Practice the core ideas behind password authentication, including hashing, salting, password verification, and common security risks.
Read each problem carefully. Show your thinking in the space provided. Do not write real passwords that you use in your own life.
Protecting passwords with hashing, salting, and secure login design
Computer Science - Grade 9-12
- 1
In a secure authentication system, why should a website avoid storing users' passwords in plain text?
- 2
Define a cryptographic hash function in the context of password storage.
- 3
A user creates the password Tiger77!. The system stores the hash value 9f4a... instead of the original password. During login, what should the system do to check whether the user typed the correct password?
- 4
Explain the difference between encryption and hashing.
- 5
What is a salt in password hashing, and why is it useful?
- 6
Two users choose the same password, Sunshine2025. User A has salt K81 and User B has salt Z44. Explain why their stored hashes should be different.
- 7
A student says, 'If a database stores password hashes, attackers cannot guess any passwords.' Explain why this statement is not fully correct.
- 8
What is a brute-force attack on passwords?
- 9
What is a dictionary attack on passwords, and how is it different from a full brute-force attack?
- 10
A login system stores passwords using SHA-256 with no salt. Identify one weakness of this design for password storage.
- 11
Name one password hashing algorithm designed specifically for storing passwords, and explain why such algorithms are preferred over fast general-purpose hashes.
- 12
A website limits users to 8-character passwords and does not allow symbols. Explain why this may reduce security.
- 13
Put these authentication steps in a secure order: compare hashes, receive password from login form, hash the submitted password with the stored salt, allow or deny access.
- 14
Explain why multi-factor authentication can improve security even when password hashing is used.
- 15
A company discovers that its password database was stolen. The database contains salted password hashes, not plain text passwords. List two actions the company should take and explain why.