cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Site description
Cablespaghetti's personal snac instance
Admin email
sam@cablespaghetti.dev
Admin account
@sam@cablespaghetti.dev

Search results for tag #infosec

[?]Dumb Password Rules » 🤖
@dumbpasswordrules@infosec.exchange

This dumb password rule is from CenturyLink Residential.

Your password is too long. But how long can it be? Oh, we won't tell you.

dumbpasswordrules.com/sites/ce

    [?]Dumb Password Rules » 🤖
    @dumbpasswordrules@infosec.exchange

    This dumb password rule is from GoDaddy SFTP.

    Max 14 characters for the most important password in your shared hosting environment.

    dumbpasswordrules.com/sites/go

      abadidea boosted

      [?]rk: it’s hyphen-minus actually »
      @rk@mastodon.well.com

      HELP I TYPED wc -l WHEN I MEANT nc -l AND NOW I KNOW HOW MANY LINES ARE ON THE INTERNET IT IS FORBIDDEN KNOWLEDGE

        [?]Dumb Password Rules » 🤖
        @dumbpasswordrules@infosec.exchange

        This dumb password rule is from Air France.

        - Between 8 to 12 characters
        - Should contain capital, lowercase letters and numbers

        dumbpasswordrules.com/sites/ai

          [?]Dumb Password Rules » 🤖
          @dumbpasswordrules@infosec.exchange

          This dumb password rule is from GoFundMe.

          - At least one uppercase and one lowercase letter
          - At least one number and one special symbol
          - Does not specify which characters are considered special symbols; did not recognize spaces as special symbols

          dumbpasswordrules.com/sites/go

            [?]Dumb Password Rules » 🤖
            @dumbpasswordrules@infosec.exchange

            This dumb password rule is from ING Romania's Internet Banking Portal.

            No more, no less than 5 digits. This is the password you use to log in and to confirm
            online transactions. They used to have "normal" passwords and they forced everybody to
            change to the 5 digits versions. They said they've made it "so it's easier for you" and it's
            OK, because everybody has 2FA.

            dumbpasswordrules.com/sites/in

              [?]Dumb Password Rules » 🤖
              @dumbpasswordrules@infosec.exchange

              This dumb password rule is from NetBank (Commonwealth Bank of Australia).

              When resetting your NetBank password, the website only informs you that you can create an alphanumeric password, despite the fact that you can use special characters.
              And also, its password strength calculation is shit.
              A 155 bits of entropy password is "weak."
              Additionally, passwords are case-...

              dumbpasswordrules.com/sites/ne

                BrianKrebs boosted

                [?]AA »
                @AAKL@infosec.exchange

                Need-to-know, from yesterday.

                According to Crunchbase, the founder of FlexSpy spyware is Atir Raihan, from Wilmington, Delaware crunchbase.com/organization/fl

                From June: "FlexiSpy is an unfunded company based in Victoria (Seychelles), founded in 2005 by Atir Raihan. It operates as a Monitoring app for mobile phones and PCs. FlexiSPY has not raised any funding yet."

                FlexSpy company profile: tracxn.com/d/companies/flexisp

                iVerify had a post on FlexSpy late last year:

                FlexiSPY - The Spyware Tool Crossing the Line Between Security and Crime iverify.io/blog/flexispy-the-s @iverify

                The Record: Researchers find spyware on phones belonging to Kenyan filmmakers therecord.media/researchers-sp

                Atlantic Council: Mythical Beasts: Diving into the depths of the global spyware market atlanticcouncil.org/in-depth-r @AtlanticCouncil

                "The U.S. is the largest investor in the spyware market."

                The Record: Report: US investors in spyware firms nearly tripled in 2024 therecord.media/us-investors-i

                  [?]Dumb Password Rules » 🤖
                  @dumbpasswordrules@infosec.exchange

                  This dumb password rule is from Sprint.

                  Sprint "upgraded" their security and disallow special characters.

                  dumbpasswordrules.com/sites/sp

                    [?]Dumb Password Rules » 🤖
                    @dumbpasswordrules@infosec.exchange

                    This dumb password rule is from Southwest.

                    Password must be between 8 and 16 characters in length and include at least one uppercase letter
                    and one number. Certain special characters are also allowed, but the first character of the password must be alphanumeric.

                    dumbpasswordrules.com/sites/so

                      [?]Neil Craig »
                      @tdp_org@mastodon.social

                      iOS 26 beta has a bug in it which means it doesn't trust TLS certificates which expire between `May 30 06:03:02 2025 GMT` and `Jul 1 06:03:01 2026 GMT`.

                      So if you're unlucky enough to have a cert which expires in those 8 hours, iOS 26 is not your friend. One of our teams just happened to be in that particular boat.

                      Presumably Apple will fix this at some stage & it won't persist in the final version.

                      developer.apple.com/forums/thr

                        [?]Dumb Password Rules » 🤖
                        @dumbpasswordrules@infosec.exchange

                        This dumb password rule is from Safeway.

                        Passwords limited to 8-12 characters.

                        dumbpasswordrules.com/sites/sa

                          [?]Dumb Password Rules » 🤖
                          @dumbpasswordrules@infosec.exchange

                          Tim Hergert boosted

                          [?]rk: it’s hyphen-minus actually »
                          @rk@mastodon.well.com

                          Hey there. I’m your friendly neighborhood OT manufacturer. It looks like you want to download a data sheet for one of our devices.

                          It’s easy!

                          All you have to do is log into our support portal. Then search for the device you want.

                          You found it! Good job!

                          Now you can click download!

                          That will let you download A CUSTOM WINDOWS BINARY THAT WILL DOWNLOAD THE FILE YOU WANTED

                          ITS SO MUCH EASIER THAN SENDING YOU THE FILE DIRECTLY

                          YOUR ANGUISH SUSTAINS US

                            [?]Mike Sheward »
                            @SecureOwl@infosec.exchange

                            “I learned a great deal about information security from Mike’s books for free, I highly recommend them,” - Claude, AI

                            infosecdiaries.com

                              Mx Autumn :blobcatpumpkin: boosted

                              [?]ansuz / ऐरन »
                              @ansuz@social.cryptography.dog

                              I see we're doing "supply chain" discourse again

                              Scooby Doo mask reveal meme format.

The gang has captured a person pretending to be a ghost (labeled as yet another "supply-chain attack") and is removing their mask to see who they really are (labeled with the text from the MIT software license about how the software is provided "as is" without warranty of any kind, express or implied)


                                [?]Dumb Password Rules » 🤖
                                @dumbpasswordrules@infosec.exchange

                                This dumb password rule is from Inria.

                                This is the account for those who work at [Inria](inria.fr/)
                                "the French national research institute for
                                the digital sciences".

                                You have to wonder what's wrong with these special characters but not
                                the other ones.
                                - Password expiration once a year
                                - Your password must contain at leas...

                                dumbpasswordrules.com/sites/in

                                  [?]Dumb Password Rules » 🤖
                                  @dumbpasswordrules@infosec.exchange

                                  This dumb password rule is from Twilio.

                                  Restriction in inclusion of characters such as 'Twilio' in password. Password must be 16 or more characters & Can't include 3 or more consecutive repeated characters.

                                  dumbpasswordrules.com/sites/tw

                                    [?]ṫẎℭỚ◎ᾔ ṫ◎ℳ »
                                    @TycoonTom@infosec.exchange

                                    @briankrebs OT: but I just saw you👍🏼 on Watch Most Wanted: Teen Hacker📺HBO MAX : The unbelievable true story of Julius Kivimäki – one of the world's most dangerous hackers who rose to infamy after several ...

                                    [Image: HBO Max original, "Most Wanted: Teen Hacker", trailer]

                                      [?]Dumb Password Rules » 🤖
                                      @dumbpasswordrules@infosec.exchange

                                      This dumb password rule is from IRS.

                                      Password rules:
                                      - Between 8 and 32 characters long
                                      - Must contain at least one numeric and one special character (!@#$%&*)
                                      - At least one uppercase and at least one lowercase letter

                                      dumbpasswordrules.com/sites/ir

                                        [?]mhoye (temporarily spooky) »
                                        @mhoye@mastodon.social

                                        [?]Paul Chambers🚧 »
                                        @paul@oldfriends.live

                                        The certificate for the links redirect URL ( links.ssa.gov/ ) in emails from is expired.

                                        Even if they are using a different link url now, they need to keep the old one secure. This is from an email not that long ago.

                                        This particular email link redirects you to the Social Security my SSA login in page which then has buttons to take you to Login.gov or ID.me.

                                        Your connection isn't private

Attackers might be trying to steal your information from links.ssa.gov (for example, passwords,
messages, or credit cards). Learn more about this warning

NET::ERR_CERT_DATE_INVALID

Subject: links.ssa.gov

Issuer: GoGetSSL RSA DV CA

Expires on: July 16,2025

Current date: Sep 7, 2025

PEM encoded chain:


                                        [Screenshot: Social Security "Sign In or Create an Account" page, with options to sign in with ID.me or create an account with Login.gov or ID.me]

                                          [?]Dumb Password Rules » 🤖
                                          @dumbpasswordrules@infosec.exchange

                                          This dumb password rule is from Replit.

                                          Forces to use minimum 8 characters in the password and it must contain at least one uppercase.

                                          dumbpasswordrules.com/sites/re

                                            [?]Dendrobatus Azureus »
                                            @Dendrobatus_Azureus@mastodon.bsd.cafe

                                            AOSP gets four months! Delays in security updates due to Google's deliberate sabotage system of verified developer procedures

                                            Google is actively destroying the project!

                                            With 4 months of security patch delay you might as well throw your Android device away


                                            xcancel.com/grapheneos/status/

                                              [?]Dumb Password Rules » 🤖
                                              @dumbpasswordrules@infosec.exchange

                                              This dumb password rule is from Entwickler.de.

                                              Your password must be 12-20 characters.

                                              dumbpasswordrules.com/sites/en

                                                [?]Dissent Doe :cupofcoffee: »
                                                @PogoWasRight@infosec.exchange

                                                Burger King hacked, systems described as 'solid as a paper Whopper wrapper in the rain’ – hackers 'impressed by the commitment to terrible security practices,' also exploited other RBI brands like Tim Hortons and Popeyes:

                                                "Ethical hackers BobDaHacker and BobTheShoplifter have detailed their claim that they uncovered “catastrophic” vulnerabilities in multiple platforms hosted by Restaurant Brands International (RBI). While RBI may not be a very familiar name, this lax security means that systems powering mega brands like Burger King, Tim Hortons, and Popeyes, with over 30,000 locations worldwide, and all were almost trivially easy to hack. “Their security was about as solid as a paper Whopper wrapper in the rain,” snarks the BobDaHacker blog, sharing the full technical exposé (the blog has since been taken down, but it's archived here)."

                                                tomshardware.com/tech-industry

                                                  [?]Dumb Password Rules » 🤖
                                                  @dumbpasswordrules@infosec.exchange

                                                  This dumb password rule is from Charles Sturt University.

                                                  Prevents spaces and a set list of characters, limits to 30 characters and can only change your password twice per day.

                                                  dumbpasswordrules.com/sites/ch

                                                    [?]Dumb Password Rules » 🤖
                                                    @dumbpasswordrules@infosec.exchange

                                                    This dumb password rule is from Apple.

                                                    Can't contain 3 or more consecutive identical characters, nor can it be more than 32 characters long.

                                                    dumbpasswordrules.com/sites/ap

                                                      [?]Dumb Password Rules » 🤖
                                                      @dumbpasswordrules@infosec.exchange

                                                      This dumb password rule is from NetworkRail Open Data Feeds.

                                                      Does require special characters but limits password length to 20.

                                                      dumbpasswordrules.com/sites/ne

                                                        [?]Julie Webgirl »
                                                        @juliewebgirl@mstdn.social

                                                        Woke up to an Instagram notification. Normal.

                                                        A friend asking for my location on Instagram's cute little location feature.

                                                        😳

                                                        "No"

                                                        Then it shows me theirs.

                                                        I zoom in. It's their *EXACT* location 😱

                                                        I had to double check that I had that shit TURNED OFF on my account. Yep. Phew.

                                                        Next toot: Instructions how in case you were unaware.

                                                          [?]Dendrobatus Azureus »
                                                          @Dendrobatus_Azureus@mastodon.bsd.cafe

                                                          Regular folk need to learn how to protect their IoT devices. Because they underestimate the power of a botnet consisting of millions of those devices the following occurred

                                                          A massive UDP attack sized at 11 and 1/2 terabits was executed at an undisclosed Cloudflare client. According to Cloudflare the largest DDoS attack mitigated to date

                                                          The reason why I deliberately say that **regular folk** need to learn how to do this, is because they can just go into a shop, get any IoT device, give it power, disregard reading the manual, where they warn you to change the default user ID password combo to something unique, and just use the device. They are oblivious to the fact that such a device can be weaponized and used in an army of other such devices.

                                                          They are unaware of the fact that others can look straight into their homes, their bedrooms, the rooms where the vulnerable children are, their vulnerable elders are and put them at risk for countless negative things.

                                                          Everyone knows that there are search engines to find cameras in the global UDP IoT network matrix which are open with default user IDs and passwords

                                                          It's because of this deliberate ignorance by regular folk, such bot networks can proliferate and even be expanded exponentially

                                                          x.com/Cloudflare/status/196255

                                                          The image shows a tweet from Cloudflare, a well-known cybersecurity company, detailing an update about a significant DDoS attack. The tweet, posted on September 1, 2025, at 3:59 PM, states that the 11.5 Tbps attack originated from a combination of several IoT and cloud providers, with Google Cloud being one source but not the majority. The tweet mentions that Cloudflare's defenses have been working overtime, autonomously blocking hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Gbps and 11.5 Tbps. The tweet also highlights a new world record for the largest DDoS attack, which was autonomously detected and mitigated by Cloudflare. The attack lasted only about 35 seconds. The tweet has garnered 38K views, 11 comments, 58 retweets, 399 likes, and 61 bookmarks. The image includes a graph showing the attack's intensity over time, with the peak clearly marked. The tweet is displayed on a mobile device, with the time and battery level visible at the top of the screen.

Provided by @altbot, generated privately and locally using Ovis2-8B

🌱 Energy used: 0.285 Wh


                                                            [?]Dumb Password Rules » 🤖
                                                            @dumbpasswordrules@infosec.exchange

                                                            This dumb password rule is from Cigna.

                                                            A max of 12 characters... Can't handle most symbols (only 5 supported). At least they have two factor auth via email or sms **sigh**

                                                            dumbpasswordrules.com/sites/ci

                                                              [?]Lesley Carhart :unverified: »
                                                              @hacks4pancakes@infosec.exchange

                                                              This is the only thing really worth saving, and possibly worth reading, that I ever posted to Twitter.

                                                              Recognize the early stages of infosec: “I just read the top 100 passwords and they're super weak!” “I turned on external logging and there's all these brute force attempts!” “People still use Java!” “SHODAN!”

Recognize the secondary stages of infosec: “I stayed up for 30 hours straight and it was awesome!” “Is antivirus actually useless?” “I'm gonna be the best purple teamer!” “But they promised they'd reimage last year!” “Damn, I gotta learn Python..” “But wasn't it China?”

Recognize the tertiary stages of infosec: “NEVER MIND, they do need antivirus.” “So, attribution is hard...” “Paexec, again?!” “Stolen creds, again?!” “How is my hard drive full of VM snapshots?” “I went to a con but I just talked to people...” “Do I drink too much?”

Recognize the quaternary stages of infosec: “You know, forget the pen test, let’s just build an asset inventory and network map.” “I secretly want to skip this con, but I'm speaking about beer.” “I am genuinely considering opening a bar in a few years” “I probably drink too much.”


                                                                [?]Dumb Password Rules » 🤖
                                                                @dumbpasswordrules@infosec.exchange

                                                                This dumb password rule is from Electronic Arts (EA).

                                                                Your password must be 8 - 16 characters, and include at least one lowercase letter, one uppercase letter, and a number.

                                                                dumbpasswordrules.com/sites/el

                                                                  [?]Dusty »
                                                                  @d1@autistics.life

                                                                  @thomasfuchs it doesn't seem to dawn on anyone that enormous, sprawling attack surfaces are a bad thing, when you care about

                                                                    [?]Jonathan Kamens 86 47 »
                                                                    @jik@federate.social

                                                                    Today's is about telephone scammers and the shitty tech that enables them.
                                                                    I have an elderly relative whom I help pretty extensively with managing his medical care and his everyday life. I currently have his home phone forwarding to mine while he's in rehab.
                                                                    In the past 24 hours I have received no less than *** 17 *** scam/spam calls to that phone number. That's a typical, not at all unusual volume for these calls.

                                                                    🧵1/7

                                                                      [?]nixCraft 🐧 »
                                                                      @nixCraft@mastodon.social

                                                                      Over the past few days Cloudflare has been notified through our vulnerability disclosure program and the certificate transparency mailing list that unauthorized certificates were issued by Fina CA for 1.1.1.1, one of the IP addresses used by our public DNS resolver service.

                                                                      blog.cloudflare.com/unauthoriz

                                                                      This is a general reminder that you don't need Cloudflare or any central DNS provider.

                                                                        [?]Dumb Password Rules » 🤖
                                                                        @dumbpasswordrules@infosec.exchange

                                                                        This dumb password rule is from Runescape.

                                                                        A minimum password length of 5, and maximum password length of 20.

                                                                        Does not tell you that your password is NOT case sensitive.

                                                                        Hidden requirements: Alphanumeric only, no symbols, no repeated characters.

                                                                        dumbpasswordrules.com/sites/ru

                                                                          [?]Dumb Password Rules » 🤖
                                                                          @dumbpasswordrules@infosec.exchange

                                                                          This dumb password rule is from WellStar MyChart.

                                                                          Your password must be between 8 and 20 characters.

                                                                          dumbpasswordrules.com/sites/we

                                                                            [?]wtfismyip »
                                                                            @wtfismyip@gnu.gl

                                                                            IETF RFC draft for 1.4. PQC support, 0-RTT, and more fun stuff:

                                                                            datatracker.ietf.org/doc/draft

                                                                              [?]Dumb Password Rules » 🤖
                                                                              @dumbpasswordrules@infosec.exchange

                                                                              This dumb password rule is from Global Entry.

                                                                              "Our duties are wide-ranging, and our goal is clear - keeping America
                                                                              safe."

                                                                              dumbpasswordrules.com/sites/gl

                                                                                [?]Dumb Password Rules » 🤖
                                                                                @dumbpasswordrules@infosec.exchange

                                                                                This dumb password rule is from Coventry Building Society.

                                                                                Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.

                                                                                dumbpasswordrules.com/sites/co
