Tech Vocabulary / Lesson

Authentication vs authorization: know the difference

Authentication: proving who you are

Authentication answers: "Who are you?" When you enter your password, scan your fingerprint, or use Face ID, you're authenticating.

Authorization: what you're allowed to do

Authorization answers: "What can you do?" Once the system knows who you are, authorization decides what you can access. An admin can delete users. A regular user can only edit their own profile.

You can be authenticated but not authorized: you log in successfully but get "access denied" when trying to view sensitive data.
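The two questions map to two separate checks in code. The example below is added here and is not from the original lesson; it uses a constructed in-memory user store (the usernames, passwords, roles and the fixed salt are all made up for the demo) to show a request passing authentication but failing authorization.

```python
import hashlib
import hmac
from typing import Optional

# Constructed user store for the example: each user has a salted PBKDF2 password
# hash and a role. A real system keeps this in a database with a random salt per
# user; the fixed salt and the passwords below are made up for the demo.
_SALT = b"example-fixed-salt"

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

USERS = {
    "alice": {"hash": _hash_password("correct horse battery staple", _SALT), "role": "admin"},
    "bob":   {"hash": _hash_password("bob-password-123456", _SALT), "role": "user"},
}

# The authorization policy: which roles may perform which actions.
PERMISSIONS = {
    "admin": {"view_profile", "edit_own_profile", "delete_user", "view_sensitive_data"},
    "user":  {"view_profile", "edit_own_profile"},
}

def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication answers 'who are you?'. Returns the username on success, else None."""
    record = USERS.get(username)
    candidate = _hash_password(password, _SALT)   # always do the work, even for unknown users,
    if record is None:                             # so response time does not reveal valid usernames
        return None
    return username if hmac.compare_digest(candidate, record["hash"]) else None

def authorize(username: str, action: str) -> bool:
    """Authorization answers 'what can you do?'. Checks the user's role against the policy."""
    role = USERS[username]["role"]
    return action in PERMISSIONS.get(role, set())

def handle_request(username: str, password: str, action: str) -> str:
    """Two separate gates: first prove identity, then check permission for the action."""
    user = authenticate(username, password)
    if user is None:
        return "401 Unauthorized"   # HTTP's (confusing) name for 'not authenticated'
    if not authorize(user, action):
        return "403 Forbidden"      # authenticated, but this user may not do this
    return f"200 OK: {user} performed {action}"

if __name__ == "__main__":
    print(handle_request("bob", "bob-password-123456", "edit_own_profile"))  # 200 OK
    print(handle_request("bob", "bob-password-123456", "delete_user"))       # 403: logged in, not allowed
    print(handle_request("bob", "wrong-password", "view_profile"))           # 401: identity not proven
```

Note that the password check never branches on whether the user exists before hashing, and compares hashes with `hmac.compare_digest`; both are habits that keep the authentication step from leaking information about valid accounts.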

02

Passwords: your first line of defense

What makes a password strong

A strong password is:

  • Long: at least 12 characters, ideally 16+
  • Random: not based on dictionary words, names, or patterns
  • Unique: never reused across sites

A 12-character random password takes centuries to brute force. An 8-character password? Hours or days.
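To make the three rules (long, random, unique) and the brute-force claim concrete, here is an added checker that is not part of the original lesson. It estimates the alphabet a password draws from, computes its entropy, and converts the average brute-force effort into a time using an assumed attacker speed of 10 billion guesses per second (an assumption, labelled in the code); the small list of common words is constructed for the demo.

```python
import math
import string

# Constructed sample of common words; a real checker uses a large breach/dictionary list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "iloveyou", "dragon"}

# Assumed attacker speed for the time estimate (pure assumption for illustration):
# 10 billion guesses per second, roughly an offline GPU attack on a fast hash.
GUESSES_PER_SECOND = 1e10

def charset_size(password: str) -> int:
    """Size of the alphabet the password appears to draw from, by character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # the 32 ASCII symbols
    return size

def entropy_bits(password: str) -> float:
    """Bits of entropy if the password were chosen uniformly at random from its charset."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0

def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to guess a random password of this length and charset: half the keyspace."""
    n = charset_size(password)
    return (n ** len(password)) / 2 / rate

def human_duration(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds >= 100 * year:
        return f"{seconds / year / 100:.0f} centuries"
    if seconds >= year:
        return f"{seconds / year:.1f} years"
    if seconds >= 86400:
        return f"{seconds / 86400:.1f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds:.0f} seconds"

def check_password(password: str, previously_used=()) -> list:
    """Return the rules the password breaks: long, random, unique. Empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("too short: use at least 12 characters, ideally 16+")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("based on a dictionary word or common password")
    if entropy_bits(password) < 64:
        problems.append("not random enough: too few bits of entropy")
    if password in previously_used:
        problems.append("reused: this password was already used elsewhere")
    return problems

if __name__ == "__main__":
    for pw in ("abcdefgh", "Password123!", "x9#Lq2!vB7pZ@4mR"):
        print(pw, round(entropy_bits(pw), 1), "bits,",
              human_duration(brute_force_seconds(pw)), check_password(pw))
```

With the assumed rate, an 8-character password over the full printable set falls in a few days and a random 12-character one takes on the order of hundreds of thousands of years, which is the "hours or days" versus "centuries" contrast above. The entropy figure is only meaningful for passwords that really were generated at random; a human-chosen password with the same character classes is far weaker than the number suggests, which is why the dictionary check runs regardless.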

Password managers: you need one

You cannot remember strong, unique passwords for every service. A password manager generates and stores them for you. You remember one master password.

Popular options:

  • 1Password: paid, business-friendly
  • Bitwarden: free tier, open source
  • Proton Pass: privacy-focused
  • iCloud Keychain: if you're all-in on Apple

Two-factor authentication (2FA): your safety net

Passwords can be stolen via phishing or data breaches. 2FA adds a second verification step: even if someone has your password, they still need the second factor.

Types of 2FA:

  Type              | How it works                                   | Security level
  SMS code          | Text message with 6-digit code                 | Okay, SIM swapping attacks exist
  Authenticator app | Time-based codes (Google Authenticator, Authy) | Better, no phone number involved
  Hardware key      | Physical USB device (YubiKey)                  | Best, requires physical possession
  Push notification | Tap "yes" on your phone                        | Good, but can be annoying

Enable 2FA everywhere you can, especially email, banking, and work accounts.

AI pitfall
AI-generated code often hardcodes API keys and secrets directly in source files. This means credentials end up in version control where anyone with repo access can see them. Always use environment variables or a secrets manager instead.
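The pitfall can be caught before a commit lands. The example below is added here and is not from the lesson: a small scanner that flags credential-looking literals in source text, run over two constructed snippets (the key values in them are fake), next to the environment-variable pattern the text recommends. The regular expressions are illustrative, not an exhaustive detector.

```python
import os
import re

# Patterns for material that does not belong in source control. Illustrative only;
# real scanners carry hundreds of provider-specific patterns plus entropy checks.
SECRET_PATTERNS = [
    ("hardcoded credential assignment",
     re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*["'][^"']{8,}["']""")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

def scan_source(text: str) -> list:
    """Return (line number, pattern label) for every line that looks like it embeds a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings

def load_api_key(name: str = "PAYMENT_API_KEY", env=None) -> str:
    """The recommended pattern: read the secret from the environment (or a secrets manager) at runtime."""
    env = os.environ if env is None else env
    key = env.get(name)
    if not key:
        raise RuntimeError(f"{name} is not set; provide it via the environment or a secrets manager")
    return key

# Constructed snippets. The key values are fake placeholders, not real credentials.
BAD_SOURCE = """\
import requests
API_KEY = "sk_live_EXAMPLE0123456789abcdef"
aws_access_key_id = "AKIAEXAMPLEEXAMPLE12"
def charge(amount):
    return requests.post(PAYMENT_URL, json={"amount": amount}, headers={"Authorization": API_KEY})
"""

GOOD_SOURCE = """\
import os
import requests
API_KEY = os.environ["PAYMENT_API_KEY"]
def charge(amount):
    return requests.post(PAYMENT_URL, json={"amount": amount}, headers={"Authorization": API_KEY})
"""

if __name__ == "__main__":
    print("bad: ", scan_source(BAD_SOURCE))    # two findings, lines 2 and 3
    print("good:", scan_source(GOOD_SOURCE))   # []
```

A check like `scan_source` belongs in a pre-commit hook or CI job so it runs before the file reaches the repository; once a secret has been pushed, rotating it is the only real fix, because the history keeps the old value even after the line is deleted.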

03

HTTPS: the lock icon explained

HTTPS (HTTP Secure) is HTTP, the protocol browsers and servers use to exchange web pages and API data, with encryption added. It encrypts data between your browser and the website, which prevents:

  • Snooping: someone on the same WiFi can't read your data
  • Tampering: no one can modify the data in transit
  • Impersonation: you know you're talking to the real website

How it works (simplified)

When you visit an HTTPS site, your browser and the server perform a "handshake", the initial exchange that establishes the connection and agrees on the rules of communication before any data flows:

  1. Browser asks for the server's public certificate
  2. Server sends certificate (verified by a trusted authority)
  3. Browser and server agree on encryption keys
  4. All communication is encrypted

Under the hood
This uses public-key cryptography. The server has a public key (shared with everyone) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the private key.

If your browser shows a "Not Secure" warning or certificate error, stop. Don't enter passwords or credit card numbers.
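The handshake steps and the "Under the hood" note can be acted out in a few lines. The following is an added example, not code from the lesson: a toy RSA key pair with two small primes stands in for the server's public and private keys, a dictionary stands in for the certificate, and the browser only sends its session secret after the certificate check passes. Everything here (the primes, the hostname, the "Example Root CA" issuer) is constructed for the demo, and the key transport shown is the simplified model the lesson describes; a real browser also verifies the authority's digital signature on the certificate, and modern TLS agrees on keys with a Diffie-Hellman exchange rather than encrypting a secret with the server's public key.

```python
import secrets

# Toy RSA with two small primes, for illustration only. Real keys use primes of
# 1024 bits or more plus padding (OAEP); these constants are constructed for the demo.
def toy_keypair(p: int = 1000003, q: int = 999983):
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)        # (public key, private key)

def encrypt(public_key, message: int) -> int:
    """Anyone holding the public key can do this."""
    e, n = public_key
    assert 0 <= message < n
    return pow(message, e, n)

def decrypt(private_key, ciphertext: int) -> int:
    """Only the holder of the private key can undo it."""
    d, n = private_key
    return pow(ciphertext, d, n)

# Constructed stand-in for the browser's list of trusted certificate authorities.
TRUSTED_AUTHORITIES = {"Example Root CA"}

def browser_accepts(certificate: dict, hostname: str) -> bool:
    """Step 2, simplified: the certificate must name this host and come from a trusted issuer.
    A real browser also checks the issuer's signature over the certificate and its expiry."""
    return certificate["host"] == hostname and certificate["issuer"] in TRUSTED_AUTHORITIES

def handshake(server_cert: dict, server_priv, hostname: str, client_secret=None):
    """Steps 1-3: fetch the certificate, check it, then send a session secret only the server can read.
    Returns (what the browser chose, what the server recovered), or None if the browser refuses."""
    if not browser_accepts(server_cert, hostname):
        return None                                    # the 'Not Secure' case: stop before sending anything
    if client_secret is None:
        client_secret = secrets.randbelow(2 ** 32)     # toy session secret; real ones are 128-256 bits
    wrapped = encrypt(server_cert["public_key"], client_secret)   # this is what crosses the wire
    recovered = decrypt(server_priv, wrapped)                     # step 4 would encrypt traffic with it
    return client_secret, recovered

if __name__ == "__main__":
    pub, priv = toy_keypair()
    cert = {"host": "example.com", "issuer": "Example Root CA", "public_key": pub}
    print(handshake(cert, priv, "example.com"))                   # both sides hold the same secret
    print(handshake(cert, priv, "another.example"))               # None: certificate is for a different host
```

Decrypting the wrapped secret with any other private key yields garbage, which is the property the lesson's last sentence describes; the session secret never travels in the clear, so someone on the same WiFi sees only the ciphertext.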

04

Common threats you should recognize

Phishing

Phishing tricks you into giving up credentials or clicking malicious links via email, text messages (smishing), or phone calls (vishing).

Red flags:

  • Urgent language ("Your account will be suspended!")
  • Generic greetings ("Dear Customer" instead of your name)
  • Suspicious sender addresses
  • Links that don't match the real domain

The rule: When in doubt, go directly to the website by typing the URL. Don't click links in emails.
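The four red flags can be checked mechanically, which is roughly what a mail filter does. The checker below is an added example, not from the lesson: it takes a message as a dictionary, compares the sender's domain and every link's real destination against the brand's expected domain, flags a link whose visible text shows one domain while its `href` goes to another, and looks for urgent wording and a generic greeting. Both messages and the domain `examplebank.com` are constructed for the demo, and the "registered domain" logic is a deliberate simplification (it ignores public suffixes such as `co.uk`).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENT = re.compile(r"(?i)\b(urgent|immediately|suspended|within 24 hours|verify now)\b")
GENERIC_GREETING = re.compile(r"(?i)\bdear (customer|user|member|account holder)\b")
DOMAIN_IN_TEXT = re.compile(r"(?i)(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

def registered_domain(host: str) -> str:
    """Brand-level domain: the last two labels. Simplification: ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(msg: dict, expected_domain: str) -> list:
    """Return (code, detail) pairs for each red flag found; an empty list means none were found."""
    flags = []
    addr = re.search(r"<([^>]+)>", msg["from"])
    sender = addr.group(1) if addr else msg["from"]
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    if sender_domain != expected_domain:
        flags.append(("sender-domain", f"sent from {sender_domain}, not {expected_domain}"))
    plain = re.sub(r"<[^>]+>", " ", msg["body_html"])
    if URGENT.search(msg["subject"] + " " + plain):
        flags.append(("urgent-language", "pressure to act right away"))
    if GENERIC_GREETING.search(plain):
        flags.append(("generic-greeting", "not addressed to you by name"))
    parser = _Links()
    parser.feed(msg["body_html"])
    for href, text in parser.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        if href_domain != expected_domain:
            flags.append(("link-domain", f"link goes to {href_domain}, not {expected_domain}"))
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != href_domain:
            flags.append(("link-text-mismatch",
                          f"link text shows {registered_domain(shown.group(1))} but points to {href_domain}"))
    return flags

# Constructed messages; neither the addresses nor the domains are real.
SUSPICIOUS = {
    "from": "Example Bank Security <alerts@examplebank-verify.com>",
    "subject": "URGENT: your account will be suspended",
    "body_html": '<p>Dear Customer,</p><p>Verify now: '
                 '<a href="http://login.examplebank-verify.com/x">https://www.examplebank.com/login</a></p>',
}
LEGITIMATE = {
    "from": "Example Bank <noreply@examplebank.com>",
    "subject": "Your monthly statement is ready",
    "body_html": '<p>Hi Alice,</p><p>View it on '
                 '<a href="https://www.examplebank.com/statements">your statements page</a>.</p>',
}

if __name__ == "__main__":
    for code, detail in phishing_indicators(SUSPICIOUS, "examplebank.com"):
        print(f"{code:20} {detail}")
    print(phishing_indicators(LEGITIMATE, "examplebank.com"))   # []
```

The link-text check is the one a reader cannot do by eye without hovering over the link, which is why the rule above says to type the URL yourself rather than click.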

Malware

Malware (malicious software) includes viruses, ransomware, and spyware. You get infected by downloading pirated software, opening suspicious email attachments, or clicking malicious ads. Prevent it by keeping software updated, using antivirus, and backing up data regularly.

Social engineering

Social engineering manipulates people into breaking security procedures. Common tactics include pretexting (fake scenarios), baiting (infected USB drives), and tailgating (following someone into a secure building).

The defense: Verify identity before sharing sensitive information. A real IT person won't mind if you call them back through the official number.

05

Quick reference: security fundamentals

  Concept        | What it means               | Real-world example
  Authentication | Proving who you are         | Entering your password
  Authorization  | What you're allowed to do   | Admin can delete accounts, users can't
  2FA            | Second verification step    | Entering a code from your phone
  HTTPS          | Encrypted connection        | Lock icon in your browser
  Phishing       | Fake emails to steal credentials | "Your account is locked, click here"
  Malware        | Malicious software          | Ransomware that encrypts your files