How to use the hash & cryptography quiz
- Pick a category or leave it on All categories.
- Click Start Quiz. Each correct answer is explained inline.
- Use the Security+ / CISSP topic coverage as a study checklist.
Hash & Cryptography Quiz
Security+ / CISSP / CySA+ practice on hashing, salting, HMAC, password storage and crypto pitfalls.
Click Start to begin.
Topic coverage
- Hashing basics — one-way function vs encryption, digest length, collision resistance.
- Password storage — salt vs pepper, why MD5 + salt is still dangerous, Argon2id and bcrypt.
- HMAC & MACs — keyed integrity, why HMAC differs from a plain hash.
- Algorithms — SHA-256 vs SHA-3, MD5 / SHA-1 deprecation status, BLAKE3.
Useful reading before the exam
- NIST FIPS 180-4 — SHA family specification.
- OWASP Password Storage Cheat Sheet — Argon2id, bcrypt, scrypt recommendations.
- NIST SP 800-63B — password and authenticator guidance.
- RFC 2104 — HMAC construction.
Frequently asked questions
Which hash algorithms are still safe in 2026?
SHA-256 and SHA-512 from the SHA-2 family, plus SHA-3 and BLAKE3. Avoid MD5 and SHA-1 for any security context.
What is the difference between hashing and encryption?
Hashing locks data into a fixed-length fingerprint. You can't reverse it—that's the point. Encryption works the opposite way: it scrambles your data but leaves a key to unscramble it later. Use hashing when you need to prove something hasn't changed. Use encryption when you need to hide it.
Why do passwords need salt and pepper?
Salt is per-user and stops precomputed rainbow-table attacks. Pepper is a server-side secret added to all hashes, kept outside the database, so a DB theft alone doesn't crack hashes.
What does HMAC give that a plain hash does not?
Authentication. HMAC binds the hash to a shared secret key, so a receiver can verify both integrity and origin — a plain hash proves only that data is unchanged.