I had an argument with an IT professor I know regarding passwords and security. I was mad about my in-laws having a weak WPA1 protected router and the stock password while I insist on having WPA3 and a very strong passphrase.
Well, the discussion continued and later he said something to the point of “everything tries to guess your password, so I don’t have any where it is possible, because the programs don’t know what to do if there isn’t one“
What are your opinions about this?
That’s a profound misunderstanding of how login brute force works. Also a profound misunderstanding of how credentials cracking/storage works. Basic CTF knowledge would get you that understanding.
I’m not a security “expert” by any stretch, and I’m not a “hacker” either. I’m just a sysadmin that enjoys HTB/THM CTFs. So with that in mind I’m not super knowledgeable on the approach to attacking wifi specifically.
However, generally the first thing we all, and by all I mean CTF players, try is blank passwords/anonymous login. For me I do those manually, but I assure you nessus/ZAP have no problems finding those either (I’ve seen those on reports professionally before). To add to that, the first line of my rockyou list is a blank line for the above “blank password” reason. Ffuf/burpe/gobuster/nmap script/my custom python script/whatever are all going to try blank passwords first to see what I get. The program itself doesn’t give a single shit if I pass it a blank string. Not only that but I’m analyzing the return code, and response length to figure out if I got in or not. At no point will any program be fooled by a blank password.
I’m surprised that dude hasn’t failed his way upward into a fortune 500 leadership position.
The programs (whatever that means) will just connect…
This is a stupid take. “The programs don’t know what to do” - okay, but people do. This is like not locking your front door at all because you think the lock can be broken. Any lock is better than none. You can set a pass phrase, hide the WiFi SSID, and be done with it. No idea why on earth anyone would just not set any password on a router, or anything for that matter, if there is an option to set one.
Blank cred is like the first thing that is tried, right before 1234, admin, and password
That sounds even worse than security by obscurity.
What are your opinions about this?
I just don’t understand his statement , can you elaborate more?
His statement is that he has no password whatsoever because it is more secure than having a strong password
He’s very, very wrong and there are some good answers above as to the why.
Did he give you an example application where he practices this password-free lifestyle?
Yes and what is the name of his pet?