Index · Interview talking points
1 min readRapid overview
Interview talking points
- A02 is about misuse, not broken math — the algorithms are usually fine; the failures are weak/missing encryption, bad key management, and predictable randomness.
- Cleanly separate hashing vs encryption vs encoding, and general hashing vs password hashing — these two distinctions catch most candidates.
- For passwords, say Argon2id (or bcrypt/scrypt) with a salt, and explain why a fast hash like SHA-256 is wrong.
- For transport, lead with TLS 1.2/1.3, HTTPS everywhere, HSTS, real certificate validation, and be able to explain a downgrade/SSL-stripping attack.
- For data at rest, distinguish disk vs database vs field-level encryption and what each does and does not protect against; recommend AES-256-GCM (authenticated encryption).
- Frame symmetric vs asymmetric as "asymmetric to establish trust/exchange keys, symmetric to move data," and cite envelope encryption and TLS as the canonical hybrids.
- Treat key management as the hard part: KMS/HSM/Vault, rotation, separate keys per purpose, least privilege, and never hardcoding keys or secrets.
- Name the classic mistakes crisply — ECB mode, reused nonce,
Math.random()for tokens, MD5/SHA-1, disabled cert validation, and rolling your own crypto — and the correct alternative for each.