length.

hash-cracking tools

Automated tools used in offline attacks to hash potential passwords and compare them against captured hashes.

knowledge factor

An authentication factor based on something the user knows, such as passwords, PINs, or answers to preselected challenge questions.

leaked credentials

Usernames, emails, and passwords that have been stolen from an organization's database and made available to adversaries or posted online.

location factor

An authentication factor that uses information about Wi-Fi signals, GPS data, time zone settings, or IP address information to determine a user's location and allow or deny access accordingly.

maximum password age

A login setting that prompts users to change their password after a specified number of days (typically 90 or 120 days) to reduce the risk of compromised account access.

Message Digest 5

A cryptographic hash function that is now deprecated due to vulnerabilities in collision resistance.

minimum password length

A login setting that requires passwords to contain at least a specified number of characters to increase resistance to cracking attempts.

multi-factor authentication

A security method that requires users to provide multiple forms of verification, drawn from different factor types, to authenticate and access a system.

offline password attacks

Password attacks that occur on an attacker's own computer using stolen password hashes, so the target system's login logs never record the guesses.

online password attacks

Password attacks that attempt user:password combinations directly against an active authentication portal.

password attack

Adversarial techniques used to compromise user passwords and gain unauthorized access to accounts or systems.

password complexity

A login setting that requires passwords to include characters from multiple character sets (uppercase letters, lowercase letters, numeric digits, and special characters) to increase password strength.

password reuse prevention

A login setting that prevents users from reusing previous passwords by storing and checking against a history of past password hashes.

password spraying

An attack where many users are targeted with common passwords from one or a few IP addresses, often to avoid detection by spreading attempts across multiple accounts.

plaintext

The original, unencrypted (or unhashed) information that is input into an encryption algorithm or hash function.

possession factor

An authentication factor based on something the user has, such as an access card, bank card, cell phone, or authentication token.

pre-image resistance

A property of cryptographic hash functions where it is infeasible to determine the input that generated a given hash output.

rainbow table

A precomputed table containing common passwords and their corresponding hashes, sorted by hash values for efficient lookup.

rainbow table attack

An attack that uses a precomputed table of common passwords and their hashes to quickly identify matching passwords from captured hashes.

salt

Random bits added to a password before hashing to ensure that identical passwords produce different hash outputs for different users.

Secure Hash Algorithm 1

A Secure Hash Algorithm that is now deprecated due to vulnerabilities in collision resistance.

Secure Hash Algorithm 256

A Secure Hash Algorithm that produces a 256-bit hash output and is currently considered secure for cryptographic applications.

Secure Hash Algorithm 512

A Secure Hash Algorithm that produces a 512-bit hash output and is currently considered secure for cryptographic applications.

single-factor authentication

An authentication system that uses only one factor to verify a user's identity.

Frequently Asked Questions

Why do systems store password hashes instead of the actual passwords?

Storing passwords in plaintext means a stolen database instantly exposes every user's credentials. Instead, systems hash each password and store only the hash, so even if an adversary accesses the database they cannot immediately read anyone's password. When a user logs in, the system hashes the entered password and compares it to the stored hash to verify identity.

What is the difference between online and offline password attacks?

Online password attacks target a live login portal, where account lockout settings can slow or stop the adversary. Offline password attacks work against a stolen hash database on the adversary's own computer, completely bypassing any lockout protections because the real authentication system is never contacted.

What are the four types of authentication factors in AP Cybersecurity?

The four authentication factor types are knowledge (something you know, like a password or PIN), possession (something you have, like a phone or access card), biometric (something you are, like a fingerprint or facial scan), and location (somewhere you are, based on GPS, Wi-Fi, or IP address data). Multifactor authentication (MFA) combines at least two different factor types, making it significantly harder for an adversary to gain access.

What is salting and why does it protect against rainbow table attacks?

Salt is a set of unique random bits added to each user's password before it is hashed, so two users with the same password end up with completely different stored hashes. This defeats rainbow table attacks because a rainbow table is built from pre-computed password-to-hash pairs, and unique salt values would require a separate table for every possible salt, making the approach impractical.

What login settings can be configured to make a system more secure?

Admins can require password complexity (characters from multiple character sets), a minimum password length, a maximum password age that prompts periodic changes, a password history that prevents reuse of recent passwords, and a lockout period after a set number of failed login attempts. Each setting targets a specific weakness, such as lockout periods stopping online guessing attacks and complexity requirements slowing brute force cracking.
