Index · Interview talking points

1 min read
20 min read
Rapid overview

Interview talking points

  • A02 is about misuse, not broken math — the algorithms are usually fine; the failures are weak/missing encryption, bad key management, and predictable randomness.
  • Cleanly separate hashing vs encryption vs encoding, and general hashing vs password hashing — these two distinctions catch most candidates.
  • For passwords, say Argon2id (or bcrypt/scrypt) with a salt, and explain why a fast hash like SHA-256 is wrong.
  • For transport, lead with TLS 1.2/1.3, HTTPS everywhere, HSTS, real certificate validation, and be able to explain a downgrade/SSL-stripping attack.
  • For data at rest, distinguish disk vs database vs field-level encryption and what each does and does not protect against; recommend AES-256-GCM (authenticated encryption).
  • Frame symmetric vs asymmetric as "asymmetric to establish trust/exchange keys, symmetric to move data," and cite envelope encryption and TLS as the canonical hybrids.
  • Treat key management as the hard part: KMS/HSM/Vault, rotation, separate keys per purpose, least privilege, and never hardcoding keys or secrets.
  • Name the classic mistakes crisply — ECB mode, reused nonce, Math.random() for tokens, MD5/SHA-1, disabled cert validation, and rolling your own crypto — and the correct alternative for each.

See also