cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Site description
Cablespaghetti's personal snac instance
Admin email
sam@cablespaghetti.dev
Admin account
@sam@cablespaghetti.dev

Search results for tag #infosec

Dumb Password Rules » 🤖 🌐
@dumbpasswordrules@infosec.exchange

This dumb password rule is from Replit.

Forces you to use a minimum of 8 characters in the password and it must contain at least one uppercase.

dumbpasswordrules.com/sites/re

    Dumb Password Rules » 🤖 🌐
    @dumbpasswordrules@infosec.exchange

    This dumb password rule is from Telekom/T-Systems MyWorkplace.

    Telekom's MyWorkplace is a Single Sign On / login hub for their
    Open Telekom Cloud which is basically an Amazon AWS clone. It's
    rather new and especially for business customers. Especially
    because it is for business customers, there's absolutely no reason
    to limit a password to 16 characters. Eve...

    dumbpasswordrules.com/sites/te

      Larvitz » 🌐
      @Larvitz@mastodon.bsd.cafe

      New blog post: GeoIP-Aware Firewalling with PF on FreeBSD

      Running a mail server means constant brute-force attempts. My solution: geographic filtering. SMTP stays open for global mail delivery, but client ports (IMAP, Submission, webmail) are restricted to Central European IP ranges only.

      Result: ~90% reduction in attack logs, cleaner signal-to-noise ratio, smaller attack surface.

      Using MaxMind GeoLite2 + PF tables with ~273k CIDR blocks.

      blog.hofstede.it/geoip-aware-f

        Dumb Password Rules » 🤖 🌐
        @dumbpasswordrules@infosec.exchange

        This dumb password rule is from Green Flag.

        - 8 to 10 characters
        - No special characters

        dumbpasswordrules.com/sites/gr

          Dumb Password Rules » 🤖 🌐
          @dumbpasswordrules@infosec.exchange

          This dumb password rule is from Easybank (Austrian direct bank).

          - At least 8 and at most 16 (!) characters
          - **Must start with 5 digits (do we really want to know what's going on there?)**
          - At least one uppercase and one lowercase letter
          - (Some) special characters are permitted, most are not
          - "Simple" patterns are prohibited
          - PINs are case sensitive (at l...

          dumbpasswordrules.com/sites/ea

            Dumb Password Rules » 🤖 🌐
            @dumbpasswordrules@infosec.exchange

            This dumb password rule is from CENLAR.

            Your password can meet all the requirements in the list and still be invalid due to
            an unspecified rule: any "special characters" that are not listed in the help text
            are not allowed. Worse, it provides no useful feedback other than the "New Password"
            field is red.

            dumbpasswordrules.com/sites/ce

              Dumb Password Rules » 🤖 🌐
              @dumbpasswordrules@infosec.exchange

              This dumb password rule is from M and M Direct.

              - Maximum length of 24 characters
              - Cannot contain special characters, eg. ! # $ " @

              dumbpasswordrules.com/sites/m-

                Dumb Password Rules » 🤖 🌐
                @dumbpasswordrules@infosec.exchange

                This dumb password rule is from La Banque Postale.

                Password must be 6 digits and entered on custom pad.

                dumbpasswordrules.com/sites/la

                  Dumb Password Rules » 🤖 🌐
                  @dumbpasswordrules@infosec.exchange

                  This dumb password rule is from NordVPN.

                  - Password cannot be longer than 48 characters.

                  dumbpasswordrules.com/sites/no

                    Dumb Password Rules » 🤖 🌐
                    @dumbpasswordrules@infosec.exchange

                    This dumb password rule is from Vistara.

                    Password must contain:
                    - 8 to 12 Characters.
                    - At least one lowercase and uppercase letter.
                    - At least one numeric character.
                    - At least one special character (!, @, #, $, %, %, ^, &, +, =).

                    Must not contain space, first or last name.

                    dumbpasswordrules.com/sites/vi

                      Dumb Password Rules » 🤖 🌐
                      @dumbpasswordrules@infosec.exchange

                      This dumb password rule is from PCPartPicker.

                      There are no rules for passwords. Passwords can be any length (including one character)
                      of any complexity. No password change confirmation emails are sent.

                      dumbpasswordrules.com/sites/pc

                        Rocketman boosted

                        Sparrow » 🌐
                        @kstrlworks@techhub.social

                        Been getting asked quite a bit why we're seeing fewer IMEI-based tracking methods, such as stingrays and tower dumps, compared to before, and why there are so many new companies entering this market with arguably less direct answers.

                        TL;DR:
                        Law enforcement has shifted to Advertiser ID tracking because it's asynchronous, and doesn't require warrants.

                        Stingrays and geofence warrants require being at a location to identify targets and establish probable cause on a large set of individuals. Warrants for major gatherings are not easy to obtain. Advertiser IDs allow you to buy someone's entire location history going back months or years from data brokers; there is no probable cause and no judge involved. This is because the data being purchased was not gathered for law enforcement but was considered a business good or OSINT. Carpenter v. US (2018) made warrants mandatory for pulling tower data from carriers.

                        1/2

                          Christoffer S. » 🌐
                          @nopatience@swecyb.com

                          A few companies have, IMHO, managed to stand out a little bit with what content they publish. There's just something about them.

                          @huntress
                          @DomainTools
                          @InfobloxThreatIntel

                          Today it was DT's turn (again) to publish this absolute beast of an article covering the KNOWSEC leak.

                          dti.domaintools.com/the-knowns

                            Jonathan Kamens 86 47 » 🌐
                            @jik@federate.social

                            I'm hiring an Information Security Generalist at 4DMedical. Ref: 4dmedical.bamboohr.com/careers
                            "Generalist" means we're a small team so everyone on the team wears lots of hats.
                            4DMedical is headquartered in Australia, but this is a U.S. remote position. U.S. citizenship is required.
                            4D is small, about 145 people. We're doing great work that helps real people every day, and 4D truly cares about its staff.
                            :boostRequest: Please boost. Help people in the fedi get hired!

                              Mike Sheward » 🌐
                              @SecureOwl@infosec.exchange

                              Check out this SendGrid account phishing message I received today.

                              The email claims that SendGrid will be adding a 'Support ICE' link to every email sent via their platform.

                              Of course 99.99% of orgs would want to opt-out if it were real, so this is an incredible lure to get SendGrid creds.

                              Also, if the bad guys are using opting out of supporting your organization as a lure, you know you done fucked up.

                              Phishing:

                              We're writing to inform you of an important update to our email platform in response to recent events.

                              As part of our commitment to supporting U.S. Immigration and Customs Enforcement (ICE), we will be adding a "Support ICE" donation button to the footer of every email sent through our platform.

                              This button will appear automatically in all outgoing emails starting next week.

                              What This Means for You
                              - All emails sent from your account will include the Support ICE footer element
                              - Recipients can click to donate directly to ICE support programs
                              - This change helps us demonstrate our platform's civic commitment

                              Opt-Out Available
                              If you prefer not to include this footer in your emails, you can disable it in your account settings.


                                Dumb Password Rules » 🤖 🌐
                                @dumbpasswordrules@infosec.exchange

                                This dumb password rule is from Lenovo.

                                Between 8 and 20, not more.

                                dumbpasswordrules.com/sites/le

                                  Dumb Password Rules » 🤖 🌐
                                  @dumbpasswordrules@infosec.exchange

                                  This dumb password rule is from AOK (German Health Insurance).

                                  This is the online customer portal of the German health insurance company AOK. They have an extensive set of rules for both passwords and usernames.
                                  The password rules are:
                                  - Length between 8 and 14 characters
                                  - At least one letter, one number and one special character
                                  - Special characters are: !...

                                  dumbpasswordrules.com/sites/ao

                                    Dumb Password Rules » 🤖 🌐
                                    @dumbpasswordrules@infosec.exchange

                                    This dumb password rule is from Chase Bank.

                                    * Can't use any special characters except ! # $ % + / = @ ~
                                    * Max length restriction (32 characters).
                                    * No runs of identical characters ("aaa") or sequential characters ("abc").
                                    * Password check is case-insensitive

                                    dumbpasswordrules.com/sites/ch

                                      Mike Sheward boosted

                                      Mike Sheward » 🌐
                                      @SecureOwl@infosec.exchange

                                      As I suspected it probably would be, my bug bounty submission of using an AI email summarizer was closed as being 'infeasible' and an 'acceptable risk' with AI.

                                      But still - I think it's an interesting finding, so I have written it up thus: mike-sheward.medium.com/recrui

                                      TL;DR = I discovered how you can use Google Workspace's Google Gemini Email Summarizer to make a phishing attack seem more convincing, because it summarizes hidden content.

                                        Dumb Password Rules » 🤖 🌐
                                        @dumbpasswordrules@infosec.exchange

                                        This dumb password rule is from Securvita BKK.

                                        Your password can not exceed a length of 30 characters. However, they don't tell you this: If you try to set a longer password, they instead shame *you* for not including at least one uppercase letter, one lowercase letter, one digit and one symbol – *even if you did*.

                                        The error message translat...

                                        dumbpasswordrules.com/sites/se

                                          Mark Stosberg » 🌐
                                          @markstos@urbanists.social

                                          As a test, I tried "tailscale funnel" to test sharing a Valhalla service running on port 8002 on my laptop over the internet. The Tailscale part was fast and easy, amazing even.

                                          But as I sat and stared and marveled at my idle service logs, in less than a minute they went crazy with attack traffic looking for all sorts of common vulns.

                                          Less than a minute! Port 8002!

                                          Just best assume anything that's public on any port is immediately and constantly scanned for vulns.

                                            Dumb Password Rules » 🤖 🌐
                                            @dumbpasswordrules@infosec.exchange

                                            This dumb password rule is from Banco Mercantil.

                                            8 to 15 chars. No special chars allowed but requires special chars. Also
                                            requires lowercase, uppercase, and numbers. Consecutive chars are
                                            prohibited. Did I mention the page hangs while you type? That eye icon
                                            tho.

                                            dumbpasswordrules.com/sites/ba

                                              Dumb Password Rules » 🤖 🌐
                                              @dumbpasswordrules@infosec.exchange

                                              This dumb password rule is from Ubisoft.

                                              Only tells you the rules after submitting and clicking a link to a pop
                                              up window.

                                              dumbpasswordrules.com/sites/ub

                                                Dumb Password Rules » 🤖 🌐
                                                @dumbpasswordrules@infosec.exchange

                                                This dumb password rule is from Stuttgart Media University.

                                                Your password has to be between 10 and 14 characters.
                                                Also, you need to have at least one number, one uppercase letter and one lowercase letter.
                                                And at least one of these special characters: ```!.,;+-=#$()[]{}&*```.
                                                But don't use any of these special characters: ```<>|§@€?:%^\"'`°~```.
                                                And don't...

                                                dumbpasswordrules.com/sites/st

                                                  Dumb Password Rules » 🤖 🌐
                                                  @dumbpasswordrules@infosec.exchange

                                                  This dumb password rule is from LibraryThing.

                                                  "Your password cannot be longer than 20 characters"

                                                  dumbpasswordrules.com/sites/li

                                                    alissa boosted

                                                    Eddie. » 🌐
                                                    @infoseclogger@infosec.exchange

                                                    Aight I'm looking ahead to my 2026 con calendar planning. What do people recommend from the greater midwest and just beyond?

                                                    This includes:
                                                    Wisconsin (will be at cyphercon)
                                                    Minnesota
                                                    Illinois (no Blue Team Con)
                                                    Michigan
                                                    Indiana
                                                    Ohio
                                                    Kentucky
                                                    Iowa

                                                    And am willing to drive to:
                                                    eastern North Dakota
                                                    eastern South Dakota
                                                    eastern Missouri
                                                    Memphis area of Tennessee.

                                                    And would cross the border to Winnipeg and Windsor, maybe Toronto if it was appealing enough.

                                                    Hit me!

                                                      Dumb Password Rules » 🤖 🌐
                                                      @dumbpasswordrules@infosec.exchange

                                                      This dumb password rule is from Bank Leumi (Israel).

                                                      - Password consists of 6 to 12 characters
                                                      - Password contains only English letters and numbers without spaces.

                                                      dumbpasswordrules.com/sites/ba

                                                        Dumb Password Rules » 🤖 🌐
                                                        @dumbpasswordrules@infosec.exchange

                                                        This dumb password rule is from IRS.

                                                        Password rules:
                                                        - Between 8 and 32 characters long
                                                        - Must contain at least one numeric and one special character (!@#$%&*)
                                                        - At least one uppercase and at least one lowercase letter

                                                        dumbpasswordrules.com/sites/ir

                                                          Dumb Password Rules » 🤖 🌐
                                                          @dumbpasswordrules@infosec.exchange

                                                          This dumb password rule is from Vivo.

                                                          The password must only contain numbers and the max length is 6.

                                                          dumbpasswordrules.com/sites/vi

                                                            Dumb Password Rules » 🤖 🌐
                                                            @dumbpasswordrules@infosec.exchange

                                                            This dumb password rule is from Lenovo.

                                                            Between 8 and 20, not more.

                                                            dumbpasswordrules.com/sites/le

                                                              Dumb Password Rules » 🤖 🌐
                                                              @dumbpasswordrules@infosec.exchange

                                                              This dumb password rule is from Saturn.

                                                              Passwords need to be between 8 and 15 characters.

                                                              dumbpasswordrules.com/sites/sa

                                                                Dumb Password Rules » 🤖 🌐
                                                                @dumbpasswordrules@infosec.exchange

                                                                This dumb password rule is from Fidelity.

                                                                No more than 20 characters and leave out characters commonly used by
                                                                programmers. We don't want you to hack the mainframe.

                                                                dumbpasswordrules.com/sites/fi

                                                                  Dumb Password Rules » 🤖 🌐
                                                                  @dumbpasswordrules@infosec.exchange

                                                                  This dumb password rule is from PizzaHut.

                                                                  Passwords must be greater than 6 characters, and have an arbitrary set of rules we don't tell you about until after you try to set your password.

                                                                  dumbpasswordrules.com/sites/pi

                                                                    Andreea » 🌐
                                                                    @diemkay@hachyderm.io

                                                                    If you think this is a niche national interest story, think again, because Palantir are spreading their influence all over Europe.

                                                                    Their software is used by ICE to track and deport migrants in the U.S., and in military targeting systems.

                                                                    German civil society organizations are now citing the Swiss findings in their fight against Palantir’s expansion into German police forces.

                                                                    Scrutiny is essential at this stage.

                                                                    When journalists investigate and document *with proof*, the playbook comes out: Deny, obfuscate, claim they’re “misrepresenting” work that they don’t want scrutinized, mobilize the allies on LinkedIn, and bury critics in corporate double-speak.

                                                                    Adrienne Fichter and Marguerite Meyer did excellent work. They deserve our support, not tech bros calling them “luddites” while Palantir rewrites what they actually reported. I *will* repeat their names so they’re not just “some journalists” somewhere.

                                                                    Their investigation speaks for itself. So does Palantir’s response. That tells you everything you need to know about who’s operating in good faith.

                                                                      Dumb Password Rules » 🤖 🌐
                                                                      @dumbpasswordrules@infosec.exchange

                                                                      This dumb password rule is from CenturyLink.

                                                                      So many bad ideas: a low maximum length, requiring six specific character types while not accepting common symbols,
                                                                      plus a weird restriction that makes random generation harder.

                                                                      dumbpasswordrules.com/sites/ce

                                                                        Mike Sheward » 🌐
                                                                        @SecureOwl@infosec.exchange

                                                                        was on a group chat with a bunch of folks last night and we were playing, 'guess the made-up sales term for 2026'.

                                                                        My entry, which I'm quite proud of, was:

                                                                        "The Agentic Perimeter"

                                                                          Akshay » 🌐
                                                                          @Akshay@eupolicy.social

                                                                          Dutch electricity grid operators will buy millions of Chinese “smart meters” because they were cheaper.

                                                                          But is this a bright idea security-wise?

                                                                          And are the EU producers correct that the CN ones were dumped below cost? Is this a good idea for industry policy?

                                                                          nrc.nl/nieuws/2025/12/31/netbe

                                                                            Mike Sheward » 🌐
                                                                            @SecureOwl@infosec.exchange

                                                                            I don't usually post work or business related things on here, as it's my outlet for therapeutic shitposting BUT that said, I was reminded yesterday that 2025 marked the 10th year in business for my little venture, Secure Being, a consultancy focused on issues that impact real people.

                                                                            I originally set it up with two goals - 1) manage book related things, and 2) as I became more leadershippy™️ in my day job, I wanted to have the opportunity to stay hands-on, and still engage in pen-testing and forensics and all the good stuff I love.

                                                                            I don't aggressively advertise the company, it's a word of mouth type thing really, I have a regular core of customers at this point, who keep me busy - but of course, always happy to add new ones.

                                                                            This last year was probably the most fun I've had with it though, I done infosec work for a professional sports arena, a brand new model of jet aircraft and its avionics, and I've had about 6 or so critical findings on various products that have caused me to stop testing, and get immediate fixes in place - as the issues discovered were extremely risky to, not just businesses, but actual human people too - which of course was the main focus.

                                                                            So yeah, here's to another 10 years! And if you are ever in the market for a pentester, forensicator, or anything else really - give us a look!

                                                                            Cheers!

                                                                            securebeing.com/

                                                                              Dumb Password Rules » 🤖 🌐
                                                                              @dumbpasswordrules@infosec.exchange

                                                                              This dumb password rule is from Microsoft (work accounts).

                                                                              What doesn't seem to be a problem for personal accounts, is for work
                                                                              accounts from Microsoft (e.g. Office 365 etc.).

                                                                              Maximum 16 characters. So forget about using your new fancy diceware
                                                                              password here - or really any secure passwords in general.

                                                                              Oh - and besides that, please don't use any "exoti...

                                                                              dumbpasswordrules.com/sites/mi

                                                                                Dumb Password Rules » 🤖 🌐
                                                                                @dumbpasswordrules@infosec.exchange

                                                                                This dumb password rule is from University of Windsor.

                                                                                The password policy applies to alumni as well. Must be at least 10
                                                                                characters long, with at least 1 upper case and 1 lower case
                                                                                character, at least 1 number, at least 1 special character. Password
                                                                                expires every 120 days, and you can't reuse an old one.

                                                                                dumbpasswordrules.com/sites/un
