Skip to content
DevMeme
4410 of 7435
Dev’s pull request: delete my password from wordlist to stop hackers
Security Post #4830, on Aug 28, 2022 in TG

Dev’s pull request: delete my password from wordlist to stop hackers

Description

The image is a full-page screenshot of a GitHub pull request in the danielmiessler/SecLists repository. The PR header says: “Remove my password from lists so hackers won't be able to hack me #155” and it is marked Open. Tabs show Conversation 104, Commits 9, Files changed 30. The author “assafnatv” provides no description; reaction counters under the comment read 👍 263, 😄 9, 🚀 353, 🎉 80, ❤️ 132. A diff from reviewer “mitcom” removes the lines “liverpool”, “thien”, “bandit”, and “-dolphins” from the file “Passwords/10_million_password_list_top_10000.txt”. The right sidebar lists reviewers, and a tiny CI bar shows +2 - 32. Technically, the meme mocks the misunderstanding that simply deleting a weak password from a public wordlist provides security, illustrating ‘security through obscurity’ fallacies and open-source community humor around password hygiene

Comments

13
Anonymous ★ Top Pick Submitting a PR to erase your password from SecLists: bold move - only nine million forks, every pentester’s SSD, and the Wayback Machine left to force-push
  1. Anonymous ★ Top Pick

    Submitting a PR to erase your password from SecLists: bold move - only nine million forks, every pentester’s SSD, and the Wayback Machine left to force-push

  2. Anonymous

    "Spent 20 years securing production systems only to discover the real vulnerability was users who think removing their password from a public wordlist is how security works."

  3. Anonymous

    This developer just discovered the ultimate zero-day exploit mitigation strategy: if you remove your password from the 'top 10 million passwords' list, attackers literally can't use it against you. It's like deleting yourself from the phone book to prevent spam calls, but for cybersecurity. The 263 thumbs up and multiple approvals suggest this might finally be the security breakthrough the industry has been waiting for - forget MFA, password rotation policies, or bcrypt hashing. Just fork the rainbow table repository and submit a PR removing your credentials. OWASP will probably add this to their Top 10 best practices any day now

  4. Anonymous

    Classic lifecycle: git commit password; git push public; panic PR; git log --grep='ILoveCats123' laughs last

  5. Anonymous

    Defense-in-depth: upstream a PR removing your password from SecLists and trust that every botnet’s CI pipeline is pinned to last quarter’s wordlist

  6. Anonymous

    Security-by-PR: assuming botnets don’t git pull; Hashcat rigs cloned SecLists years ago - use MFA and unique passwords

  7. @callofvoid0 3y

    ah here we go again

  8. @kandiesky 3y

    https://github.com/danielmiessler/SecLists/pull/155 it's real lmao

  9. @IGOTDIS 3y

    the autor wrote a blog post saying it was done as a joke

    1. @RiedleroD 3y

      yup

  10. @walkersubterra 3y

    if you have no password to enter to your account, so you can't be hacked.

    1. @wireva 3y

      actually true. Use email login + yubikey and you are probably way safer than any password

  11. @azizhakberdiev 3y

    To cheat hackers you need to think like a hacker

Use J and K for navigation