The correct option is State explicit security requirements in comments such as salted hashing with a trusted library and constant time comparison and no plaintext storage. This directs GitHub Copilot with clear constraints so it generates code that aligns with security best practices.

Copilot responds well to precise requirements in inline comments and docstrings. When you specify salted hashing using a trusted library and require a constant time comparison to avoid timing attacks and forbid plaintext storage then the model has concrete acceptance criteria to follow. You can also include the desired function signature and sample inputs and outputs so the generated code is safer and easier to test.

The option Give only a brief prompt to avoid steering Copilot and rely on its general best practices is incorrect because vague prompts tend to produce generic code that can miss critical protections such as salting and constant time comparison. You need to guide the model with explicit requirements.

The option Encrypt raw passwords with Cloud KMS before storing them and ask Copilot to implement that approach is incorrect because passwords should be stored as salted nonreversible hashes rather than encrypted values that can be decrypted. A key management service is useful for managing encryption keys and protecting secrets but it is not the correct method for password verification workflows.

The option Use a very short phrase like validate password and let Copilot infer the rest from its training data is incorrect because very short prompts encourage Copilot to make assumptions and it can reproduce insecure patterns. Being specific about the security controls you require leads to safer output.

Full AWS Practitioner Certification Question