cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from URSSAF (French employers tax collection service).
When setting a new password:
Password must be exactly 8 characters, at least 1 letter, at least 1 number, but no special characters.
https://dumbpasswordrules.com/sites/urssaf-french-employers-tax-collection-service/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Keimyung University.
Okay, doesn't look that hard... But wait, there are hidden rules!
Hidden rules: your password can't have 3 times the same character in a row or more than 2 consecutive numbers.
Also if your password is 20 characters or more you won't be able to write it in the mobile app.
https://dumbpasswordrules.com/sites/keimyung-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I'm an iPhone dunce but my daughter's iPhone started sending weird messages to group texts earlier today. She was busy and not touching her phone at the time.
We checked the text threads in her messages app on the iPhone and they are not there. Multiple people on Android and iPhone devices received those messages, though.
We have reset all of her apple account credentials and logged out all devices and websites. Is there anything else I should be doing?
This dumb password rule is from LepidaID.
Password must:
- be 8 to 16 characters in length
- contain at least 1 upper-case character
- contain at least 1 lower-case character
- contain at least 1 number
- contain at least 1 non-alphanumeric character
- not contain more than 2 of the same consecutive characters
- not contain any public da...
https://dumbpasswordrules.com/sites/lepidaid/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Observation I’ve made in recent times: the push to get AI into every aspect of the business means that more companies are giving engineers who have never been exposed to business systems outside of regular user levels of access (think ms365, slack, google workspace, zendesk etc), api keys with deeper levels of access to data to “see what they can do” by chucking it at the AI.
Sadly, it seems that a lot of the “seeing what they can do” involves hastily thrown together python scripts with said api keys embedded, alongside various chunks of sample data that are things like giant slack exports - which are now being stored in the open on public github repos.
I found one of these cases a few months ago and thought it might be a one-off, but alas, I just found the fifth such example.
This dumb password rule is from Copart.
Copart: "The security of our members is extremely important to us."
Also Copart: "We're gonna need you to keep your password between 5-10 characters."
https://dumbpasswordrules.com/sites/copart/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Trade Me.
Won't allow spaces or single quotes. Maybe other characters as well -
they do not say up front - but the password they accepted contained lots
of other special characters.
https://dumbpasswordrules.com/sites/trade-me/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CGHS.
Can't use any special characters except @ $ # ? _ * &
https://dumbpasswordrules.com/sites/cghs/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from myezyaccess.com patient portal system.
12-character maximum password length. This is not a single website but a patient portal system used by hundreds of medical facilities via subdomains, with password policy apparently being consistent for all sites.
https://dumbpasswordrules.com/sites/myezyaccess-com-patient-portal-system/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BBVA.
Username is your national ID (easy to find) and your password must have up to **6** alphanumeric characters only.
For a bank account with all your money in one of the largest financial institutions in the world.
https://dumbpasswordrules.com/sites/bbva/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Personally I don’t believe that AI will have a sudden, profound impact on companies from the defensive #infosec perspective, since a lot of companies are still considering establishing a committee to evaluate authorizing a project that looks at the cost risk benefit of disabling smbv1.
This dumb password rule is from Pole-Emploi.
Password must contain at least one letter, one number and one character from `&-_@*%=.,;:!?` only.
It rejected passwords generated by pass, while accepting `p@ssw0rd!`...
They also block pasting on the password confirmation field,
forcing you to manually type your 32-letters-long generated passwo...
https://dumbpasswordrules.com/sites/pole-emploi/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Mes Services Étudiant.
At least 6 characters, one uppercase letter, one lowercase letter, one digit
and one "special character".
These do not count as "special characters": `` + - = | @ " ' # ( ) [ ] { } < > / \ ` ;``.
https://dumbpasswordrules.com/sites/mes-services-etudiant/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from South Western Railway.
Certain special characters disallowed, but notably the phrase " or " is disallowed also. They're probably papering over SQL injection vulnerabilities 🤦
https://dumbpasswordrules.com/sites/south-western-railway/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
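Blocking the phrase " or " in a password only makes sense if the password text is being pasted into SQL. The added example below (not South Western Railway's code; the schema, user and password are constructed) shows the standard alternative: the password is hashed and both the insert and the lookup use placeholders, so a password containing " or " and a quote is stored and verified as an opaque value.

```python
"""Added example: a login table that needs no password blocklist because
the password never reaches the SQL text. Constructed users, in-memory SQLite."""
from __future__ import annotations

import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption: demo value, tune for production hardware


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest); a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Placeholders: the driver passes the values separately from the statement,
    # so quotes or the word "or" inside them are just bytes.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    _, candidate = hash_password(password, row[0])
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, row[1])


def demo() -> dict:
    """Constructed scenario: a password containing ' or ' and a single quote."""
    conn = open_db()
    weird = "to be or not to be' or '1'='1"
    register(conn, "alice", weird)
    return {
        "correct": login(conn, "alice", weird),
        "wrong": login(conn, "alice", "to be or not to be"),
        "unknown_user": login(conn, "mallory' or '1'='1", weird),
        "row_count": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

The lookup is by username only; the password is never part of a WHERE clause, which is why no character in it needs to be forbidden.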
This dumb password rule is from American Express.
Sometimes I forget that caps-lock is on, glad it doesn't matter.
https://dumbpasswordrules.com/sites/american-express/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sephora.
Password must be between 6 and 12 characters. No other rules
specified.
https://dumbpasswordrules.com/sites/sephora/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Parnassus Investments.
A site responsible for protecting your investments limiting you to a
four-character range with a bunch of other stupid rules? Shocking.
https://dumbpasswordrules.com/sites/parnassus-investments/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from UniSuper.
Passwords need:
- a lower case letter
- a number
- a capital letter
- at least 8 characters
In the 'Change password' form,
passwords are now restricted to a `maxlength` of 18.
If your current password is longer than 18 characters,
you won't be able to change your password.
When I contacted them...
https://dumbpasswordrules.com/sites/unisuper/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from University of Texas at Austin.
Because of the last two rules, which ban dictionary words and any
variants using symbol substitutions, *neither* of the passwords
presented in the [xkcd comic](https://xkcd.com/936/) are allowed.
https://dumbpasswordrules.com/sites/university-of-texas-at-austin/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Does stumbling upon and reporting security or access control issues while applying for IT jobs help or hurt my cause?
Am I embarrassing them? I do not emit one iota of snark.
I guess I am out here alerting companies to web compromise, phishing portals they have hosted, and easily acquired access to internal "tech bible" & situational client interaction resources.
This dumb password rule is from BMO Bank of Montreal.
Password requires at least one special character but disallows backtick `` ` ``, backslash `\`, vertical bar `|`, and underscore `_`.
https://dumbpasswordrules.com/sites/bmo-bank-of-montreal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Interesting catch by Dark Tower's Gary Warner: the data sample of a supposed new Verizon breach with 61 million records is full of fake data.
Same (new) account is offering "new breach dumps" from multiple other firms claiming hundreds of millions of records.
Not a new thing, but I expect it's much exacerbated by GenAI.
This dumb password rule is from Fidelity National Information Services.
White label online banking provider. Typically appears as `BANK.ibanking-services.com` or `BANK.ebanking-services.com`. If your small local bank has a crappy online banking experience, these guys probably provide it.
`\<>'` and spaces prohibited, upper bound. Passwords of exactly the maximum len...
https://dumbpasswordrules.com/sites/fidelity-national-information-services/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I paid attention to the #InfoSec and #DataPrivacy news over the weekend so you wouldn't have to.
Read, "What'd I Miss? Weekend News Roundup" curated by Sherpa Intelligence: Your Guide Up a Mountain of Information!
https://sherpaintelligence.substack.com/p/whatd-i-miss-june-27-30-2025
Movies should mix in the actual stuff that we have to do in #infosec along with the exciting bits to set expectations accordingly.
“Quick, capture the handshake and spoof the path so you can redirect the flow to sniff the keys, then we can disarm the weapon!”
“Will do, but first I gotta create a custom permission set in Docusign so this guy can create templates but not be an admin.”
I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.
This is because for any sensible configuration of Google Groups when using it for email groups you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode has the same problem of everyone being able to see all the messages.
Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.
Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However that isn't how anyone uses it in my experience...
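The two settings the post above complains about (who can join, who can read the archive) are exactly the ones worth auditing across every group in a Workspace tenant. The following is an added example, not Google's code or the poster's: an offline check over group settings records. The field names and enum values (`whoCanJoin`, `whoCanViewGroup`, `ALL_IN_DOMAIN_CAN_JOIN`, `ALL_IN_DOMAIN_CAN_VIEW`, ...) are those of the Groups Settings API as I know them; the sample groups are constructed.

```python
"""Added example: flag Google Groups whose join or archive-view setting
exposes them to the whole organisation (or the internet). Offline; the
records below are constructed to mirror Groups Settings API responses."""
from __future__ import annotations

# Setting values that let non-members join or read the archive.
RISKY = {
    "whoCanJoin": {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"},
    "whoCanViewGroup": {"ANYONE_CAN_VIEW", "ALL_IN_DOMAIN_CAN_VIEW"},
}

SAMPLE_GROUPS = [  # constructed sample data
    {"email": "directors@example.com",
     "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",      # the "anyone can join" toggle
     "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW"},  # default Public/Team archive visibility
    {"email": "engineering@example.com",
     "whoCanJoin": "INVITED_CAN_JOIN",
     "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW"},
    {"email": "support@example.com",
     "whoCanJoin": "INVITED_CAN_JOIN",
     "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW"},
]


def audit_group(settings: dict) -> list[str]:
    """Return 'field=value' strings for each risky setting on one group."""
    findings = []
    for field, bad_values in RISKY.items():
        value = settings.get(field)
        if value in bad_values:
            findings.append(f"{field}={value}")
    return findings


def audit(groups: list[dict]) -> dict[str, list[str]]:
    """Map group address -> findings, omitting groups with none."""
    result = {}
    for group in groups:
        findings = audit_group(group)
        if findings:
            result[group["email"]] = findings
    return result


if __name__ == "__main__":
    for email, findings in audit(SAMPLE_GROUPS).items():
        print(email, "->", ", ".join(findings))
```

In a real tenant the records would come from the Groups Settings API's `groups.get` for each group address listed by the Directory API; only the two fields above matter for this check.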
This dumb password rule is from Mindware.
You "*may use special characters*", but only some of them - and we won't
necessarily tell you which ones.
https://dumbpasswordrules.com/sites/mindware/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Vietnam Airlines.
`[[:alnum:]]{6,8}`
https://dumbpasswordrules.com/sites/vietnam-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BinckBank.
Between 10 and 16 letters and/or digits. No special characters are allowed.
Must be renewed at least every 180 days, but you can configure it to expire sooner.
When changing the password, the new password cannot be too similar to the existing password.
https://dumbpasswordrules.com/sites/binckbank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Man, this seems really bad.
But at least our government isn’t pulling back on the #cybersecurity we need to protect this information!
Whew!
https://www.npr.org/2025/06/29/nx-s1-5409608/citizenship-trump-privacy-voting-database
That's funny, they didn't even chop it up into a bunch of smaller videos like a lot of platforms do nowadays.
Now that I think of it, the big commonality between physical security and #infosec is the incredibly flawed thinking that a product can GIVE you security.
This dumb password rule is from Cigna.
A max of 12 characters... Can't handle most symbols (only 5 supported). At least they have two factor auth via email or sms **sigh**
https://dumbpasswordrules.com/sites/cigna/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from IHG.
4, yes 4, digits only.
https://dumbpasswordrules.com/sites/ihg/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
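Several of the policies quoted on this page (IHG's 4 digits, BBVA's up to 6 alphanumerics, Vietnam Airlines' `[[:alnum:]]{6,8}`, Sephora's 6 to 12 characters) are easiest to compare by the number of passwords they permit, and the Keimyung "hidden rules" show how composition rules shrink that number further. The block below is an added example, not code from dumbpasswordrules.com or any of the sites named; the alphabet sizes (10 digits, 62 alphanumerics, 95 printable ASCII for Sephora, a minimum length of 1 for BBVA) and the reading of "more than 2 consecutive numbers" as three digits in a row are assumptions.

```python
"""Added example: keyspace size of the quoted length/alphabet policies, a
checker for the Keimyung hidden rules, and a brute-force count of how many
4-digit PINs survive a 'no 3 identical in a row' rule. Alphabet sizes are assumed."""
from __future__ import annotations

import itertools
import math
import re
import string

# (alphabet size, minimum length, maximum length), as quoted in the posts above
POLICIES = {
    "IHG: 4 digits only": (10, 4, 4),
    "BBVA: up to 6 alphanumeric (min length 1 assumed)": (62, 1, 6),
    "Vietnam Airlines: [[:alnum:]]{6,8}": (62, 6, 8),
    "Sephora: 6 to 12 characters (95 printable ASCII assumed)": (95, 6, 12),
}


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Number of distinct strings allowed, summed over every permitted length."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def keyspace_bits(alphabet: int, min_len: int, max_len: int) -> float:
    """Same quantity expressed in bits."""
    return math.log2(keyspace(alphabet, min_len, max_len))


def keimyung_violations(pw: str) -> list[str]:
    """The two hidden rules plus the mobile-app length cap from the Keimyung post."""
    found = []
    if re.search(r"(.)\1\1", pw):
        found.append("same character 3 times in a row")
    if re.search(r"\d{3}", pw):  # assumption: 'consecutive numbers' = digits in a row
        found.append("more than 2 consecutive digits")
    if len(pw) >= 20:
        found.append("20+ characters: cannot be typed into the mobile app")
    return found


def no_triple(pw: str) -> bool:
    """True when a character appears three or more times in a row."""
    return bool(re.search(r"(.)\1\1", pw))


def count_allowed(length: int, alphabet: str, rule) -> int:
    """Brute-force count of fixed-length strings that do NOT trigger `rule`;
    feasible only for small keyspaces such as 4-digit PINs."""
    return sum(1 for t in itertools.product(alphabet, repeat=length)
               if not rule("".join(t)))


def report() -> dict[str, float]:
    """Policy name -> keyspace in bits, rounded to one decimal."""
    return {name: round(keyspace_bits(*p), 1) for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{bits:5.1f} bits  {name}")
    print("4-digit PINs without a triple repeat:",
          count_allowed(4, string.digits, no_triple))
    print(keimyung_violations("correct horse battery staple 2025"))
```

The brute-force count makes the effect of a composition rule concrete on a keyspace small enough to enumerate; for the longer policies the bit figure alone is enough to show how much a length cap costs relative to an uncapped passphrase.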
Microsoft security advisories, posted yesterday, affecting six Chromium-based Edge vulnerabilities.
Microsoft security update guide: https://msrc.microsoft.com/update-guide #Microsoft #cybersecurity #infosec #Chromium