Dev’s pull request: delete my password from wordlist to stop hackers
Description
The image is a full-page screenshot of a GitHub pull request in the danielmiessler/SecLists repository. The PR header says: “Remove my password from lists so hackers won't be able to hack me #155” and it is marked Open. Tabs show Conversation 104, Commits 9, Files changed 30. The author “assafnatv” provides no description; reaction counters under the comment read 👍 263, 😄 9, 🚀 353, 🎉 80, ❤️ 132. A diff from reviewer “mitcom” removes the lines “liverpool”, “thien”, “bandit”, and “-dolphins” from the file “Passwords/10_million_password_list_top_10000.txt”. The right sidebar lists reviewers, and a tiny CI bar shows +2 - 32. Technically, the meme mocks the misunderstanding that simply deleting a weak password from a public wordlist provides security, illustrating ‘security through obscurity’ fallacies and open-source community humor around password hygiene
Comments
13Comment deleted
Submitting a PR to erase your password from SecLists: bold move - only nine million forks, every pentester’s SSD, and the Wayback Machine left to force-push
"Spent 20 years securing production systems only to discover the real vulnerability was users who think removing their password from a public wordlist is how security works."
This developer just discovered the ultimate zero-day exploit mitigation strategy: if you remove your password from the 'top 10 million passwords' list, attackers literally can't use it against you. It's like deleting yourself from the phone book to prevent spam calls, but for cybersecurity. The 263 thumbs up and multiple approvals suggest this might finally be the security breakthrough the industry has been waiting for - forget MFA, password rotation policies, or bcrypt hashing. Just fork the rainbow table repository and submit a PR removing your credentials. OWASP will probably add this to their Top 10 best practices any day now
Classic lifecycle: git commit password; git push public; panic PR; git log --grep='ILoveCats123' laughs last
Defense-in-depth: upstream a PR removing your password from SecLists and trust that every botnet’s CI pipeline is pinned to last quarter’s wordlist
Security-by-PR: assuming botnets don’t git pull; Hashcat rigs cloned SecLists years ago - use MFA and unique passwords
ah here we go again Comment deleted
https://github.com/danielmiessler/SecLists/pull/155 it's real lmao Comment deleted
the autor wrote a blog post saying it was done as a joke Comment deleted
yup Comment deleted
if you have no password to enter to your account, so you can't be hacked. Comment deleted
actually true. Use email login + yubikey and you are probably way safer than any password Comment deleted
To cheat hackers you need to think like a hacker Comment deleted