Practice & Assessment
Test your understanding of Authentication Fundamentals
Multiple Choice Questions
A user logs in successfully, then tries to access an admin dashboard they are not allowed to see. The server blocks them. Which concept does this blocking represent?
Why should you use bcrypt instead of SHA-256 to hash user passwords?
What is a salt in the context of password hashing?
Which cookie flag prevents a session cookie from being sent over a plain HTTP connection?
Credential stuffing differs from a brute force attack because it:
Coding Challenges
Build a password hashing utility
Write a Node.js script that accepts a plaintext password as a command-line argument, hashes it with bcrypt at a work factor of 12, and prints the hash. Then write a second command that accepts a plaintext password and a stored hash, compares them with bcrypt.compare, and prints 'MATCH' or 'NO MATCH'. Input: string from process.argv. Output: bcrypt hash string or MATCH/NO MATCH. Constraint: no web server needed, pure Node.js script. Estimated time: 15-20 minutes.
Mini Project
Auth Threat Model Document + Hardened Express Boilerplate
Produce two deliverables. First, write a short threat model (plain text or markdown) that lists the top 4 attack types covered in this module, the specific asset each attack targets, and the primary defense for each. Second, extend the Express boilerplate from lesson 1.5 to: enforce HTTPS redirect in production, add an express-rate-limit middleware on all routes, configure a /register route skeleton that accepts email and password, validates both are present, hashes the password with bcrypt, and returns the hash (no database yet). All secrets must come from .env. The server must start without errors.
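An added example for the second deliverable, not the course's lesson 1.5 boilerplate: the three server behaviours the project asks for (production HTTPS redirect, a rate limiter, and the /register skeleton with env-sourced config) written as plain functions in the (req, res, next) shape Express middleware uses, so they run and can be checked here without installing express or express-rate-limit. The password hasher is injected so a bcrypt-based `hashPassword(plain)` can be plugged in unchanged; the env variable names, the tiny mock response object, and the fixed-window limiter are my own assumptions.

```javascript
// Added example (not the course's boilerplate): Express-shaped middleware and a
// /register handler as plain functions, testable without a running server.
'use strict';

// Settings come from the environment (dotenv loads .env into process.env in the
// real app). Fail fast on a missing secret rather than falling back to a default.
function loadConfig(env) {
  for (const key of ['SESSION_SECRET']) {
    if (!env[key]) throw new Error(`missing required env var ${key}`);
  }
  return {
    isProduction: env.NODE_ENV === 'production',
    sessionSecret: env.SESSION_SECRET,
    rateLimitMax: Number(env.RATE_LIMIT_MAX || 100),
    rateLimitWindowMs: Number(env.RATE_LIMIT_WINDOW_MS || 15 * 60 * 1000),
  };
}

// Production-only HTTPS redirect. Behind a TLS-terminating proxy the original
// scheme arrives in X-Forwarded-Proto; locally, plain http keeps working.
function httpsRedirect(config) {
  return (req, res, next) => {
    const proto = req.headers['x-forwarded-proto'] || req.protocol;
    if (config.isProduction && proto !== 'https') {
      return res.redirect(301, `https://${req.headers.host}${req.originalUrl}`);
    }
    return next();
  };
}

// Fixed-window, in-memory limiter keyed by client IP: the same idea as
// express-rate-limit's default store. `now` is injectable for deterministic tests.
function rateLimit({ max, windowMs }, now = Date.now) {
  const hits = new Map();  // ip -> { count, windowStart }
  return (req, res, next) => {
    const t = now();
    const entry = hits.get(req.ip);
    if (!entry || t - entry.windowStart >= windowMs) {
      hits.set(req.ip, { count: 1, windowStart: t });
      return next();
    }
    entry.count += 1;
    if (entry.count > max) return res.status(429).json({ error: 'Too many requests' });
    return next();
  };
}

// /register skeleton: require both fields, hash the password, return the hash.
// No database yet, so the hash goes straight back in the response.
function registerHandler(hashPassword) {
  return async (req, res) => {
    const { email, password } = req.body || {};
    if (typeof email !== 'string' || email === '' || typeof password !== 'string' || password === '') {
      return res.status(400).json({ error: 'email and password are required' });
    }
    const hash = await hashPassword(password);
    return res.status(201).json({ email, hash });
  };
}

// Minimal stand-in for Express's res so the handlers above can run in this file.
function mockRes() {
  const res = { statusCode: 200, body: null, redirectedTo: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  res.redirect = (code, url) => { res.statusCode = code; res.redirectedTo = url; return res; };
  return res;
}

module.exports = { loadConfig, httpsRedirect, rateLimit, registerHandler, mockRes };
```

Wiring this into Express is `app.use(httpsRedirect(config))`, `app.use(rateLimit({ max: config.rateLimitMax, windowMs: config.rateLimitWindowMs }))` and `app.post('/register', express.json(), registerHandler(p => bcrypt.hash(p, 12)))`; in production, swap the in-memory limiter for express-rate-limit with a shared store so limits hold across multiple server processes.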
