PLTW Cybersecurity  ·  Unit 1: Introduction to Cybersecurity  ·  Activity 1.1.2

Password Protection and Authentication

Hashing, password attacks, and configuring real login defenses  ·  Approx. 2 class days

StarringPassword → Hash Function → DigestOnline attacks log. Offline attacks don't.

Use this as a quick reference for the five password attack types, online vs. offline, hashing, and the four authentication factors.

Password Attacks and Authentication Defenses infographic

🧭 Plot Summary

A password is only as strong as the system storing it. Well-designed systems never store your actual password — they store a hash, a one-way scrambled version created by feeding your password through a cryptographic hash function. Even a tiny change to the input completely changes the output, and there's no way to reverse a hash back into the original password.

But hashing alone isn't enough. Adversaries have built an entire toolkit for attacking passwords anyway — and knowing the difference between an online attack (happening live, against a real login page) and an offline attack (happening on the adversary's own machine, against a stolen hash database) is one of the most exam-relevant distinctions in this whole unit.

Five password attacks to know

Brute Force
Tries every possible password — offline
Dictionary
Tries a list of common passwords — offline
Rainbow Table
Looks up precomputed hashes — offline
Password Spraying
One common password, many accounts — online
Credential Stuffing
Stolen or default credentials, many accounts — online

What you will do in this lesson

  • Read a login log and identify the signs of an in-progress password attack.
  • Understand why hashing and salting keep stored passwords safe even in a data breach.
  • Tell apart the five major password attack types — and which ones are online vs. offline.
  • Learn the four authentication factors and why multifactor authentication matters.
  • Configure real login and lockout settings on a virtual server.

Why it matters

Authentication is the front door to every system you'll ever secure. This is the first activity where you're not just discussing concepts — you're configuring real login settings on the PLTW virtual server, the same skill tested directly in AP FRQ Scenario 4B.

Self-Check Before You Roll On

Check off each item as you get there. These are not grades — they are your own signal.

Built with v0