Quiz Entry - updated: 2026.07.14
What is phishing, and why don't the standard password defenses (Argon2, length, rate-limits) stop it?
Phishing is a form of social engineering where the attacker tricks the user into giving up credentials (or executing harmful actions) directly — no password guessing involved.
The defenses for online/offline password attacks all assume the attacker is guessing. In phishing the attacker doesn't guess — the user hands them the real password. So:
- Long passwords? Still typed into the fake page.
- Argon2 hashing? Irrelevant — the attacker has the plaintext.
- Rate-limits? Bypassed — the attacker logs in once with correct credentials.
Phishing variants:
| Variant | Channel | Typical lure |
|---|---|---|
| Email phishing | "Your account is locked, click here to verify" | |
| Spear phishing | Targeted email | Tailored to one person/role using OSINT |
| Whaling | Targeted at executives | Fake CFO/CEO requests, wire transfers |
| Vishing | Phone call | "This is IT, we need to remotely fix your machine" |
| Smishing | SMS | "Your parcel is held up, follow this link to pay" |
| Website phishing | Look-alike domain | paypaI.com (capital i) login form |
Real defenses against phishing:
- User education (but assume it will fail at scale).
- Phishing-resistant 2FA — WebAuthn / FIDO2 / passkeys cryptographically bind credentials to the real origin, so a fake
paypaI.comcan't use them. - Email filtering — SPF, DKIM, DMARC; URL rewriting; sandboxed link previews.
- Browser anti-phishing (Google Safe Browsing).
Tip: WebAuthn / passkeys are the only credential type that is fundamentally phishing-resistant — they refuse to authenticate to the wrong domain, period. SMS and TOTP codes can still be phished in real time.