How to use the hash & cryptography quiz
- Pick a category or leave it on All categories.
- Click Start Quiz. Each correct answer is explained inline.
- Use the Security+ / CISSP topic coverage as a study checklist.
Hash & Cryptography Quiz
Security+ / CISSP / CySA+ practice on hashing, salting, HMAC, password storage and crypto pitfalls.
Click Start to begin.
Topic coverage
- Hashing basics — one-way function vs encryption, digest length, collision resistance.
- Password storage — salt vs pepper, why MD5 + salt is still dangerous, Argon2id and bcrypt.
- HMAC & MACs — keyed integrity, why HMAC differs from a plain hash.
- Algorithms — SHA-256 vs SHA-3, MD5 / SHA-1 deprecation status, BLAKE3.
Useful reading before the exam
- NIST FIPS 180-4 — SHA family specification.
- OWASP Password Storage Cheat Sheet — Argon2id, bcrypt, scrypt recommendations.
- NIST SP 800-63B — password and authenticator guidance.
- RFC 2104 — HMAC construction.
Frequently asked questions
Which hash algorithms are still safe in 2026?
SHA-256 and SHA-512 from the SHA-2 family, plus SHA-3 and BLAKE3. Avoid MD5 and SHA-1 for any security context.
What is the difference between hashing and encryption?
Hashing is one-way and produces a fixed-length digest. Encryption is reversible with a key and preserves the input data. Hashes verify integrity; encryption protects confidentiality.
Why do passwords need salt and pepper?
Salt is per-user and stops precomputed rainbow-table attacks. Pepper is a server-side secret added to all hashes, kept outside the database, so a DB theft alone does not crack hashes.
What does HMAC give that a plain hash does not?
Authentication. HMAC binds the hash to a shared secret key, so a receiver can verify both integrity and origin — a plain hash proves only that data is unchanged.