PLTW Cybersecurity · Unit 1 · Activity 1.1.2 — Deep Dive

Hashing, Password Attacks, and Authentication

4.2.AConcept

Why Passwords Are Hashed, Not Stored

A well-built system never keeps your actual password on file. Instead, it runs your password through a cryptographic hash function — a one-way mathematical process that turns input of any length into a fixed-length output called a hash (or digest, or checksum). Well-known hash functions include MD5, SHA-1, and SHA-256 — though MD5 and SHA-1 are now considered deprecated because adversaries found efficient ways to force collisions in their output.

MyPassword1!→ hash function →a94f...9d2c

Hashes have four defining properties: they're repeatable (same input always gives the same output), fixed-length (regardless of input size), collision-resistant (hard to find two inputs that produce the same hash), and pre-image resistant (given a hash, you can't work backward to the input).

🔑Salting solves a specific problem: if two users pick the exact same password, they'd get identical hashes — which leaks information. Adding a few random bits (the "salt"), unique per user, before hashing means identical passwords produce completely different stored hashes.
4.2.BAttack

Five Ways Adversaries Attack Passwords

Password attacks split into two categories, and the distinction matters more than the attack names themselves. Online attacks happen live, against a real authentication portal — which means they show up in login logs. Offline attacks happen after an adversary has already stolen a hash database — the cracking runs on their own hardware, completely invisible to the system being targeted.

🕵️ Password Attack Classifier — click each type
OFFLINE
An automated tool systematically tries every possible password combination against a stolen hash until one matches. Slow but exhaustive — given enough time, it works against anything.
⚠️This is the single most tested distinction in this activity: offline attacks leave no authentication log entries, because the login portal is never touched during the actual cracking process. An adversary might steal a hash database today and crack it undetected for weeks.
ExampleWorked Example — Classify the Attack

A security analyst notices 40 different user accounts each received exactly one failed login attempt within a 10-minute window, all using the password 'Winter2026!'. Separately, an unrelated incident report shows an adversary successfully logged into three IoT cameras using the factory-default admin credentials.

4.2.CConcept

Authentication Factors and MFA

Every authentication method relies on a factor — a category of proof that verifies identity. There are four:

Knowledge
Something you know — password, PIN, challenge question.
Possession
Something you have — phone, access card, hardware token.
Biometric
Something you are — fingerprint, face, iris, voice.
Location
Somewhere you are — GPS, Wi-Fi network, IP address.
💡Multifactor authentication (MFA) simply means combining two or more of these factors. A password (knowledge) plus a text code (possession) is MFA. A password plus a security question is not — both are knowledge factors, so it's still single-factor in practice, even though it feels like "two steps."
4.2.DConcept

Configuring Login Settings

This is the hands-on skill for this activity — configuring the settings that make authentication harder to break, directly on the PLTW virtual server.

SettingWhat it does
ComplexityRequires characters from multiple sets (upper, lower, digit, special)
Minimum lengthRequires a certain number of characters — longer takes exponentially longer to crack
Maximum ageForces a password change after a set number of days (often 90–120)
Password historyStores prior password hashes so users can't immediately reuse an old one
Lockout thresholdLocks the account after 3–5 failed attempts, stopping online brute-force attempts
🔑Notice that lockout thresholds only stop online attacks — they rely on the real login portal enforcing the lockout. An adversary running an offline attack against a stolen hash database never interacts with your lockout policy at all. Complexity and length are what actually slow down offline cracking.
ExampleGuided Example — Picking the Right Defense

Your school's IT team wants to reduce the risk of both password spraying and offline brute-force attacks against the student portal. They can enable: (1) a 5-attempt lockout, (2) a 12-character minimum with complexity requirements, (3) MFA via a text code.

Step 1Address the online threat
The lockout threshold directly stops password spraying — after 5 failed attempts, that account stops accepting new attempts, regardless of who's trying.
← Back to Activity 1.1.2Next: Activity 1.1.3 →Email and Social Media Security Risks.
Built with v0