Let's Stop Talking About Password Strength by EvilSec: 2:01pm On Jul 09, 2020
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this. Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice. On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behaviour, such as using bcrypt, there is less onus on the user.

But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure. We like giving moral advice because it's easy: just be "stronger".

Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on. What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give the advice that victim-shames them for being weak while pretending that we are strong. So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things. 28 Likes 6 Shares
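The opening post says good sites already enforce length and complexity and store salted, slow hashes, while old sites kept unsalted MD5. The following is an added example, not code from the thread or from any site mentioned in it; it uses only the Python standard library, with scrypt standing in for bcrypt, and the sample accounts are constructed.

```python
"""Added example (not from the thread): the policy and hashing the opening
post describes, next to the unsalted MD5 it calls poor protection. Python
stdlib only; scrypt stands in for bcrypt, which the stdlib does not ship."""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def meets_policy(password: str) -> bool:
    """Policy from the post: at least 8 characters, with letters and non-letters."""
    has_letter = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    return len(password) >= 8 and has_letter and has_other


def legacy_md5(password: str) -> str:
    """Unsalted MD5: equal passwords give equal digests, across users and sites."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a memory-hard KDF; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def shared_digests(store: Dict[str, str]) -> List[List[str]]:
    """Group users whose stored digest is identical. Under unsalted MD5 this
    exposes every account sharing a password (one crack opens all of them);
    under per-user salts every group is a singleton, so nothing is returned."""
    groups = defaultdict(list)
    for user, digest in store.items():
        groups[digest].append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts: ada and bola happen to share a password.
SAMPLE = {"ada": "Summer2020!", "bola": "Summer2020!", "chi": "x7#Pq9mL"}
MD5_STORE = {u: legacy_md5(p) for u, p in SAMPLE.items()}
SALTED_STORE = {u: hash_password(p)[1].hex() for u, p in SAMPLE.items()}
```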
Re: Let's Stop Talking About Password Strength by emmy512(m): 6:36pm On Jul 09, 2020
Password reuse is the main problem. My girl's mom lost her phone at home and I was trying to find out if it was stolen or somewhere in d house by checking its location; she said she'd forgotten the password for the mail. She gave me all sorts of things to use, and it wasn't until she said I should use the name of the email as the password that it opened.... 12 Likes
Re: Let's Stop Talking About Password Strength by EvilSec: 5:15pm On Jul 10, 2020
emmy512: Password = email address? This is a horror story o>_<o~ 22 Likes
Re: Let's Stop Talking About Password Strength by MT: 5:29pm On Jul 10, 2020
EvilSec: I disagree with your write-up. The blame should be shared between careless end-users who compromise their passwords and badly architected solutions. If software is badly designed, passwords can be easily hacked even if you don't compromise your password, e.g. a redirect vulnerability attack. 7 Likes
Re: Let's Stop Talking About Password Strength by EvilSec: 6:10pm On Jul 10, 2020
MT: 1. Open redirects aren't a crit unless they expose auth tokens. 2. Password security is 1% choosing a half-decent password and 99% not using it anywhere else, and also 2FA. Sites get pwned every time. 1 Like 2 Shares
Re: Let's Stop Talking About Password Strength by MT: 6:12pm On Jul 10, 2020
EvilSec: Then you don't know what open redirect is all about. You write using so much abbreviation, I don't seem to understand what you put in there. Let's talk practical and not theory. 2 Likes
Re: Let's Stop Talking About Password Strength by EvilSec: 6:15pm On Jul 10, 2020
MT: Talk is cheap. I found 3 open redirects on NL months back; if you can find at least one and tell me the vulnerable parameter, then I'll assume you're not dumb and you know what you're talking about. Your time starts now.
Re: Let's Stop Talking About Password Strength by MT: 6:17pm On Jul 10, 2020
EvilSec: If you want to have a conversation, don't be rude. You don't throw words around during a conversation. Why would you use the word "dumb" loosely in a professional chat? You feel you are better than everyone else, right? Don't be deceived. 55 Likes 2 Shares
Re: Let's Stop Talking About Password Strength by Karleb(m): 8:29pm On Jul 10, 2020
EvilSec and MT! Make una two calm down abeg. The issue with using a strong password is, you'll most likely forget it. As per password reuse, I think everyone does that. You don't expect me to use 10 different strong passwords for 10 different accounts. Writing down passwords is not good either. I think site owners should do their homework before validating a login/register request. I was trying to log in to my Gmail account the other day from another device and I got sent an OTP; even a password reset on Twitter also requires an OTP. The best remedy is to have an account with sites like LastPass and the likes, build one strong password you can remember for your LastPass account and keep saving other passwords to LastPass. But this also comes with its own trust issues. 9 Likes
Re: Let's Stop Talking About Password Strength by MT: 8:36pm On Jul 10, 2020
Karleb: I no dey fight here. I love a civil conversation. As a professional, there is a need to be conscious of the language you use. I felt it was a thread we could all learn from; didn't know it was a thread where insults and abusive words would be used at will. I am out of here. 4 Likes
Re: Let's Stop Talking About Password Strength by Bahat: 4:25pm On Jul 17, 2020
Nice write-up. I would recommend changing your password often and not recycling passwords across different sites, although most of us are guilty of password recycling. Maybe making a stronger password with the site's recommendation makes decryption stricter and take a longer time. Even changing the password is up to the end user. It's not easy having 10 different passwords in your head. I remember 2FA is not the best mechanism, as it's been bypassed on different occasions. EvilSec:
Re: Let's Stop Talking About Password Strength by EvilSec: 6:47pm On Jul 17, 2020
Bahat: You're right
Re: Let's Stop Talking About Password Strength by EvilSec: 6:47pm On Jul 17, 2020
. 2 Likes
Re: Let's Stop Talking About Password Strength by EvilSec: 6:47pm On Jul 17, 2020
Bahat: Also 2FA is mostly bypassed either through phishing with tools like evilginx or modlishka, or if the site is crap ("lacks rate limiting, etc."). 5 Likes
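The "lacks rate limiting" case in the post above, from the site's side: a 6-digit OTP has only 1,000,000 values, so a server that lets a client keep guessing turns the second factor into a short brute force. The verifier below is an added example, not code from the thread or from any tool it names; it uses only the Python standard library, and the attempt budget and lifetime are assumed values.

```python
"""Added example (not from the thread): an OTP check with the attempt budget
and expiry whose absence the post calls 'lacks rate limiting'."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 5     # assumed budget: guesses allowed per issued code
CODE_LIFETIME = 300  # assumed lifetime in seconds


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class OtpVerifier:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending: Dict[str, Challenge] = {}

    def issue(self, session_id: str) -> str:
        """Issue a fresh 6-digit code; it replaces any code still pending."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = Challenge(code, self._now())
        return code

    def verify(self, session_id: str, guess: str) -> bool:
        """Accept only the live code, and only within its attempt budget."""
        ch = self._pending.get(session_id)
        if ch is None:
            return False
        if self._now() - ch.issued_at > CODE_LIFETIME:
            del self._pending[session_id]  # expired: client must re-issue
            return False
        ch.attempts += 1
        ok = secrets.compare_digest(ch.code, guess)
        # Single use: once accepted or out of budget the code is dead, so a
        # guessing client gets MAX_ATTEMPTS tries per code, not a million.
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]
        return ok


def success_odds_per_code(max_attempts: int = MAX_ATTEMPTS) -> float:
    """Chance a guessing client hits the code before its budget runs out."""
    return max_attempts / 10**6
```

Re-issuing a code resets the budget here, so a real deployment also has to cap how often issue() can be called per session and per destination.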
Re: Let's Stop Talking About Password Strength by EvilSec: 6:57pm On Jul 17, 2020
. 1 Like
Re: Let's Stop Talking About Password Strength by Bahat: 8:27pm On Jul 17, 2020
EvilSec: Oh yeah, I have been checking evilginx phishlets recently.
Re: Let's Stop Talking About Password Strength by FreeMejoor1(m): 4:06pm On Nov 08, 2020
Bahat: Do you have any custom-made evilginx phishlets?
Re: Let's Stop Talking About Password Strength by Bahat: 9:58pm On Nov 08, 2020
FreeMejoor1: Yes, I guess. Talk to me on Telegram if you're serious: @X_hammer
Re: Let's Stop Talking About Password Strength by Najdorf: 7:12am On Nov 09, 2020
Reminds me of how LulzSec (an Anonymous group) pwned one CEO of a security firm. He was using one password for all his major online accounts. You would think a whole head of cyber security would know better. By the time they had taken control of his social media accounts and company website, leaked all of his emails and completely ruined his reputation, he just had to resign, lol. I don't think the company recovered either.
Re: Let's Stop Talking About Password Strength by Bahat: 6:01pm On Nov 09, 2020
Najdorf: Lol, even if he's not caught with his password recycling, it's going to be a third-party app that will do the infiltration. This internet is vulnerable; the major thing is make we no become a possible target. 2 Likes
Re: Let's Stop Talking About Password Strength by EvilSec: 10:50pm On Nov 10, 2020
Bahat: Saw some of your replies under my posts getting deleted. Were you getting shadow banned or what?
Re: Let's Stop Talking About Password Strength by Bahat: 9:24pm On Nov 11, 2020
EvilSec: I might be. Didn't really notice it, but there was a time I couldn't quote or comment under threads for a period of time. I was thinking it's due to site maintenance, but I noticed it's only me on my side.
Re: Let's Stop Talking About Password Strength by Abrahamdgreat(m): 3:01am On Nov 18, 2020
FreeMejoor1: I can help u create any phishlet for any site regardless of the MITM prevention techniques they are using... Ain't cheap though
Re: Let's Stop Talking About Password Strength by YorubaKinging: 11:21am On Nov 18, 2020
The end is near 1 Like 2 Shares
Re: Let's Stop Talking About Password Strength by starbuck(f): 11:21am On Nov 18, 2020
Today.. I am blank and everywhere seems to be void
Re: Let's Stop Talking About Password Strength by BigDawsNet: 11:21am On Nov 18, 2020
A teenager at a funeral asks the priest for the wifi password. The priest is shocked and asks the boy, "Have you no respect for the dead?" The boy hears the priest and responds, "Is that uppercase or lowercase?" 5 Likes
Re: Let's Stop Talking About Password Strength by NotNairalandi(m): 11:22am On Nov 18, 2020
Re: Let's Stop Talking About Password Strength by LightAunt(f): 11:22am On Nov 18, 2020
The most used password in the world is: LOVE
Re: Let's Stop Talking About Password Strength by Enudapan: 11:22am On Nov 18, 2020
Nah eh! No qualms. This is so sophisticated
Re: Let's Stop Talking About Password Strength by slawormiir: 11:22am On Nov 18, 2020
Damnnn niggarrrr Isoright.... We way dey open face book like water...as them dey kill am we dey open another one So you mean say make we dey go through stress of using different password 4 Likes 1 Share