I had an argument with an IT professor I know regarding passwords and security. I was mad about my in-laws having a weak WPA1 protected router and the stock password while I insist on having WPA3 and a very strong passphrase.

Well, the discussion continued and later he said something to the point of “everything tries to guess your password, so I don’t have any where it is possible, because the programs don’t know what to do if there isn’t one“

What are your opinions about this?

  • Hobo@lemmy.world
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    That’s a profound misunderstanding of how login brute force works. Also a profound misunderstanding of how credentials cracking/storage works. Basic CTF knowledge would get you that understanding.

    I’m not a security “expert” by any stretch, and I’m not a “hacker” either. I’m just a sysadmin that enjoys HTB/THM CTFs. So with that in mind I’m not super knowledgeable on the approach to attacking wifi specifically.

    However, generally the first thing we all, and by all I mean CTF players, try is blank passwords/anonymous login. For me I do those manually, but I assure you nessus/ZAP have no problems finding those either (I’ve seen those on reports professionally before). To add to that, the first line of my rockyou list is a blank line for the above “blank password” reason. Ffuf/burpe/gobuster/nmap script/my custom python script/whatever are all going to try blank passwords first to see what I get. The program itself doesn’t give a single shit if I pass it a blank string. Not only that but I’m analyzing the return code, and response length to figure out if I got in or not. At no point will any program be fooled by a blank password.

  • seaQueue@lemmy.world
    link
    fedilink
    arrow-up
    8
    ·
    1 year ago

    I’m surprised that dude hasn’t failed his way upward into a fortune 500 leadership position.

  • bless@lemmy.world
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    Blank cred is like the first thing that is tried, right before 1234, admin, and password

  • orca@orcas.enjoying.yachts
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    This is a stupid take. “The programs don’t know what to do” - okay, but people do. This is like not locking your front door at all because you think the lock can be broken. Any lock is better than none. You can set a pass phrase, hide the WiFi SSID, and be done with it. No idea why on earth anyone would just not set any password on a router, or anything for that matter, if there is an option to set one.