cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from Best Buy.
You can enter whatever password you like! But you probably don't want to
make it too long, because you'll break us and you'll never be able to
login again.
https://dumbpasswordrules.com/sites/best-buy/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
My dad just called to ask for his computer's admin password. He fell for yet another fraudulent #Paypal charge #scam and gave the scammer access to his computer. The scammer was stopped by the fact that I've revoked Dad's admin rights for just this reason.
He has fallen repeatedly for this scam and others like it. We keep telling him it's a scam. We keep telling him to call us before calling any number he gets in an email. He keeps falling for it. It's infuriating.
#infosec #elderAbuse
1/2
This dumb password rule is from AmiAmi.
Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.
https://dumbpasswordrules.com/sites/amiami/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from State Bank of India (Foreign Travel Card).
State Bank of India is the largest government operated bank in India.
They offer "travel" prepaid cards for foreign currencies, this is for
their portal for the prepaid card users to manage their account.
Your password must:
- Be between 8 and 9 characters long
- Contain at least 1 lowercase c...
https://dumbpasswordrules.com/sites/state-bank-of-india-foreign-travel-card/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Does anyone have #fediverse or #mastodon stats (preferably from a few different servers) about numbers of bad-faith actors being identified, banned, etc.? I've become pretty interested in this from a methodological point of view. I'm thinking of running some #moderation simulations to explore possibilities in a "calculate some stuff and make some graphs" way. Actually, if someone already did that, I'd be keen to read it.
I'm interested in how to detect "bad eggs," realizing as I think about it that I don't even know all the questions to ask, and this entire line of investigation has some thorny issues I'll need to deal with. I think infosec.exchange might, in some ways, be the perfect server to be on for this, because I am pretty sure that #cybersecurity has huge overlap with this whole domain.
This dumb password rule is from IRS.
Password rules:
- Between 8 and 32 characters long
- Must contain at least one numeric and one special character (!@#$%&*)
- At least one uppercase and at least one lowercase letter
https://dumbpasswordrules.com/sites/irs/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Credit Union Australia (CUA) Health.
Password must be between 7 and 10 characters, contain both an uppercase and a lowercase letter and have at least one number.
https://dumbpasswordrules.com/sites/credit-union-australia-cua-health/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
As LLMs take over the world, a reminder that you can still buy hand crafted, small batch collections of words.
Stand out from the crowd this holiday season with a Mike Sheward InfoSec book - written the old fashioned way - by hand, and fueled by an undying rage that can only exist in someone who uses JIRA.
Available wherever you buy books and also Walmart for some reason.
Learn more at https://infosecdiaries.com.
#infosec #books #cybersecurity #dfir #pentesting #blueteam #redteam
Chrome now wants to store and autofill your driver’s license and other ID info.
From a cybersecurity perspective, that is a hard no from me. Info-stealer malware already targets browser autofill, and you cannot rotate a driver’s license number like a password. Putting high value IDs in the most targeted consumer app on the planet is a bad trade for a little convenience.
I wrote up why this feature is such a risky idea and what I recommend instead:
🔗 https://www.kylereddoch.me/blog/chromes-new-drivers-license-autofill-is-a-terrible-idea/
They say "no sensitive information" was compromised, after a data breach involving real names, email addresses, phone numbers, and physical addresses.
That's some serious bullshit right there.
That is, in fact, "sensitive information," you idiots.
#infosec #privacy #DoorDash #breach
DoorDash confirms data breach impacting users’ phone numbers and physical addresses | TechCrunch
https://techcrunch.com/2025/11/17/doordash-confirms-data-breach-impacting-users-phone-numbers-and-physical-addresses/
This dumb password rule is from PizzaHut.
Passwords must be greater than 6 characters, and have an arbitrary set of rules we don't tell you about until after you try to set your password.
https://dumbpasswordrules.com/sites/pizzahut/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Anyone know of a good curated list of JA3 fingerprints of known shitty bots? (Think: Alibaba, Tencent, AI slop, etc)
The only two I could find are:
f79b6bad2ad0641e1921aef10262856b
5cc600468c246704e1699c12f51eb3ab
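For readers who want to check their own traffic against such a list, the following is an added example (not code from the post or from any JA3 project): it parses the fields JA3 uses out of a raw TLS ClientHello, drops GREASE values as JA3 does, builds the JA3 string, MD5s it and looks the result up in a blocklist. The ClientHello bytes are constructed fixtures, not captured traffic, and the blocklist labels for the two hashes quoted above are placeholders; only the third entry is derived from the constructed fixture.

```python
"""JA3 fingerprinting of a TLS ClientHello and lookup against a blocklist (added example)."""
import hashlib
import struct


def u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 leaves them out."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A


def parse_client_hello(record: bytes) -> dict:
    """Pull the five JA3 inputs out of a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, pos = u16(body, 0), 2
    pos += 32                     # client random
    pos += 1 + body[pos]          # legacy session id
    cs_len = u16(body, pos)
    pos += 2
    ciphers = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]          # compression methods
    extensions, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = u16(body, pos), u16(body, pos + 2)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 10:       # supported_groups / elliptic curves
                groups = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
            elif etype == 11:     # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats}


def ja3_string(h: dict) -> str:
    """'Version,Ciphers,Extensions,Curves,PointFormats', decimal, '-' separated, GREASE removed."""
    field = lambda xs: "-".join(str(x) for x in xs if not is_grease(x))
    return ",".join([str(h["version"]), field(h["ciphers"]), field(h["extensions"]),
                     field(h["groups"]), field(h["formats"])])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


# --- constructed fixtures (not captured traffic) ---------------------------------
def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sni_ext(host: str):
    n = host.encode()
    return 0, struct.pack("!H", len(n) + 3) + b"\x00" + struct.pack("!H", len(n)) + n


def groups_ext(groups: list):
    return 10, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)


def formats_ext(fmts: list):
    return 11, bytes([len(fmts)]) + bytes(fmts)


# Browser-like hello with GREASE in the cipher, extension and group lists.
BROWSER_HELLO = build_client_hello(
    0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    [(0x2A2A, b""), sni_ext("example.com"), groups_ext([0x0A0A, 29, 23, 24]), formats_ext([0])])
# Scraper-like hello: TLS 1.0 version field, three old ciphers, no extensions at all.
BOT_HELLO = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A], [])

BLOCKLIST = {
    "f79b6bad2ad0641e1921aef10262856b": "listed-in-post (label unknown)",
    "5cc600468c246704e1699c12f51eb3ab": "listed-in-post (label unknown)",
    ja3_hash(BOT_HELLO): "constructed-scraper",   # demo entry derived from the fixture above
}


def lookup(record: bytes):
    """Return the blocklist label for the record's JA3 hash, or None if unknown."""
    return BLOCKLIST.get(ja3_hash(record))
```

Two caveats before relying on this: JA3 keeps extensions in wire order, and Chrome has shuffled its extension order per connection since early 2023, so one browser now yields many JA3 hashes (JA4 sorts the lists for that reason); and a bot using a stock browser TLS stack will fingerprint like that browser, so JA3 is a signal to combine with others, not a verdict.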
This dumb password rule is from CenturyLink Residential.
Your password is too long. But how long can it be? Oh, we won't tell you.
https://dumbpasswordrules.com/sites/centurylink-residential/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Rogers.
I can only use 4 special characters?
Password guidelines
- Your password should be between 8-20 characters and have at least one number and one letter.
- The following special characters are allowed: ! @ # $
https://dumbpasswordrules.com/sites/rogers/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Suncorp.
To "improve security" and "be password savvy", passwords must:
- be six to eight characters long
- Contain both numbers and letters
- Include upper and lowercase letters
https://dumbpasswordrules.com/sites/suncorp/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I have to admit, I see the domain hackerone dot com and in my head it rhymes with macaroni dot com.
#hackerone #hacker #infosec
This dumb password rule is from Craigslist.
No minimum character limit meaning you can go as low as 5 characters for a password
https://dumbpasswordrules.com/sites/craigslist/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Admiral.
Restrict the inclusion of a % character.
https://dumbpasswordrules.com/sites/admiral/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CENLAR.
Your password can meet all the requirements in the list and still be invalid due to
an unspecified rule: any "special characters" that are not listed in the help text
are not allowed. Worse, it provides no useful feedback other than the "New Password"
field is red.
https://dumbpasswordrules.com/sites/cenlar/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Capital One.
- May only use the following characters: Aa-Zz 0-9 - _ . / \\ @ $ * & ! #
- No spaces
https://dumbpasswordrules.com/sites/capital-one/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Under the hood quiet progress to keep your machine secure:
"Fedora Linux 43 will be the first release with RPM 6.0. Like I said, this should go unnoticed to end-users, but it is a significant change. RPM 6.0 provides some interesting security enhancements, like multiple key signing of packages. This should help future-proof package signing as we transition to post-quantum-crypto OpenPGP keys in future releases."
> "This raises an important question: if AI models can be misused for cyberattacks at this scale, why continue to develop and release them? The answer is that the very abilities that allow Claude to be used in these attacks also make it crucial for cyber defense."
Guys, we need to use #AI to defend ourselves against AI!
What could go wrong?
This dumb password rule is from Synchrony Financial.
Financial services - where we don't allow you to create the strongest
password possible.
https://dumbpasswordrules.com/sites/synchrony-financial/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
> Multi-factor authentication (MFA) remains essential even if credentials are compromised, an attacker without access to the secondary authentication method cannot penetrate the account.
MFA didn't do a damn thing to save my mom from being phished a few weeks ago. Unsuspecting victims of phishing schemes like these will enter their MFA code along with their password, et voila, they are owned.
A solution to this problem is sorely needed, and MFA is not it.
Most people don't have a tech-savvy concierge standing next to them every time they use a computer or phone.
People need to be able to look after their own security.
And even if that could be done, it wouldn't work. I'm computer- and security-literate and even I could be fooled by some of these phishing schemes.
The real solution is credentials that are impossible to phish, i.e. asymmetric keys.
This incident was especially egregious as it was my mom's bank account that was phished.
Banks are the one kind of business that already gives all of its customers a hardware authentication token (a debit card).
I see no good reason why these cards shouldn't also have a USB connector on them, and a corresponding FOSS PKCS#11 driver for Windows/macOS/Linux/etc, to use for authenticating to the bank's website. Browsers already support this right now!
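To make the difference between the two flows concrete, here is an added simulation (not code from the post, the bank, or any WebAuthn library) of a relaying phishing page against both: a password plus TOTP code typed into the attacker's page is replayed to the real bank and passes, while an Ed25519-signed challenge that includes the origin the browser actually saw is rejected whether the attacker relays it unchanged or rewrites the origin. Hostnames, the password and the key handling are assumptions for the demo; the TOTP routine follows RFC 6238/4226 and requires the `cryptography` package for the key pair.

```python
"""Relayed TOTP passes; an origin-bound signed challenge does not (added simulation)."""
import hashlib
import hmac
import secrets
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

BANK_ORIGIN = "https://bank.example"          # assumed real site
PHISH_ORIGIN = "https://bank-login.example"   # assumed lookalike run by the attacker
PASSWORD = "correct horse battery staple"     # assumed victim password


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time step, RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class OtpBank:
    """Password + TOTP. The server only learns that someone typed the right code."""
    def __init__(self):
        self.secret = secrets.token_bytes(20)    # same secret sits in the victim's authenticator app

    def login(self, password: str, code: str, now: int) -> bool:
        return password == PASSWORD and hmac.compare_digest(code, totp(self.secret, now))


def phish_otp(now: int) -> bool:
    """Victim types password and current code into the phishing page; attacker replays both."""
    bank = OtpBank()
    stolen_password, stolen_code = PASSWORD, totp(bank.secret, now)
    return bank.login(stolen_password, stolen_code, now)     # True: relay succeeds


class Authenticator:
    """Private key never leaves the device; it signs the challenge plus the browser-reported origin."""
    def __init__(self):
        self._key = Ed25519PrivateKey.generate()
        self.public_key = self._key.public_key()

    def assert_login(self, challenge: bytes, origin_seen_by_browser: str):
        # The user cannot override the origin: the browser fills it in from the page it is on.
        return origin_seen_by_browser, self._key.sign(challenge + b"|" + origin_seen_by_browser.encode())


class KeyBank:
    """Checks the signature over (challenge, origin) with the enrolled public key, then the origin."""
    def __init__(self, public_key):
        self.public_key = public_key
        self.issued = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.issued.add(c)
        return c

    def login(self, challenge: bytes, origin: str, signature: bytes) -> bool:
        if challenge not in self.issued:
            return False
        self.issued.discard(challenge)                       # single use, so no replay
        try:
            self.public_key.verify(signature, challenge + b"|" + origin.encode())
        except InvalidSignature:
            return False
        return origin == BANK_ORIGIN                         # the signed origin must be ours


def legit_key_login() -> bool:
    auth = Authenticator()
    bank = KeyBank(auth.public_key)
    c = bank.challenge()
    origin, sig = auth.assert_login(c, BANK_ORIGIN)
    return bank.login(c, origin, sig)                        # True


def phish_key_login() -> tuple:
    """Attacker fetches a real challenge, shows it to the victim on the phishing origin."""
    auth = Authenticator()
    bank = KeyBank(auth.public_key)
    c1 = bank.challenge()
    origin, sig = auth.assert_login(c1, PHISH_ORIGIN)
    relayed = bank.login(c1, origin, sig)                    # signed origin is the lookalike: rejected
    c2 = bank.challenge()
    _, sig2 = auth.assert_login(c2, PHISH_ORIGIN)
    tampered = bank.login(c2, BANK_ORIGIN, sig2)             # rewriting the origin breaks the signature
    return relayed, tampered                                 # (False, False)
```

In WebAuthn the same binding comes from the origin in clientDataJSON and the RP ID hash in authenticatorData, both covered by the signature, and the browser refuses to exercise a credential registered to bank.example from bank-login.example in the first place, so the attacker never gets a signature to relay.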
Mini Pen Test Diaries story:
One time I was testing a finance app that you could link with a bank account to add funds.
Pretty standard workflow, you added the bank account details, it made two micro deposits in the account, and you had to confirm the amounts of those deposits to verify you had access to the account.
Only issue was, when you signed up for the free trial of the app, it gave you 'business' level access/features, which included a transaction audit log.
And yep, those verification transactions were included in said audit log, so you could just grab the deposit values from there, and with that info, you could of course verify any bank account...uh oh.
Read more fun, less mini stories like this at https://infosecdiaries.com
This dumb password rule is from Bank Leumi (Israel).
- Password consists of 6 to 12 characters
- Password contains only english letters and numbers without spaces.
https://dumbpasswordrules.com/sites/bank-leumi-israel/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Yeah, my mom almost got duped by one of these full-screen phishing sites.
It even somehow disabled the Esc key! I told her to try a bunch of keyboard shortcuts to escape from it. Command+W (it's a Mac) finally worked.
Memorizing that shortcut should NOT have been necessary!!!
#Browser full-screen APIs should still show a bit of browser chrome at the top of the screen so you know you're looking at, and have a way to escape from, a full-screen web page.
The day wouldn't be complete without this. Just ... don't kick out the loonies over here.
Tech Crunch: Elon Musk’s X botched its security key switchover, locking users out https://techcrunch.com/2025/11/12/elon-musks-x-botched-its-security-key-switchover-locking-users-out/ @TechCrunch @zackwhittaker #infosec #Musk
This dumb password rule is from Sampath Bank.
So many rules!
https://dumbpasswordrules.com/sites/sampath-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Wanna watch something horribly boring with me in it? You get another chance tomorrow! The 59th IANA KSK (key signing key) ceremony is tomorrow, and it will hopefully be the least eventful yet. I say that because I will be the ceremony administrator, and the fewer events (we call them "exceptions") that happen, the better. Live streaming on YouTube starts around 1PM US East Coast time.
https://www.youtube.com/watch?v=NJBRtOyiq40
If you're wondering why IANA has such boring ceremonies four times a year, the short answer is to increase the trust in DNSSEC. The KSK for the root zone is the source of all cryptographic trust in the DNS, and there are two ways to do that:
1) Keep the process very secret so no one knows how to attack it
2) Make the process extremely transparent so that everyone can see how well the key is maintained
IANA chose #2, which has the happy side-effect that the entire Internet #infosec / security community can comment on the procedure, which helps IANA keep improving it. The side-effect of those improvements is that lots of people use the IANA scripts as a basis for their own scripts for using their own HSMs (hardware security modules). For example, I have heard from bankers that they watch the ceremonies for tips on how they should run their (much more private) ceremonies for their keys.
Anyhow, if you want to tune in, you can watch and marvel how uninteresting it is. You can even see the script we're working from:
https://www.iana.org/dnssec/ceremonies/59
Because I'm the ceremony administrator, you'll see me a lot more than anyone else, but there will be many people in the room with many important roles (witnesses, auditors, support, ...). The whole thing is expected to take about 4.5 hours this time; sometimes it goes much longer.
This dumb password rule is from Microsoft (e company store).
Max of 16 characters, oh and please don't use any characters we don't know how to escape properly.
Also if it starts with ? you may break our wonderful website. Watch out with your password generator.
Duplicated characters are far too insecure to allow here.
https://dumbpasswordrules.com/sites/microsoft-e-company-store/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I really need to update the #Scrapers #Blocklist more often...
Given that they retroactively added this, this means they're actively fighting against automated means to stop their ingestion aka. #DDoS'ing of sites!
#AIslop #AI #Enshittification #ITsec #InfoSec #OpSec #ComSec
This dumb password rule is from Mobi Bike Share.
Your PIN (which is the password you use to login, which lets you, say, buy hundreds of dollars worth of bike-share subscriptions off the saved credit card) must be four numeric digits. Helpfully, they even give you an example of a PIN: *1234*.
https://dumbpasswordrules.com/sites/mobi-bike-share/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from myRTA.
The Roads and Traffic Authority's 'Online Services' website for New South Wales, Australia.
Password rules:
- Must be between 6 and *10* characters long
- Must be a combination of letters and numbers
- Cannot be the same as any of the previous two passwords, including the current password
- Is ca...
https://dumbpasswordrules.com/sites/myrta/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Nothing like marketing a product 'free' from the OPM #breach years ago. That kind of breach is going to haunt me for a lifetime, but the same people who lost my data decided 10 years of open-sourced commercialized OSINT should cover it 🥴 It took multiple FOIA requests before they even sent me a 70% redacted version of the data they lost 🤦♂️
I feel bad for the folks who don't work in #infosec or just don't have the knowledge to protect themselves from the gross negligence of OPM, other government agencies, and NGO conglomerates.
Some free resources to help keep your accounts secure, and learn more:
* https://haveibeenpwned.com - @haveibeenpwned
* NBTV Newsletters, videos, book - https://www.nbtv.media
And lastly, advice:
Use a password safe (I go with @bitwarden), hide your actual e-mail address as much as possible (integrated in most password safes even!). You can store OTP and passkeys if you don't have or want a FIDO key - 2FA everything that you can, and nag services you have to use who don't offer it by now (phone and SMS don't count as 2FA).
Use encrypted mailboxes that the provider can't normally see, as the data is encrypted on their end, such as @protonprivacy or @Tutanota.
This dumb password rule is from USAA Bank.
Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.
https://dumbpasswordrules.com/sites/usaa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Trenord.
- Password must consist of 8-16 characters
- Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.
https://dumbpasswordrules.com/sites/trenord/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Easyjet.
No more than 20 characters, use any symbols you like... Oh except #, &, +, or space of course.
https://dumbpasswordrules.com/sites/easyjet/
#password #passwords #infosec #cybersecurity #dumbpasswordrules