Skip to content
DevMeme
2531 of 7435
Security by Pull Request Deletion
Security Post #2806, on Feb 27, 2021 in TG

Security by Pull Request Deletion

Why is this Security meme funny?

Level 1: Change The Lock

This is like accidentally posting your house key online, then asking one website to erase the picture of the key so nobody can get in. The real fix is to change the lock, because someone may already have copied the key.

Level 2: The Secret Is Gone

A password list is a collection of words or known leaked passwords that security testers and attackers can use to check whether accounts are protected by weak or reused credentials. Security teams use these lists defensively to test systems. Attackers can use similar lists offensively.

The person in the screenshot appears to think that if their password is removed from the list, hackers will not be able to use it. That is not how leaked information works. If a password was public long enough to be included in a list, you should act as if other people may already have copied it.

GitHub pull requests are useful for changing code and text in a repository. They are not a way to make a secret secret again. Even if the PR deleted the password from the current version, the old version could still exist in history or in someone else's copy. This is why developers learn a hard rule: never commit secrets, and if you do, rotate them immediately. Deleting the line is only part of cleanup.

Level 3: Rotate, Don't Rewrite

The screenshot shows a dark-mode GitHub pull request in danielmiessler / SecLists #155 with the title:

Remove my password from lists so hackers won't be able to hack me

Below it, the branch label reads assafnativ:remove_my_password, the PR is marked Closed, and the interface shows 30 files changed, +2 -32, and Commits 1. The joke is brutal because the proposed security fix misunderstands the entire life cycle of leaked credentials. Once a password appears in a public wordlist, the problem is not that one repository contains it. The problem is that the password is no longer secret.

Security people laugh and wince at this because password lists are not magic hacker spellbooks where removing one line from one file makes the universe forget it. Lists get forked, mirrored, cached, downloaded, indexed, copied into tools, bundled into private collections, and passed around. Git history may retain old content. Search engines or archives may have seen it. Other lists may already contain the same value. A pull request can remove visible text from one branch, but it cannot revoke knowledge.

The correct remediation is credential rotation: change the password everywhere it was used, invalidate active sessions if appropriate, check for reuse across services, enable multi-factor authentication, and assume the exposed value is burned. If the password protected anything important, the investigation also needs to consider whether the account was accessed before the user noticed the leak. Editing a public repository is cosmetic cleanup; changing the secret is the security fix.

The deeper industry pattern is that people often treat passwords like personal possessions instead of shared-risk artifacts. “My password” feels like something you can retrieve or request back. In reality, a password is closer to a bearer token: anyone who knows it can try to use it. That is why security advice is so repetitive about unique passwords and password managers. Reuse turns one leaked credential into many possible compromises, especially through credential stuffing, where attackers try known username-password pairs across other services.

The GitHub framing makes the misunderstanding especially funny. A pull request is a collaborative software mechanism: propose a change, review it, merge or close it. That model works for code. It does not work for secrecy after publication. The screenshot accidentally turns a security incident into an open-source contribution workflow, which is exactly the kind of thing that makes an incident responder stare quietly at the wall for a minute before asking for the rotation plan.

Description

The image is a dark-mode GitHub mobile screenshot from "danielmiessler / SecLists #155". The pull request title reads "Remove my password from lists so hackers won't be able to hack me", with a branch label showing "assafnativ:remove_my_password" pointing toward the repository; the PR is marked "Closed", shows "30 files changed", "+2 -32", a "Review" link, and "Commits 1". The humor is that someone appears to think removing their password from a public security wordlist would make it safe again. For security practitioners, the real fix is password rotation and assuming compromise, not editing history in an open-source repository.

Comments

13
Anonymous ★ Top Pick Once your password is in SecLists, the remediation plan is rotate credentials, not submit a GDPR takedown to `rockyou.txt`.
  1. Anonymous ★ Top Pick

    Once your password is in SecLists, the remediation plan is rotate credentials, not submit a GDPR takedown to `rockyou.txt`.

  2. @O5XIVenera 5y

    What kind of message this post is? I mean how send picture placed under text?

    1. @nuntikov 5y

      Repost

      1. @O5XIVenera 5y

        But how?

        1. @OkeyDot 5y

          Using bot

        2. @OkeyDot 5y

          @ControllerBot, maybe that

          1. @O5XIVenera 5y

            Thx

        3. @pyproman 5y

          Link with two U+200B (Zero width space)

          1. @deerspangle 5y

            Why do people do that though? Seems like it doesn't make anything better, just means the top and bottom get cropped off [on mobile], and the image doesn't show up in the channel photos list?

          2. @DrPratyash 5y

            Will you please explain it to me in detail?? DM me

  3. @NiKryukov 5y

    I post my passwords on Twitter so I can't lose them

    1. @JoseAngelSanchez 5y

      ask me if you ever forget it

  4. @V0W4N 5y

    Hackers can't hack into your database if every request crashes the server

Use J and K for navigation