cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from Dutch Tax Authorities (Belastingdienst).
At least 8 and at most 25 characters, of which at least 3 of the characters were not used in the previous password.
No more than 3 of the same characters.
At least 1 upper case and 4 lower case characters.
No more than 3 special characters.
It's not like hashing passwords is a thing or something.
https://dumbpasswordrules.com/sites/dutch-tax-authorities-belastingdienst/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Just curious, does anyone still use #PortKnocking, or has stuff like Tailscale relegated that to the bitbucket of #infosec praxis?
This dumb password rule is from College Board.
Password must be 9-30 characters with at least one upper case letter, one lower case letter, one number and one special character (no spaces) and be different than your username.
https://dumbpasswordrules.com/sites/college-board/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sprint.
Sprint "upgraded" their security and disallow special characters.
https://dumbpasswordrules.com/sites/sprint/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Holy shit, Microsoft. Whoever made this decision should be fired. Into the Sun.
This dumb password rule is from NVV (Nordhessische VerkehrsVerbund).
Password length must be 4 to 10 characters with only a few special characters allowed.
https://dumbpasswordrules.com/sites/nvv-nordhessische-verkehrsverbund/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
A very good article by @ggpsv (& Tunnel and Fortress graduate) surveying the state of container security in light of the recent #copyfail vuln. He makes a strongly-argued case for rootless Podman, with a defence-in-depth and isolationist strategy limiting damage in the event of privilege escalation in containerised deployment contexts.
https://garrido.io/notes/podman-rootless-containers-copy-fail/
Ra (Freyja) (it/its)𒀭𒈹𒍠𒊩 [it/its; q=1.0, she/her; q=0.9; they/them; q=0.1, */*; q=0.0] » 🌐
@freya@social.highenergymagic.net
hey so. looking for a job (NZ, or fully remote and willing to hire a Kiwi) in SRE, security, or Linux/Unix system administration. 15 years experience administering Linux and Unix boxes, intermediate level of experience working with docker compose and containerisation and container security. No prior job experience unfortunately, all those 15 years were mostly personal projects and small-scale stuff for friends. I'm also 26, so I started when I was 11, explaining the no jobs so far. Currently running an entire multi-machine personal cloud infrastructure with a demonstration of all the services I have running at https://status.highenergymagic.net. Three machines, 72 docker containers. One running most of them, one running Mastodon+glitchsocial, one running the uptime monitor. Encrypted root on ZFS, Alpine Linux, gVisor on supported containers, plan to move to Kata. Entirely willing to accept entry-level job placements, no expectation of being paid a lot or anything, just want to be doing something and move the needle a little on my current "being broke" status. Currently using gVisor, docker compose, and Kata containers in production, experience with Linux, docker, Net/Open/FreeBSD, Cisco IOS, Juniper Junos, Mikrotik and UniFi, configuring and administering Asterisk, plus extensive experience with IBM AIX and Sun Solaris. #fedihired #infosec #cybersecurity #linux #unix #docker #sre #DevOps #GetFediHired
Please boost for reach, any job offers please DM me.
https://www.theregister.com/2026/05/02/ncsc_brace_for_patch_tsunami/
The patch tsunami is coming. #infosec
"All organizations have 'technical debt'; a backlog of technical issues – that is both expensive and time-consuming – as a result of prioritising short-term gains over building resilient products.
Artificial Intelligence, when used by sufficiently-skilled and knowledgeable individuals, is showing the ability to exploit this technical debt at scale and at pace across the technology ecosystem. The result is likely to be a "forced correction" as those weaknesses are uncovered and addressed in bulk"
I am looking for a few more US-based early adopters to provide feedback on a protective DNS service offering aligned with NIST SP 800-81 Rev. 3 (March 2026).
https://csrc.nist.gov/pubs/sp/800/81/r3/final
This service merges Zero Trust and DNS without requiring client-side agents. Supports mobile devices, browsers, server hardware & IoT.
If you're interested in providing feedback on this service as a free beta tester, email me at:
securednsbeta@techliterate.co
This dumb password rule is from PagoMisCuentas.
Password must be between 8 and 15 alphanumeric characters, and have at least one uppercase and one lowercase letter.
https://dumbpasswordrules.com/sites/pagomiscuentas/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Did a good zero-knowledge-to-full-control-of-web-app, no-tools pen test last week.
1. found /.git/config was readable
2. said config file contained GitHub personal access token
3. cloney cloney clone clone
4. review app source, find lots of debug holes and frankly, nasty sql injection issues
5. find hardcoded cloud storage credentials in source
6. party like it were the early 2000s, I guess
This dumb password rule is from Banca Intesa Serbia.
Online banking portal of Banca Intesa Serbia has some password restrictions.
This is the translation of the requirements:
No special characters, minimum number of characters is 8, maximum number of characters is 22, minimum number of upper case letters is 1, lower case also 1, numeric characters...
https://dumbpasswordrules.com/sites/banca-intesa-serbia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Mobility.
The username is the customer number, which is sequential and cannot be changed, currently 7 digits long for new customers.
The password has to be exactly 6 digits long, only numbers allowed.
https://dumbpasswordrules.com/sites/mobility/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Experiment update
Amazon are 2/2 for hitting the QR canary token - same CDN, same non-phone user agent each time. Seems to happen async after the delivery, maybe 20 mins or so later.
Actual delivery photo from today below.
Only other test subject so far is Fedex, they did not trigger the QR.
This dumb password rule is from Wageworks.
In addition to the following rules regarding passwords...
- 8-20 characters in length
- Include at least 4 of the following: lowercase letter, uppercase letter, number AND symbol
- Not include your last name, first name or space
Your new password should be different from your previous twenty pas...
https://dumbpasswordrules.com/sites/wageworks/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CloverSecurity.
* Password restricts quantity of characters "of same case", making [correcthorsebatterystaple](https://xkcd.com/936/)-style passwords problematic
* No feedback for which rules are broken
* Unlisted prohibited characters
https://dumbpasswordrules.com/sites/cloversecurity/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Rediff.
A maximum password length of 12. The hidden requirements are:
- at least 1 uppercase letter
- at least 1 lowercase letter
- at least 1 numeric character
- at least 1 special symbol (which can not be ^, %)
https://dumbpasswordrules.com/sites/rediff/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Zurich.
Password must be EXACTLY 8 characters long.
Alpha numeric characters ONLY.
The first character must be alphabetic.
NO spaces.
The new Password cannot be the same as the last 32 passwords you have used. (they actually store your last 32 passwords)
https://dumbpasswordrules.com/sites/zurich/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Really Useful Storage Boxes.
- Have a length between 8 and 20 alphanumeric characters (without accents)
- Contain at least 1 CAPITAL letter
- Contain at least 1 lowercase letter
- Contain at least 1 numeric character
- Contain at least 1 special character taken from the following list: *$@&()[]{}=#.-!?+/£€%
https://dumbpasswordrules.com/sites/really-useful-storage-boxes/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Has anyone here heard anything about GiveHero? Work's using it for a fitness challenge thing and while I'm ok with handing out a week of fitness data for some fun community building nonsense with my new coworkers I'd rather not find out the app is a front for some military-industrial complex spyware or something.
Fresh gist: mitigating CVE-2026-31431 ("Copy Fail") on RHEL 8/9/10 with a tiny Ansible playbook.
It blacklists algif_aead via a kernel boot arg (initcall_blacklist=algif_aead_init), reboots only when needed, and asserts the mitigation actually stuck after reboot. Idempotent & safe to re-run.
https://codeberg.org/Larvitz/gists/src/branch/main/2026/20260501-CVE-2026-31431_RHEL_Mitigation.md
#Ansible #RHEL #Linux #InfoSec #SysAdmin #DevOps #CVE #CVE_2026_31431 #copyfail
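The shape of a playbook that does what the post describes, written here as an added example and not the linked gist's own code: it assumes `grubby` is present (it is on RHEL 8/9/10) and an inventory group named `rhel_hosts`. Only the boot argument `initcall_blacklist=algif_aead_init` comes from the post; the tasks, names and the lsmod check are this example's.

```yaml
# Added example playbook (not the linked gist): blacklist the algif_aead init call on RHEL via a
# kernel boot argument, reboot only if the running kernel lacks it, then assert that it stuck.
- name: Mitigate CVE-2026-31431 (Copy Fail) by blacklisting algif_aead_init
  hosts: rhel_hosts            # assumed inventory group
  become: true
  vars:
    copyfail_bootarg: "initcall_blacklist=algif_aead_init"
  tasks:
    - name: Read the running kernel command line
      ansible.builtin.slurp:
        src: /proc/cmdline
      register: cmdline_raw

    - name: Check whether the boot loader entries already carry the argument
      ansible.builtin.command: grubby --info=ALL
      register: grubby_info
      changed_when: false

    - name: Add the boot argument to every kernel entry (idempotent: skipped when present)
      ansible.builtin.command: "grubby --update-kernel=ALL --args={{ copyfail_bootarg }}"
      when: copyfail_bootarg not in grubby_info.stdout

    - name: Reboot only when the running kernel does not yet have the argument
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: copyfail_bootarg not in (cmdline_raw.content | b64decode).split()

    - name: Re-read the kernel command line after any reboot
      ansible.builtin.slurp:
        src: /proc/cmdline
      register: cmdline_after

    - name: Check whether algif_aead is loaded (it cannot be if its initcall is blacklisted)
      ansible.builtin.shell: lsmod | awk '$1 == "algif_aead"'
      register: algif_loaded
      changed_when: false

    - name: Assert the mitigation is in effect on the running kernel
      ansible.builtin.assert:
        that:
          - copyfail_bootarg in (cmdline_after.content | b64decode).split()
          - algif_loaded.stdout | length == 0
        fail_msg: "algif_aead_init is not blacklisted on the running kernel"
```

The final assert is the part that matters operationally: editing the boot loader configuration changes nothing until the next boot, so the check reads `/proc/cmdline` after the (conditional) reboot rather than trusting the grubby edit, and it confirms the module is absent from lsmod rather than merely that the argument is present.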
Thinking about two-part cryptography tokens got me sad - Alexa, play...
Dos PASETO #infosec #cybersecurity
This dumb password rule is from Easybank (Austrian direct bank).
- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at l...
https://dumbpasswordrules.com/sites/easybank-austrian-direct-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
trying a new thing, have 3D printed a QR code and put it on the front porch
QR code triggers a canary token
want to see if any of the delivery companies are using the drop off proof of delivery pics to train AI
A lot of people are apparently happily running a script clearly marked as a root exploit from some random website using curl | bash
Some do inspect the script, but then still run it using curl | bash anyway.
Incidentally, this very relevant blogpost about detecting curl | bash and serving different scripts based on that is almost exactly a decade old:
https://web.archive.org/web/20230318063325/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
This dumb password rule is from Turkish Airlines.
- Your password must consist of 6 digits
- Make sure that your password does not contain your date of birth or three consecutive digits...
- but two is OK, for sure.
- ... and that the same number is not repeated three or more times.
- but two times is probs OK
https://dumbpasswordrules.com/sites/turkish-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Trying to run that exploit from a container running in my cluster. No luck so far on account of dropping capabilities and maybe also seccomp RuntimeDefault on every container in the cluster that has python installed. (I know python isn't strictly required but I'm lazy.) I also want to test how this works with host user namespace disabled. Time to spin up a test container since all of the existing workload containers got nowhere. hostUsers: false
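The three settings the post mentions (dropped capabilities, seccomp RuntimeDefault, and a disabled host user namespace) expressed as one Pod spec, added here as an example that is not the poster's own manifest; the pod and image names are placeholders, and `runAsNonRoot` and `allowPrivilegeEscalation: false` are standard hardening settings added beyond what the post lists.

```yaml
# Added example (not the poster's manifests): a Pod hardened with the settings named in the post.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-example            # placeholder name
spec:
  hostUsers: false                  # pod runs in a user namespace; root in the pod is not root on the node
  securityContext:
    seccompProfile:
      type: RuntimeDefault          # container runtime's default seccomp profile for every container
    runAsNonRoot: true              # added beyond the post: refuse to start as UID 0
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false # added beyond the post: no setuid/file-capability gains
        capabilities:
          drop: ["ALL"]             # drop every capability, as the post's cluster does
```

Whether this combination stops a given kernel exploit is exactly what the post is testing rather than something the spec guarantees; `hostUsers: false` requires a cluster and runtime with pod user namespaces enabled, and `RuntimeDefault` only applies if the runtime actually ships a default profile.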
This dumb password rule is from Vancity Credit Union.
Personal Access Code (or PAC – they are too ashamed to call it a password), must be between 5 to 8 digits and cannot start with '0'. (no letters or symbols)
https://dumbpasswordrules.com/sites/vancity-credit-union/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Once again, my professional recommendation in response to the latest Linux kernel vulnerability in the news is that you should gather up all your electronic devices, cast them into the sea, and retreat to the woods.
Each night, gather your children and tell them tales of the Before Times when the hubris of humanity grew so large that we made idols of sand and spoke to them as equals. Remind them that the sand, of course, did not speak or think, but we imagined it could, and let it guide us to folly.
Should a stranger ever come to your village with a glowing rectangle, encourage the youth to beat them with sticks.
This dumb password rule is from Best Buy.
You can enter whatever password you like! But you probably don't want to make it too long, because you'll break us and you'll never be able to login again.
https://dumbpasswordrules.com/sites/best-buy/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
One of the other domains I registered as I descended into this rabbit hole was "dev-user.com".
Based on email traffic, owning that domain has been enough to give me admin access to a couple of Wordpress-powered sites, and multiple SaaS apps (particularly, staging/non-prod instances).
All orgs involved have been informed.
So to summarize current state of Plexfiltration:
1. Deleteduser / deleted-user.com: 65 orgs using it
2. internaluser.com: 12 orgs
3. service-account.com: 8 orgs
4. dev-user.com: 6 orgs
This dumb password rule is from IBM.
12-63 characters
One uppercase character
One lowercase character
One number
Sufficiently Strong
Special characters are optional.
Double byte characters are not allowed
https://dumbpasswordrules.com/sites/ibm/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from EllieMae Access.
Must reset password every 6 months and password requirements are not displayed _anywhere_.
Reset uses a Security Question, and you have to choose from a list of 5.
https://dumbpasswordrules.com/sites/elliemae-access/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from A1.net.
- At least 8 and at most 16 characters
- At least 1 digit
- At least 1 uppercase letter
The password must not contain your first name, surname or username.
The allowed special characters are: ! @ # % ^ & * _.
https://dumbpasswordrules.com/sites/a1-net/
#password #passwords #infosec #cybersecurity #dumbpasswordrules