cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from PizzaHut.
Passwords must be greater than 6 characters, and have an arbitrary set of rules we don't tell you about until after you try to set your password.
https://dumbpasswordrules.com/sites/pizzahut/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
What you can do:
1. Read the original investigation. Judge for yourself:
📄 https://www.republik.ch/2025/12/09/warum-palantir-zum-risiko-fuer-die-schweiz-wird
2. Support investigative journalism. These reporters aren’t getting rich doing this work. They’re doing it because someone needs to document what powerful companies don’t want documented. A year spent in FOIA requests is not nothing.
3. *Do* pay attention to the LinkedIn drama
The tactic of replying to critical journalism where the general public won’t see is deliberate. They’re trying to discredit journalists among decision-makers and industry insiders. Make this stuff visible if you can.
4. Make your politicians answer questions about government contracts. If the Swiss said no NINE times after careful evaluation, why did the UK say yes? Who benefits from these deals? This matters for #DataSovereignty and national security.
Support #InvestigativeJournalism. These journalists are fighting battles most of us will never see.
Thanks for reading.
This dumb password rule is from CenturyLink.
So many bad ideas: a low maximum length, requiring six specific character types while not accepting common symbols,
plus a weird restriction that makes random generation harder.
https://dumbpasswordrules.com/sites/centurylink/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Microsoft (work accounts).
What doesn't seem to be a problem for personal accounts, is for work
accounts from Microsoft (e.g. Office 365 etc.).
Maximum 16 characters. So forget about using your new fancy diceware
password here - or really any secure passwords in general.
Oh - and besides that, please don't use any "exoti...
https://dumbpasswordrules.com/sites/microsoft-work-accounts/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from University of Windsor.
The password policy applies to alumni as well. Must be at least 10
characters long, with at least 1 upper case and 1 lower case
character, at least 1 number, at least 1 special character. Password
expires every 120 days, and you can't reuse an old one.
https://dumbpasswordrules.com/sites/university-of-windsor/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Commsec.
Another financial institution with short password requirements. They also block pasting into the field, making it a pain to use a password manager.
https://dumbpasswordrules.com/sites/commsec/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Ancestry.
Password:
- Must be at least 8 characters long
- Must contain at least 1 number
- Must contain at least 1 letter or special character
- Must not be a well known or common password
https://dumbpasswordrules.com/sites/ancestry/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Standard Chartered Bank.
- Between 8 to 16 characters
- Only letters and/or numbers
https://dumbpasswordrules.com/sites/standard-chartered-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Encryption is never far from the political crosshairs.
Now more than ever, we need to stand our ground to combat attempts to break encryption for surveillance.
Because privacy is our defence against hackers and predators.
Become an ORG member today ⬇️
https://www.openrightsgroup.org/join/
#ORG2025 #digitalrights #e2ee #encryption #privacy #cybersecurity #ukpolitics #ukpol
Lurking in the UK Online Safety Act is the spy clause that could make encrypted message apps scan our private chats.
This would shatter our right to privacy and create vulnerabilities that anyone could exploit.
That's why we launched #PracticeSafeText ⬇️
https://www.openrightsgroup.org/blog/the-case-for-encryption/
#ORG2025 #digitalrights #e2ee #encryption #privacy #cybersecurity #ukpolitics #ukpol
When the UK government tried to force Apple to give them backdoor access to encrypted products, we stepped in.
We ensured that at least some of the appeal would be heard in public, recognising the huge global implications for secure communication.
Read more ⬇️
#ORG2025 #digitalrights #e2ee #encryption #Apple #privacy #cybersecurity #ukpolitics #ukpol
2025 has seen sneaky attempts to break encryption. ORG was there to fight back 🔒
We resisted the UK government's attempt to force a backdoor into Apple encryption. We’ll keep fighting until the dangerous powers that remain on the books are gone.
Find out more ➡️ https://www.openrightsgroup.org/campaign/save-encryption/
#ORG2025 #digitalrights #e2ee #encryption #Apple #privacy #cybersecurity #ukpolitics #ukpol
This dumb password rule is from El Corte Ingles.
Min 6 and max 8 characters for password! Can't contain anything
different than letters and numbers. Apart, the email address must have
at least 8 characters (sorry million dollar domain owners! :D)
https://dumbpasswordrules.com/sites/el-corte-ingles/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sparkasse.
„Sparkasse“ is a group of banks which is pretty popular in Germany. It
calls its passwords „PIN“ („persönliche Identifikations-Nummer“ —
personal identification number), the rules are pretty horrific and it's
not even a number, even though it is called as such! Here is a
screenshot from the branch...
https://dumbpasswordrules.com/sites/sparkasse/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Coventry Building Society.
Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.
https://dumbpasswordrules.com/sites/coventry-building-society/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Alibaba.
- At least 2 uppercase letters
- Plus 2 lowercase letters
- Plus 2 numbers
- Plus 2 punctuation marks
Phew, too many rules, because why not, if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU),
then password rules can be equally intelligent too.
Also, ...
https://dumbpasswordrules.com/sites/alibaba/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Vivo.
The password must only contain numbers and the max length is 6.
https://dumbpasswordrules.com/sites/vivo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Craigslist.
No minimum character limit meaning you can go as low as 5 characters for a password
https://dumbpasswordrules.com/sites/craigslist/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Kryterion Webassessor.
I was quite surprised to see this when I was registering for my Google Professional Cloud **Security** Engineer certification. Nice part is that they **don't allow quotes** as a special character, so I assume there possibly might be some other issues on their backends. :-)
https://dumbpasswordrules.com/sites/kryterion-webassessor/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Nevada DMV.
- Password length must be exactly 8 characters in length
- Password must contain at least one letter (any position)
- Password must contain at least one number (any position)
- Password must contain one of the following special characters: @ # $
- Password is not case sensitive
https://dumbpasswordrules.com/sites/nevada-dmv/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Interactive Brokers.
Usual dumb password restrictions, but this one has incredibly dumb **username**
restrictions too:
**Username:**
- **Length of 8 or 9 letters and numbers**
- **Contain at least 3 letters and 3 numbers**
- Begin with a letter
- Lower case only, no spaces, no special characters
**Password:**
- Can...
https://dumbpasswordrules.com/sites/interactive-brokers/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from USAA Bank.
Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.
https://dumbpasswordrules.com/sites/usaa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from NBA Store.
- Password cannot be longer than 20 characters
https://dumbpasswordrules.com/sites/nba-store/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sharekhan.
- At least 8 characters.
- At most 12 characters.
https://dumbpasswordrules.com/sites/sharekhan/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from PayPal.
Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol...
The rule limits special characters to !@#$%^&*(). but my current password has a "-" in it so someone decided to restrict this further which is totally backwards. Things are meant to get better not worse!
https://dumbpasswordrules.com/sites/paypal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Mobility.
The username is the customer number, which is sequential and cannot be changed, currently 7 digits long for new customers.
The password has to be exactly 6 digits long, only numbers allowed.
https://dumbpasswordrules.com/sites/mobility/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Defguard v1.6.0 released -
Scale WireGuard Enterprise VPN.
🖥️ Windows Pre-logon & Always-on WireGuard with Service Locations
🚀 Zero-touch Enrollment & Provisioning – MSI, macOS App Store, and file-based tokens.
⚙️ Enterprise-ready clients - WireGuardNT on Windows & native Swift on macOS
🌐 Improved network reliability – Manual MTU configuration for LTE/5G.
Release notes & details: https://defguard.net/blog/defguard-16-release-notes/
#WireGuard #VPN #SelfHosted #ZeroTrust #CyberSecurity #EnterpriseIT
This dumb password rule is from Easybank (Austrian direct bank).
- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at l...
https://dumbpasswordrules.com/sites/easybank-austrian-direct-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Netflix.
[The help page](https://help.netflix.com/de/node/54078)
and the [password reset page](https://www.netflix.com/password) say:
Your password must be between 4 and 60 characters long and must not contain a tilde (~).
https://dumbpasswordrules.com/sites/netflix/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🆕 blog! “Book Review: Code, Chips and Control - The Security Posture of Digital Isolation by Sal Kimmich”
My friend Sal has written a book! I was lucky enough to get early access to it.
Code, Chips and Control is an in depth look at cyber security. And I do mean in depth - this literally starts at the silicon…
👀 Read more: https://shkspr.mobi/blog/2025/12/book-review-code-chips-and-control-the-security-posture-of-digital-isolation-by-sal-kimmich/
⸻
#BookReview #CyberSecurity
This dumb password rule is from Mindware.
You "*may use special characters*", but only some of them - and we won't
necessarily tell you which ones.
https://dumbpasswordrules.com/sites/mindware/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
More bad behavior with serious adverse repercussions — for the nation and longtime, dedicated CISA staff. But don't worry — high level administration staffers are there to pass the blame and throw others under the bus. 😕
https://www.politico.com/news/2025/12/21/cisa-acting-director-madhu-gottumukkala-polygraph-investigation-00701996
#CISA #cybersecurity
This dumb password rule is from Telcel.
- The username is the cell phone number (easy to get)
- The company creates a password between 8 and 12 characters for you
- Password must contain at least 1 capital letter and no special characters
https://dumbpasswordrules.com/sites/telcel/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Inpost.
Allows between 8 to 16 characters. Password is being used to log in and view packages sent to you, or for shipping packages.
https://dumbpasswordrules.com/sites/inpost/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
RE: https://mas.to/@statsguy/115728441112466728
I've had a similar scam email today, telling me my vehicle tax is due to be renewed today, and now the "Update" link goes to what is very obviously a scammer's website.
I now wonder if the purpose of the previous email was just to prime me to think that my vehicle tax was due soon and the whole thing is connected?
This dumb password rule is from Wells Fargo.
Your password must be between 8-32 characters long and inexplicably doesn't accept `-` but does seemingly accept other special characters.
https://dumbpasswordrules.com/sites/wells-fargo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from GoFundMe.
- At least one uppercase and one lowercase letter
- At least one number and one special symbol
- Does not specify which characters are considered special symbols; did not recognize spaces as special symbols
https://dumbpasswordrules.com/sites/gofundme/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from TwinSpires.
You can gamble on our site. We'll keep your money secure with a 12 character password!
https://dumbpasswordrules.com/sites/twinspires/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Who's got the latest? I dunno. I think Joe edited it last. Here's the version he emailed me last week. Ask what he's got.
They've got a book of loans like this. Hundreds of millions of pounds, and a few folks keeping track with ad hoc valuations and a spreadsheet they email around.
Naturally, the SEC urged them to do this with a system.
So they made the code freeze and got the thing deployed with no authorization.
The sad thing is, my contract there ended shortly after that, so I really couldn't tell you how it all played out. Did they add authorization in January? June? next December? I dunno. I'm sure they did eventually.
#cybersecurity #finserv #fintech
4/fin
This season reminds me of a time when I was doing #cybersecurity for a financial firm in London. The firm goes into "code freeze" in the first or second week of December until January to minimize the possibility of problems during the holidays.
I was doing #security architecture analysis on an important system. Basically the US SEC had demanded they start using a purpose-built system to track certain numbers (I'll explain in a reply to this) instead of just emailing spreadsheets around. So they had basically built a system that was a spreadsheet in a website. They had one year to comply. This system had not yet launched. If it didn't go live in this last possible week, they'd have to explain to the SEC how, 12 months on, they had failed to deploy anything at all in response to the requirement. (I'm sure I'm being imprecise here, that's the gist of it)
1/