cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from Trenord.
- Password must consist of 8-16 characters
- Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.
https://dumbpasswordrules.com/sites/trenord/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Easyjet.
No more than 20 characters, use any symbols you like... Oh except #, &, +, or space of course.
https://dumbpasswordrules.com/sites/easyjet/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.
Malicious NuGet packages drop disruptive 'time bombs' https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bombs/
This dumb password rule is from NVV (Nordhessische VerkehrsVerbund).
Password length must be 4 to 10 characters with only a few special characters allowed.
https://dumbpasswordrules.com/sites/nvv-nordhessische-verkehrsverbund/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Very.co.uk.
Password field allows *only* the listed Special Characters ($ . , ! % ^ *).
You're also forced to use both upper, and lower letters, as well as a number.
https://dumbpasswordrules.com/sites/very-co-uk/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
tfw you can't get the verification code sent by your health insurance company to your email because the IP address it's coming from is listed in Spamhaus AND the email they're sending violates their enforcing DMARC policy. *sigh*
#infosec #DMARC #Spamhaus #SysAdmin #EmailAdmin #healthInsurance
This dumb password rule is from Whitcoulls.
Your password must:
- be between 7 and 15 characters
- contain a capital letter
- have no spaces (shown only when you go to change it)
https://dumbpasswordrules.com/sites/whitcoulls/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Question to all of the infosec people: At work, one of our major internal services shut down HTTP access and blocked port 80. This screwed up reproducibility, as we are legally obligated to keep artifacts and reproducible builds for a long time. And some of that scripting still contained HTTP URLs.
My question: Is there a security issue with configuring a HTTP -> HTTPS redirect, instead of just disabling HTTP and blocking port 80?
1/2
This dumb password rule is from MKB NetBankár.
It only accepts lowercase letters, uppercase letters and numbers (any
other character counts as forbidden character).
Also, if your password contains any invalid character, it will get
marked as "Identical to the former 10 passwords".
To make it more fun, during the registration, it allows to se...
https://dumbpasswordrules.com/sites/mkb-netbankar/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Others have already shared this, but I want to share it separately. #AI is not creating undetectable, advanced #malware. It’s just not happening.
Thanks to @dangoodin for a great article.
🔒 Is your enterprise VPN a "Black Box"?
When security relies on "trust" in closed code, you're exposed to hidden risks, vendor lock-in, and outdated protocols.
We compared the traditional "all-in-one" model with an open, enterprise-ready stack built on WireGuard®.
👉 Swipe for 2 key differences
📊 Full 8-point analysis: https://defguard.net/defguard-vs-fortinet/
#CyberSec #VPN #OpenSource #WireGuard #InfoSec #EnterpriseSecurity
What’s your Enterprise VPN built on?
This dumb password rule is from MarketWatch.
- Cannot be longer than 15 characters.
- Must contain one number.
- Cannot contain spaces, %, & or +.
https://dumbpasswordrules.com/sites/marketwatch/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
“Meta projected 10% of its 2024 revenue would come from ads for scams and banned goods, documents seen by Reuters show. And the social media giant internally estimates that its platforms show users 15 billion scam ads a day.”
This dumb password rule is from Virgin Trains.
Your password needs to be between 8 and 10 characters long. Previously
this would silently truncate the password without warning, causing
confusion when the password wouldn't work.
https://dumbpasswordrules.com/sites/virgin-trains/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from European Union Intellectual Property Office.
- The password must be between 8 and 30 characters, containing at least a digit [0-9], a lower case letter [a-z], an upper case letter [A-Z] and one of [!@#$%&*,.] characters
https://dumbpasswordrules.com/sites/european-union-intellectual-property-office/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The schedule for #BSIDESLDN2025 / #BSidesLondon is out: https://cfp.bsides.london/bsides-london-2025/schedule/
This dumb password rule is from Lloyds Bank.
Max 15 characters, min 8. You cannot use **ANY** special characters -
alpha-numerics only. This amazingly terrible password policy combines
with a known phrase (The "Memorable Information") of which you will be
asked for a random 3 characters of if you get your password right.
This phrase has sim...
https://dumbpasswordrules.com/sites/lloyds-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Dell.
Okay at least 6, that's alright I guess.
Oh at least one number and one letter, bit dumb but hey not that dumb.
But hiding the fact that it has a max of 20, now THAT is dumb!
https://dumbpasswordrules.com/sites/dell/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Someone asked me to hand-translate a publicly posted Chinese technical report about NSA shenanigans on the Chinese Center for Time-Keeping network. It took me a while, because it turns out translating technical corporatese from your third language is very hard when chronically sleep deprived, but it is done.
https://docs.google.com/document/d/1gk1fDLKrN3m5jOSk7QbpGL1SBcLvrm0FTN3H-5ZJZcY/edit?usp=sharing
This dumb password rule is from Sky Ticket.
Sky is a German pay-TV provider with over 23 million subscribed users worldwide. They also have an online streaming service called "Sky Ticket".
You can only set a **4 digit long PIN** with no option for two-factor authentication or any additional security mechanisms.
https://dumbpasswordrules.com/sites/sky-ticket/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Vélib’ Métropole.
Your password must be at least 10 characters, with at least 1 uppercase character, 1 lowercase character, 1 number and 1 special character (only from this list: @, $, €, #, %, *, ., ;, !, ?).
You're not allowed to paste passwords.
https://dumbpasswordrules.com/sites/velib-metropole/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
And this, kids, is why we never ever set up easy-to-guess passwords. Even in testing, even temporarily. Just pwgen it, every time.
> accessing the museum's video surveillance server required typing the all-too-obvious word: LOUVRE
This dumb password rule is from Discovery Benefits.
Requires at least one symbol, but must be one of `! @ # $ % & * ?`, and also
has an unstated max length of 20 characters.
https://dumbpasswordrules.com/sites/discovery-benefits/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Replit.
Forces to use minimum 8 characters in the password and it must contain at least one uppercase.
https://dumbpasswordrules.com/sites/replit/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The #infosec professionals who tell us that humans are the weakest link in infosec are, themselves, human, so they are the weakest link in infosec and should therefore not be trusted to tell us about the weakest link in infosec.
This dumb password rule is from Taiwan Pingtung University.
Password must:
- Be between 8 ~ 15 characters long.
- Exceeding 15 will result in an account lockout instead of
erroring on submit. Otherwise, the max character
length should be 20.
- Contains at least 1 number character
- Contains at least 1 lowercase character
- Contains at least 1 uppercase ...
https://dumbpasswordrules.com/sites/taiwan-pingtung-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from WeatherBug.
Maximum 16 characters.
https://dumbpasswordrules.com/sites/weatherbug/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Several months ago, I found a #vulnerability from #MantisBT - Authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776).
Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access.
The root cause of this bug is the incorrect use of == to match the password hash:
if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )
The fix is to use === for the comparison.
This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. https://mantisbt.org/download.php
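Added example, not part of the original post and not MantisBT's code: a PHP sketch of the loose-comparison flaw the post above describes, with the strict alternatives beside it and an audit helper that flags stored hashes matching the post's regex. The function names and every hash string are assumptions constructed for illustration.

```php
<?php
// Added example, not MantisBT code. Function names are hypothetical and all
// hash strings are constructed samples shaped like 32-character hex digests.

// Pattern quoted in the post: leading zeros, then e/E, then digits only.
const MAGIC_HASH_RE = '/^0+[Ee][0-9]+$/';

// Loose comparison: when both operands are numeric strings PHP compares them
// as numbers, so two different "0e<digits>" strings both evaluate to 0.
function loose_match(string $computed, string $stored): bool {
    return $computed == $stored;
}

// Strict comparison (the fix named in the post): same type, same bytes.
function strict_match(string $computed, string $stored): bool {
    return $computed === $stored;
}

// Audit helper: return the users whose stored hash has the risky shape, so
// those accounts can be forced through a password reset after upgrading.
function find_at_risk(array $hashes_by_user): array {
    return array_keys(array_filter(
        $hashes_by_user,
        fn(string $h): bool => preg_match(MAGIC_HASH_RE, $h) === 1
    ));
}

$stored   = '0e462097431906509019562988736854'; // constructed stored hash
$computed = '0e830400451993494058024219903391'; // constructed, different digits

var_dump(loose_match($computed, $stored));   // the vulnerable check
var_dump(strict_match($computed, $stored));  // the corrected check
var_dump(hash_equals($stored, $computed));   // strict and constant-time

$sample = [ // constructed user table
    'alice' => 'a3f1c09b77d2e4560f18b2c3d4e5f607', // ordinary hex digest
    'bob'   => '0e462097431906509019562988736854', // matches the pattern
    'carol' => '00E12345678901234567890123456789', // matches: zeros, E, digits
    'dave'  => '0e46209743190650901956298873685a', // trailing 'a': not numeric
];
print_r(find_at_risk($sample));
```

`hash_equals()` is the usual choice for comparing password hashes because it is both type-strict and constant-time; for new code, `password_hash()` and `password_verify()` avoid hand-written comparisons altogether.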
This dumb password rule is from CENLAR.
Your password can meet all the requirements in the list and still be invalid due to
an unspecified rule: any "special characters" that are not listed in the help text
are not allowed. Worse, it provides no useful feedback other than the "New Password"
field is red.
https://dumbpasswordrules.com/sites/cenlar/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
https://cybersecuritynews.com/phantomraven-attack-involves-126-malicious-npm-packages/
#NodeJS and especially the library repository #NPM is really becoming the PHP security problem of 2025.
Another breach of libraries hosted on npm, this time 126 malicious npm packages that have collectively accumulated over 86000 downloads are affected.
This dumb password rule is from UL Standards.
- Passwords must be between 8 and 12 characters
- Passwords cannot contain any blank spaces
- Passwords must contain at least one number, one uppercase letter, and one lowercase letter.
- Password Reset will randomly fail for no reason.
https://dumbpasswordrules.com/sites/ul-standards/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Editing a draft of an internal #infosec policy spreadsheet. (I hate security-by-spreadsheet!)
I am seriously on a campaign to stomp out the use of the word comprehensive. It virtually never adds anything. It's rarely true. We routinely forego being "comprehensive" in order to be "efficient."
Like emdashes and 3-item bulleted lists, it's also a favourite output of LLMs.
This dumb password rule is from Electronic Arts (EA).
Your password must be 8 - 16 characters, and include at least one lowercase letter, one uppercase letter, and a number.
https://dumbpasswordrules.com/sites/electronic-arts-ea/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Keimyung University.
Okay, doesn't look that hard... But wait, there are hidden rules!
Hidden rules: your password can't have 3 times the same character in a row or more than 2 consecutive numbers.
Also if your password is 20 characters or more you won't be able to write it in the mobile app.
https://dumbpasswordrules.com/sites/keimyung-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from El Corte Ingles.
Min 6 and max 8 characters for password! Can't contain anything
different than letters and numbers. Apart, the email address must have
at least 8 characters (sorry million dollar domain owners! :D)
https://dumbpasswordrules.com/sites/el-corte-ingles/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Aetna Health Insurance.
- Password cannot be longer than 20 characters
- Password cannot have spaces and more than 2 characters repeated in a row
- Password cannot have user's first name, last name or username
https://dumbpasswordrules.com/sites/aetna-health-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from A1 Mobile Serbia.
A1 mobile Serbia is a mobile provider in Serbia that imposes poor password rules.
Translation: "Length of the password must be between 8 and 20 characters and can only have letters and digits."
https://dumbpasswordrules.com/sites/a1-mobile-serbia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Yesterday I deployed a change on www.bbc.co.uk/.com, account.bbc.com, our main media mediation service etc. which soft-disabled TLS 1.0 & 1.1.
Requests over TLS 1.0/1.1 on ^ result in an error page (inc link to a feedback form).
So far I've uncovered a load of internet junk inc. a fleet of old TVs in Asia which poll our weather pages for their local forecast but nothing's been reported broken yet.
Really wish the web had a deprecation strategy. This is a lot of work.