Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather then give pertinent advice we give lazy advice. We give the advice that victim shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

Password reuse is the main problem, my girls mom lost her phone at home and i was trying to find out if it was stolen or somewhere in d house by checking it's location, she said she'd forgot the password for the mail. She gave me all sort of things to use and it wasn't untill she said i should use the name of the email as password and it opened....

emmy512:
Password reuse is the main problem, my girls mom lost her phone at home and i was trying to find out if it was stolen or somewhere in d house by checking it's location, she said she'd forgot the password for the mail. She gave me all sort of things to use and it wasn't untill she said i should use the name of the email as password and it opened....

Password = email address? This is an horror story o>_<o~

EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather then give pertinent advice we give lazy advice. We give the advice that victim shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

I disagree with your write up. The blames should be shared between careless end-users who compromise their passwords as well as badly architected solution. If a software is badly designed, password can be easily hacked even if you don't compromise your password e g. Redirect vulnerability attack

MT:


I disagree with your write up. The blames should be shared between careless end-users who compromise their passwords as well as badly architected solution. If a software is badly designed, password can be easily hacked even if you don't compromise your password e g. Redirect vulnerability attack

1. Open redirects isn't a crit unless it exposes auth tokens.
2. Password security is 1% choosing a half-decent password and 99% not using it anywhere else, and also 2FA. Sites get pwned everytime.

EvilSec:

1. Open redirects isn't a crit unless it exposes auth tokens.
2. Password security is 1% choosing a half-decent password and 99% not using it anywhere else, and also 2FA. Sites get pwned everytime.

Then you don't know what open redirect is all about. You write using so much abbreviation, I don't seem to understand what you put in there. Let's talk practical and not theory

MT:


Then you don't know what open redirect is all about.

Talk is cheap. I found 3 open redirects on NL months back, if you can find at least one, and tell me the vulnerable parameter, then I'll assume you're not dumb and you know what you're talking about.

Your time starts now.

EvilSec:

Talk is cheap. I found 3 open redirects on NL months back, if you can find at least one, and tell me the vulnerable parameter, then I'll assume you're not dumb and you know what you're talking about.


Your time starts now.

If you want to have a conversation, don't be rude. You don't throw words around during conversation. Why would you use the word "dumb" loosely in a professional chat?. You feel you are better than everyone else, right? Don't be deceived

EvilSec and MT! Make una two calm down abeg.

The issue with using strong password is, you'll most likely forget.

As per password reuse, I think everyone does that. You don't expect me to use 10 different strong password for 10 different accounts. Writing down passwords is even not good.

I think sites owners should do their homework before validating a login/register request.

I was trying to login into my Gmail account the other day from another device and I got sent a OTP, even password reset on Twitter also requires OTP.


The best remedy is to have an account with sites like Lastpass and the likes, build one strong password you can remember for your Lastpass account and keep saving other passwords to Lastpass.

But this also comes with its own trust issues.

Karleb:
EvilSec and MT! Make una two calm down abeg.

The issue with using strong password is, you'll most likely forget.

As per password reuse, I think everyone does that. You don't expect me to use 10 different strong password for 10 different accounts. Writing down passwords is even not good.

I think sites owners should do their homework before validating a login/register request.

I was trying to login into my Gmail account the other day from another device and I got sent a OTP, even password reset on Twitter also requires OTP.


The best remedy is to have an account with sites like Lastpass and the likes, build one strong password you can remember for your Lastpass account and keep saving other passwords to Lastpass.

But this also comes with its own trust issues.

I no dey fight here. I love a civil conversation. As a professional, there is a need to be conscious of the language you use. I felt it was a thread we could all learn, didnt know it was a thread that insults and abusive words would be used at will. I am out of here.

Nice writeup, I would recommend changing of pass often and not recycle password use on different sites. Although most of us are guilty of password recycle.
Maybe making stronger pass with site recommendation makes decryption more strictier and longer time to decrypt.

Even changing of password is up to the enduser. It's not easy having 10 different passwords on your head.
I remember 2fa is not the best mechanism as its been bypassed on different occasions

EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather then give pertinent advice we give lazy advice. We give the advice that victim shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

Bahat:
Nice writeup, I would recommend changing of pass often and not recycle password use on different sites. Although most of us are guilty of password recycle.
Maybe making stronger pass with site recommendation makes decryption more strictier and longer time to decrypt.

Even changing of password is up to the enduser. It's not easy having 10 different passwords on your head.
I remember 2fa is not the best mechanism as its been bypassed on different occasions

You're right

.

Bahat:
Nice writeup, I would recommend changing of pass often and not recycle password use on different sites. Although most of us are guilty of password recycle.
Maybe making stronger pass with site recommendation makes decryption more strictier and longer time to decrypt.

Even changing of password is up to the enduser. It's not easy having 10 different passwords on your head.
I remember 2fa is not the best mechanism as its been bypassed on different occasions

Also 2FA is mostly bypassed either through phishing with tools like evilginx or modliishka or if the site is crap "lacks rate limiting, etc".

.

EvilSec:

Also 2FA is mostly bypassed either through phishing with tools like evilginx or modliishka or if the site is crap "lacks rate limiting, etc".

Oh yeah have been checking evilginx phishlet recently

Bahat:


Oh yeah have been checking evilginx phishlet recently

do you have any custom made evilginx phishlets

FreeMejoor1:
do you have any custom made evilginx phishlets

Yes I guess, talk to me on telegram if you serious @X_hammer

Reminds of how Lulzsec(an Anonymous group) pawned one CEO of a security firm. He was using one password for all his major online accounts. You would think a whole head of a cyber security would know better.

By the time they had taken control of his social media accounts, company website, leaked all of his emails and completely ruined his reputation he just had to resign lol. I don't think the company recovered either.

Najdorf:
Reminds of how Lulzsec(an Anonymous group) pawned one CEO of a security firm. He was using one password for all his major online accounts. You would think a whole head of a cyber security would know better.

By the time they had taken control of his social media accounts, company website, leaked all of his emails and completely ruined his reputation he just had to resign lol. I don't think the company recovered either.

Lol even if he's not caught with his password recyle its going to be a third party app that will do the infiltration. This internet is vulnerable, the major thing is make we no become a possible target.

Bahat:


Lol even if he's not caught with his password recyle its going to be a third party app that will do the infiltration. This internet is vulnerable, the major thing is make we no become a possible target.

Saw some of your replies under my posts getting deleted. Were you getting shadow banned or what?

EvilSec:

Saw some of your replies under my posts getting deleted. Were you getting shadow banned or what?

I might be. Didn't really notice it, but there was a time I couldn't quote or comment under threads for a period of time. I was thinking its due to site maintenance but I noticed its only me from my side.

FreeMejoor1:
do you have any custom made evilginx phishlets

I can help u create any phishlet for any site regardless of the MITM prevention techniques they are using... Ain't cheap though

The end is near

Today.. I am blank and everywhere seems to be void

A teenager at a funeral asks the priest for the wifi password.
The priest is shocked and asks the boy "Have you no respect for the dead?"

The boy hears the priests and responds, "Is that uppercase or lowercase?"

The most used password in the world is ; LOVE

Nah eh! No qualms
This is so
sophisticated

Damnnn niggarrrr
Isoright....

We way dey open face book like water...as them dey kill am we dey open another one
So you mean say make we dey go through stress of using different password