LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is phishing, and why don't the standard password defenses (Argon2, length, rate-limits) stop it?

Phishing is a form of social engineering where the attacker tricks the user into giving up credentials (or executing harmful actions) directly — no password guessing involved.

The defenses for online/offline password attacks all assume the attacker is guessing. In phishing the attacker doesn't guess — the user hands them the real password. So:

  • Long passwords? Still typed into the fake page.
  • Argon2 hashing? Irrelevant — the attacker has the plaintext.
  • Rate-limits? Bypassed — the attacker logs in once with correct credentials.

Phishing variants:

Variant Channel Typical lure
Email phishing Email "Your account is locked, click here to verify"
Spear phishing Targeted email Tailored to one person/role using OSINT
Whaling Targeted at executives Fake CFO/CEO requests, wire transfers
Vishing Phone call "This is IT, we need to remotely fix your machine"
Smishing SMS "Your parcel is held up, follow this link to pay"
Website phishing Look-alike domain paypaI.com (capital i) login form

Real defenses against phishing:

  • User education (but assume it will fail at scale).
  • Phishing-resistant 2FA — WebAuthn / FIDO2 / passkeys cryptographically bind credentials to the real origin, so a fake paypaI.com can't use them.
  • Email filtering — SPF, DKIM, DMARC; URL rewriting; sandboxed link previews.
  • Browser anti-phishing (Google Safe Browsing).

Tip: WebAuthn / passkeys are the only credential type that is fundamentally phishing-resistant — they refuse to authenticate to the wrong domain, period. SMS and TOTP codes can still be phished in real time.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jul 14, 2026