
Let's Stop Talking About Password Strength - Programming - Nairaland


Let's Stop Talking About Password Strength by EvilSec: 2:01pm On Jul 09
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behaviour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give advice that victim-shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

28 Likes 6 Shares
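An added example (not from EvilSec's post or from Nairaland) of the two controls the post describes: the front-end rule of at least 8 characters with both letters and non-letters, and a salted, deliberately slow backend hash, shown beside the unsalted MD5 the post contrasts it with. Python's standard-library scrypt stands in for the bcrypt the post names (both are salted and cost-tunable); the record format and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed values for the example; 16 MiB of memory)
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def meets_policy(password: str) -> bool:
    """Front-end rule from the post: at least 8 characters, containing
    both letters and non-letters."""
    if len(password) < 8:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_non_letter = any(not c.isalpha() for c in password)
    return has_letter and has_non_letter


def legacy_md5(password: str) -> str:
    """The decade-old backend scheme the post criticises: unsalted MD5.
    The same password yields the same digest on every site, so a digest
    leaked from one site can be matched against precomputed tables and
    against other sites' leaks."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Returns a self-describing record
    'scrypt$<salt hex>$<key hex>' (constructed format for this example)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    return "scrypt$%s$%s" % (salt.hex(), _derive(password, salt).hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt = bytes.fromhex(parts[1])
    return hmac.compare_digest(_derive(password, salt).hex(), parts[2])


if __name__ == "__main__":
    pw = "correct horse!"  # constructed sample password
    print("policy ok:", meets_policy(pw))
    # Two sites storing the same password: identical under MD5,
    # different (but both verifiable) under salted scrypt.
    print("md5 equal across sites:", legacy_md5(pw) == legacy_md5(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("scrypt records differ:", a != b)
    print("both verify:", verify_password(pw, a) and verify_password(pw, b))
```

Salting stops identical digests across sites and rainbow-table lookups; it does not stop the credential-stuffing that the post argues is the larger risk, which only non-reuse and 2FA address.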

Re: Let's Stop Talking About Password Strength by emmy512(m): 6:36pm On Jul 09
Password reuse is the main problem. My girl's mom lost her phone at home and I was trying to find out if it was stolen or somewhere in the house by checking its location. She said she'd forgotten the password for the mail. She gave me all sorts of things to use and it wasn't until she said I should use the name of the email as the password that it opened....

12 Likes

Re: Let's Stop Talking About Password Strength by EvilSec: 5:15pm On Jul 10
emmy512:
Password reuse is the main problem. My girl's mom lost her phone at home and I was trying to find out if it was stolen or somewhere in the house by checking its location. She said she'd forgotten the password for the mail. She gave me all sorts of things to use and it wasn't until she said I should use the name of the email as the password that it opened....
Password = email address? This is a horror story o>_<o~

22 Likes

Re: Let's Stop Talking About Password Strength by MT: 5:29pm On Jul 10
EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behaviour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give advice that victim-shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

I disagree with your write-up. The blame should be shared between careless end users who compromise their passwords and badly architected solutions. If software is badly designed, passwords can be easily hacked even if you don't compromise your password, e.g. a redirect vulnerability attack.

7 Likes

Re: Let's Stop Talking About Password Strength by EvilSec: 6:10pm On Jul 10
MT:


I disagree with your write-up. The blame should be shared between careless end users who compromise their passwords and badly architected solutions. If software is badly designed, passwords can be easily hacked even if you don't compromise your password, e.g. a redirect vulnerability attack.
1. Open redirects aren't a crit unless they expose auth tokens.
2. Password security is 1% choosing a half-decent password and 99% not using it anywhere else, and also 2FA. Sites get pwned every time.

1 Like 2 Shares

Re: Let's Stop Talking About Password Strength by MT: 6:12pm On Jul 10
EvilSec:

1. Open redirects aren't a crit unless they expose auth tokens.
2. Password security is 1% choosing a half-decent password and 99% not using it anywhere else, and also 2FA. Sites get pwned every time.

Then you don't know what open redirect is all about. You write using so many abbreviations that I don't seem to understand what you put in there. Let's talk practical and not theory.

2 Likes

Re: Let's Stop Talking About Password Strength by EvilSec: 6:15pm On Jul 10
MT:


Then you don't know what open redirect is all about.
Talk is cheap. I found 3 open redirects on NL months back, if you can find at least one, and tell me the vulnerable parameter, then I'll assume you're not dumb and you know what you're talking about.

Your time starts now.
Re: Let's Stop Talking About Password Strength by MT: 6:17pm On Jul 10
EvilSec:

Talk is cheap. I found 3 open redirects on NL months back, if you can find at least one, and tell me the vulnerable parameter, then I'll assume you're not dumb and you know what you're talking about.


Your time starts now.

If you want to have a conversation, don't be rude. You don't throw words around during a conversation. Why would you use the word "dumb" loosely in a professional chat? You feel you are better than everyone else, right? Don't be deceived.

55 Likes 2 Shares

Re: Let's Stop Talking About Password Strength by Karleb(m): 8:29pm On Jul 10
EvilSec and MT! Make una two calm down abeg.

The issue with using strong password is, you'll most likely forget.

As per password reuse, I think everyone does that. You don't expect me to use 10 different strong passwords for 10 different accounts. Writing down passwords is not good either.

I think sites owners should do their homework before validating a login/register request.

I was trying to log in to my Gmail account the other day from another device and I got sent an OTP; even a password reset on Twitter also requires an OTP.


The best remedy is to have an account with sites like Lastpass and the likes, build one strong password you can remember for your Lastpass account and keep saving other passwords to Lastpass.

But this also comes with its own trust issues.

9 Likes

Re: Let's Stop Talking About Password Strength by MT: 8:36pm On Jul 10
Karleb:
EvilSec and MT! Make una two calm down abeg.

The issue with using strong password is, you'll most likely forget.

As per password reuse, I think everyone does that. You don't expect me to use 10 different strong passwords for 10 different accounts. Writing down passwords is not good either.

I think sites owners should do their homework before validating a login/register request.

I was trying to log in to my Gmail account the other day from another device and I got sent an OTP; even a password reset on Twitter also requires an OTP.


The best remedy is to have an account with sites like Lastpass and the likes, build one strong password you can remember for your Lastpass account and keep saving other passwords to Lastpass.

But this also comes with its own trust issues.

I no dey fight here. I love a civil conversation. As a professional, there is a need to be conscious of the language you use. I felt it was a thread we could all learn from; I didn't know it was a thread where insults and abusive words would be used at will. I am out of here.

4 Likes

Re: Let's Stop Talking About Password Strength by Bahat(m): 4:25pm On Jul 17
Nice write-up. I would recommend changing passwords often and not recycling passwords across different sites, although most of us are guilty of password recycling.
Maybe making a stronger password per the site's recommendation makes decryption stricter and slower.

Even changing passwords is up to the end user. It's not easy keeping 10 different passwords in your head.
I remember 2FA is not the best mechanism, as it's been bypassed on different occasions.

EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behaviour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give advice that victim-shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.
Re: Let's Stop Talking About Password Strength by EvilSec: 6:47pm On Jul 17
Bahat:
Nice write-up. I would recommend changing passwords often and not recycling passwords across different sites, although most of us are guilty of password recycling.
Maybe making a stronger password per the site's recommendation makes decryption stricter and slower.

Even changing passwords is up to the end user. It's not easy keeping 10 different passwords in your head.
I remember 2FA is not the best mechanism, as it's been bypassed on different occasions.

You're right
Re: Let's Stop Talking About Password Strength by EvilSec: 6:47pm On Jul 17
.

2 Likes

Re: Let's Stop Talking About Password Strength by EvilSec: 6:47pm On Jul 17
Bahat:
Nice write-up. I would recommend changing passwords often and not recycling passwords across different sites, although most of us are guilty of password recycling.
Maybe making a stronger password per the site's recommendation makes decryption stricter and slower.

Even changing passwords is up to the end user. It's not easy keeping 10 different passwords in your head.
I remember 2FA is not the best mechanism, as it's been bypassed on different occasions.

Also, 2FA is mostly bypassed either through phishing with tools like Evilginx or Modlishka, or if the site is crap (lacks rate limiting, etc.).

5 Likes

Re: Let's Stop Talking About Password Strength by EvilSec: 6:57pm On Jul 17
.

1 Like

Re: Let's Stop Talking About Password Strength by Bahat(m): 8:27pm On Jul 17
EvilSec:

Also, 2FA is mostly bypassed either through phishing with tools like Evilginx or Modlishka, or if the site is crap (lacks rate limiting, etc.).

Oh yeah, I have been checking Evilginx phishlets recently.
Re: Let's Stop Talking About Password Strength by FreeMejoor1(m): 4:06pm On Nov 08
Bahat:


Oh yeah, I have been checking Evilginx phishlets recently.
Do you have any custom-made Evilginx phishlets?
Re: Let's Stop Talking About Password Strength by Bahat(m): 9:58pm On Nov 08
FreeMejoor1:
Do you have any custom-made Evilginx phishlets?

Yes, I guess. Talk to me on Telegram if you're serious: @X_hammer
Re: Let's Stop Talking About Password Strength by Najdorf: 7:12am On Nov 09
Reminds me of how LulzSec (an Anonymous group) pwned one CEO of a security firm. He was using one password for all his major online accounts. You would think the head of a cyber security firm would know better.

By the time they had taken control of his social media accounts, company website, leaked all of his emails and completely ruined his reputation he just had to resign lol. I don't think the company recovered either.
Re: Let's Stop Talking About Password Strength by Bahat(m): 6:01pm On Nov 09
Najdorf:
Reminds me of how LulzSec (an Anonymous group) pwned one CEO of a security firm. He was using one password for all his major online accounts. You would think the head of a cyber security firm would know better.

By the time they had taken control of his social media accounts, company website, leaked all of his emails and completely ruined his reputation he just had to resign lol. I don't think the company recovered either.

Lol, even if he's not caught by his password recycling, it's going to be a third-party app that does the infiltration. This internet is vulnerable; the major thing is make we no become a possible target.

2 Likes

Re: Let's Stop Talking About Password Strength by EvilSec: 10:50pm On Nov 10
Bahat:


Lol, even if he's not caught by his password recycling, it's going to be a third-party app that does the infiltration. This internet is vulnerable; the major thing is make we no become a possible target.
Saw some of your replies under my posts getting deleted. Were you getting shadow banned or what?
Re: Let's Stop Talking About Password Strength by Bahat(m): 9:24pm On Nov 11
EvilSec:

Saw some of your replies under my posts getting deleted. Were you getting shadow banned or what?

I might be. I didn't really notice it, but there was a time I couldn't quote or comment under threads for a period of time. I was thinking it's due to site maintenance, but I noticed it's only me from my side.
Re: Let's Stop Talking About Password Strength by Abrahamdgreat(m): 3:01am On Nov 18
FreeMejoor1:
Do you have any custom-made Evilginx phishlets?
I can help you create any phishlet for any site regardless of the MITM prevention techniques they are using... Ain't cheap though.
Re: Let's Stop Talking About Password Strength by YorubaKinging: 11:21am On Nov 18
The end is near

1 Like 2 Shares

Re: Let's Stop Talking About Password Strength by starbuck(f): 11:21am On Nov 18
Today... I am blank and everywhere seems to be void.
Re: Let's Stop Talking About Password Strength by BigDawsNet: 11:21am On Nov 18
A teenager at a funeral asks the priest for the wifi password.
The priest is shocked and asks the boy "Have you no respect for the dead?"

The boy hears the priests and responds, "Is that uppercase or lowercase?"

5 Likes

Re: Let's Stop Talking About Password Strength by NotNairalandi(m): 11:22am On Nov 18
Re: Let's Stop Talking About Password Strength by LightAunt(f): 11:22am On Nov 18
The most used password in the world is: LOVE
Re: Let's Stop Talking About Password Strength by Enudapan: 11:22am On Nov 18
Nah eh! No qualms
This is so
sophisticated
Re: Let's Stop Talking About Password Strength by slawormiir: 11:22am On Nov 18
Damnnn niggarrrr
Isoright....

We way dey open face book like water...as them dey kill am we dey open another one
So you mean say make we dey go through stress of using different password

4 Likes 1 Share
