PLTW Cybersecurity · Unit 1 · Activity 1.1.2 — Deep Dive
A well-built system never keeps your actual password on file. Instead, it runs your password through a cryptographic hash function — a one-way mathematical process that turns input of any length into a fixed-length output called a hash (or digest, or checksum). Well-known hash functions include MD5, SHA-1, and SHA-256 — though MD5 and SHA-1 are now considered deprecated because adversaries found efficient ways to force collisions in their output.
Hashes have four defining properties: they're repeatable (same input always gives the same output), fixed-length (regardless of input size), collision-resistant (hard to find two inputs that produce the same hash), and pre-image resistant (given a hash, you can't work backward to the input).
Password attacks split into two categories, and the distinction matters more than the attack names themselves. Online attacks happen live, against a real authentication portal — which means they show up in login logs. Offline attacks happen after an adversary has already stolen a hash database — the cracking runs on their own hardware, completely invisible to the system being targeted.
A security analyst notices 40 different user accounts each received exactly one failed login attempt within a 10-minute window, all using the password 'Winter2026!'. Separately, an unrelated incident report shows an adversary successfully logged into three IoT cameras using the factory-default admin credentials.
Every authentication method relies on a factor — a category of proof that verifies identity. There are four:
This is the hands-on skill for this activity — configuring the settings that make authentication harder to break, directly on the PLTW virtual server.
| Setting | What it does |
|---|---|
| Complexity | Requires characters from multiple sets (upper, lower, digit, special) |
| Minimum length | Requires a certain number of characters — longer takes exponentially longer to crack |
| Maximum age | Forces a password change after a set number of days (often 90–120) |
| Password history | Stores prior password hashes so users can't immediately reuse an old one |
| Lockout threshold | Locks the account after 3–5 failed attempts, stopping online brute-force attempts |
Your school's IT team wants to reduce the risk of both password spraying and offline brute-force attacks against the student portal. They can enable: (1) a 5-attempt lockout, (2) a 12-character minimum with complexity requirements, (3) MFA via a text code.