Afam4eva:
I think we need to to back to when people could choose whatever password they deem please whether it's easy to guess or not. It's their freaking choice. These days, people forget their passwords like everyday. What's the point of using complicated passwords if you won't remember them.

EvilSec:

Password = email address? This is an horror story o>_<o~

EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather then give pertinent advice we give lazy advice. We give the advice that victim shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

slawormiir:
Damnnn niggarrrr
Isoright....

We way dey open face book like water...as them dey kill am we dey open another one
So you mean say make we dey go through stress of using different password

EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather then give pertinent advice we give lazy advice. We give the advice that victim shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

EvilSec:

Also 2FA is mostly bypassed either through phishing with tools like evilginx or modliishka or if the site is crap "lacks rate limiting, etc".

zeemahn:


What course did you take to learn all these stuffs about cyber security?

Kobicove:
Using a different password for every website you know only makes your life more complicated...there is no way you will be able to remember all of them

BigDawsNet:
A teenager at a funeral asks the priest for the wifi password.
The priest is shocked and asks the boy "Have you no respect for the dead?"

The boy hears the priests and responds, "Is that uppercase or lowercase?"

Bahat:
Nice writeup, I would recommend changing of pass often and not recycle password use on different sites. Although most of us are guilty of password recycle.
Maybe making stronger pass with site recommendation makes decryption more strictier and longer time to decrypt.

Even changing of password is up to the enduser. It's not easy having 10 different passwords on your head.
I remember 2fa is not the best mechanism as its been bypassed on different occasions

Abrahamdgreat:

I can help u create any phishlet for any site regardless of the MITM prevention techniques they are using... Ain't cheap though