cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from Commsec.
Another financial institution with short password requirements. They also block pasting into the field, making it a pain to use a password manager.
https://dumbpasswordrules.com/sites/commsec/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Ancestry.
Password:
- Must be at least 8 characters long
- Must contain at least 1 number
- Must contain at least 1 letter or special character
- Must not be a well known or common password
https://dumbpasswordrules.com/sites/ancestry/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Standard Chartered Bank.
- Between 8 to 16 characters
- Only letters and/or numbers
https://dumbpasswordrules.com/sites/standard-chartered-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from El Corte Ingles.
Min 6 and max 8 characters for the password! Can't contain anything other than letters and numbers. Apart from that, the email address must have at least 8 characters (sorry, million dollar domain owners! :D)
https://dumbpasswordrules.com/sites/el-corte-ingles/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sparkasse.
„Sparkasse“ is a group of banks which is pretty popular in Germany. It calls its passwords „PIN“ („persönliche Identifikations-Nummer“ — personal identification number); the rules are pretty horrific and it's not even a number, even though it is called one! Here is a screenshot from the branch...
https://dumbpasswordrules.com/sites/sparkasse/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Coventry Building Society.
Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.
https://dumbpasswordrules.com/sites/coventry-building-society/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Alibaba.
- At least 2 uppercase letters
- Plus 2 lowercase letters
- Plus 2 numbers
- Plus 2 punctuation marks
Phew, too many rules, because why not: if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU), then password rules can be equally intelligent too.
Also, ...
https://dumbpasswordrules.com/sites/alibaba/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Vivo.
The password must only contain numbers and the max length is 6.
https://dumbpasswordrules.com/sites/vivo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Craigslist.
No minimum character limit, meaning you can go as low as 5 characters for a password.
https://dumbpasswordrules.com/sites/craigslist/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Kryterion Webassessor.
I was quite surprised to see this when I was registering for my Google Professional Cloud **Security** Engineer certification. The nice part is that they **don't allow quotes** as a special character, so I assume there might be some other issues on their backend. :-)
https://dumbpasswordrules.com/sites/kryterion-webassessor/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Nevada DMV.
- Password length must be exactly 8 characters in length
- Password must contain at least one letter (any position)
- Password must contain at least one number (any position)
- Password must contain one of the following special characters: @ # $
- Password is not case sensitive
https://dumbpasswordrules.com/sites/nevada-dmv/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Interactive Brokers.
Usual dumb password restrictions, but this one has incredibly dumb **username** restrictions too:
**Username:**
- **Length of 8 or 9 letters and numbers**
- **Contain at least 3 letters and 3 numbers**
- Begin with a letter
- Lower case only, no spaces, no special characters
**Password:**
- Can...
https://dumbpasswordrules.com/sites/interactive-brokers/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from USAA Bank.
Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.
https://dumbpasswordrules.com/sites/usaa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from NBA Store.
- Password cannot be longer than 20 characters
https://dumbpasswordrules.com/sites/nba-store/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
FreeRadical.zone is a Mastodon server themed around infosec and privacy and technology and leftward politics and cats and dogs.
This server has been online since 2017.
You can find out more at https://freeradical.zone/about or contact the admin account @tek
#FeaturedServer #InfoSec #Privacy #Tech #Technology #Mastodon #Fediverse #FreeFediverse
This dumb password rule is from Sharekhan.
- At least 8 characters.
- At most 12 characters.
https://dumbpasswordrules.com/sites/sharekhan/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from PayPal.
Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol...
The rule limits special characters to !@#$%^&*(). but my current password has a "-" in it, so someone decided to restrict this further, which is totally backwards. Things are meant to get better, not worse!
https://dumbpasswordrules.com/sites/paypal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Remember yesterday when I told y’all some of the redactions were easy to remove? The Guardian has words.
People examining documents released by the Department of Justice in the Jeffrey Epstein case discovered that some of the file redaction can be undone with Photoshop techniques, or by simply highlighting text to paste into a word processing file.
Y’all, they used Acrobat. Because the #DOJ fired all the #infosec people who normally sanitize data, and told 1200 agents not trained in infosec to hide anything that might embarrass the #GuardiansofPedophiles, and this is the result.
Have fun y’all, let’s see who we can embarrass.
https://www.theguardian.com/us-news/2025/dec/23/epstein-unredacted-files-social-media
This dumb password rule is from Mobility.
The username is the customer number, which is sequential and cannot be changed, currently 7 digits long for new customers.
The password has to be exactly 6 digits long, only numbers allowed.
https://dumbpasswordrules.com/sites/mobility/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Easybank (Austrian direct bank).
- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at l...
https://dumbpasswordrules.com/sites/easybank-austrian-direct-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Any time you see the word “secure” in an edge device name, you should read it the same way you read “democratic” in a country’s name.
This dumb password rule is from Netflix.
[The help page](https://help.netflix.com/de/node/54078) and the [password reset page](https://www.netflix.com/password) say:
Your password must be between 4 and 60 characters long and must not contain a tilde (~).
https://dumbpasswordrules.com/sites/netflix/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Why use a URL shortener when you can use a phishy URL extender?
Keep your security people alert and awake, generate phishing-looking redirecting links
This dumb password rule is from Mindware.
You "*may use special characters*", but only some of them - and we won't necessarily tell you which ones.
https://dumbpasswordrules.com/sites/mindware/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Telcel.
- The username is the cell phone number (easy to get)
- The company creates a password between 8 and 12 characters for you
- Password must contain at least 1 capital letter and no special characters
https://dumbpasswordrules.com/sites/telcel/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Inpost.
Allows between 8 and 16 characters. The password is used to log in and view packages sent to you, or for shipping packages.
https://dumbpasswordrules.com/sites/inpost/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Wells Fargo.
Your password must be between 8-32 characters long and inexplicably doesn't accept `-` but does seemingly accept other special characters.
https://dumbpasswordrules.com/sites/wells-fargo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from GoFundMe.
- At least one uppercase and one lowercase letter
- At least one number and one special symbol
- Does not specify which characters are considered special symbols; did not recognize spaces as special symbols
https://dumbpasswordrules.com/sites/gofundme/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Ok, looking at ssh certs a bit more... using step-ca, ssh certs can be issued, but I would need a different provisioner to do it, since annoyingly ACME can't issue ssh certs. That means clients will need the step CLI installed to request certs, not that big of a deal, but which provisioner? The X5C provisioner actually looks good. They warn that it isn't recommended to use certs signed by step-ca itself because it can function as a form of privilege escalation. But I think I can avoid that by using a restrictive template that limits it to only issuing host certs, with SANs restricted to the same SANs as the x509 used to authenticate. I'll use OIDC for shorter-lived user certs. I'll keep pubkey auth enabled as a backup, since some of these systems would be used as jump boxes to troubleshoot OIDC/CA issues. Oh, and I should set up a new intermediate for the SSH host/user certs.
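The host-only, SAN-bound restriction that post describes, written out as added illustrative Python policy logic (it is not step-ca's template language or any of its code); the X509Leaf and SSHCertRequest types, evaluate() and the 24-hour TTL cap are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta

# Constructed stand-ins for the two inputs the policy needs: the X.509 leaf that
# authenticated the request (only its SANs matter) and the SSH cert request itself.
# Field names are hypothetical and not step-ca's own types.
@dataclass(frozen=True)
class X509Leaf:
    dns_sans: frozenset[str]
    ip_sans: frozenset[str] = frozenset()

@dataclass(frozen=True)
class SSHCertRequest:
    cert_type: str              # "host" or "user"
    principals: tuple[str, ...]
    validity: timedelta

MAX_HOST_CERT_TTL = timedelta(hours=24)  # assumed policy value, not from the post

def evaluate(leaf: X509Leaf, req: SSHCertRequest) -> tuple[bool, str]:
    """Deny-by-default check: host certs only, principals bound to the leaf's SANs."""
    if req.cert_type != "host":
        return False, "this path issues host certificates only"
    if not req.principals:
        return False, "a host certificate must name at least one principal"
    # A wildcard SAN (e.g. *.example.net) proves nothing about a concrete host name,
    # so only literal DNS names and IPs carry over as allowed principals.
    allowed = {s.lower() for s in leaf.dns_sans if not s.startswith("*")} | set(leaf.ip_sans)
    extra = [p for p in req.principals if p.lower() not in allowed]
    if extra:
        return False, f"principals not backed by the authenticating cert: {extra}"
    if req.validity > MAX_HOST_CERT_TTL:
        return False, f"validity {req.validity} exceeds {MAX_HOST_CERT_TTL}"
    return True, "ok"

def run_samples() -> dict[str, bool]:
    """Exercise the policy against a constructed leaf issued to web1.example.net."""
    leaf = X509Leaf(frozenset({"web1.example.net", "*.example.net"}), frozenset({"10.0.0.5"}))
    cases = {
        "own names, short ttl": SSHCertRequest("host", ("web1.example.net", "10.0.0.5"), timedelta(hours=12)),
        "user cert via x5c": SSHCertRequest("user", ("alice",), timedelta(hours=1)),
        "other host via wildcard": SSHCertRequest("host", ("db1.example.net",), timedelta(hours=1)),
        "own name, ttl too long": SSHCertRequest("host", ("web1.example.net",), timedelta(days=2)),
    }
    return {name: evaluate(leaf, req)[0] for name, req in cases.items()}
```

Calling run_samples() allows only the first case; the wildcard SAN in the leaf does not let it request a certificate for any other host under example.net.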
What to do with TOTP MFA credentials these days? I currently do #1, but it adds complexity. I've seen some recommends for #2, which surprises me a bit. But then again a password manager failure is like catastrophic either way. Also if I think about it, based on the logic of option 1, I shouldn't have the recovery codes in the pw manager db either.
| Option | Votes |
|---|---|
| Store them in another app/password manager (synced) | 11 |
| Store them in your password manager next to your passwords | 16 |
| Store them in another app (not synced) | 4 |
This dumb password rule is from TwinSpires.
You can gamble on our site. We'll keep your money secure with a 12 character password!
https://dumbpasswordrules.com/sites/twinspires/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This might be a bit of a long shot, but does anyone have some great examples of questions and answers pertaining to #infosec and #cybersecurity that you'd get, as a company from your clients?
I know in the past I've had clients ask for stuff like longer log or backup retention, etc., but what sorts of questions are usually expected?
Thanks very much in advance and please boost far and wide!
This dumb password rule is from GameFly.
Password is 6-12 characters with no other restrictions. You can easily do 6 numbers, 6 lowercase letters, etc.
https://dumbpasswordrules.com/sites/gamefly/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Vietnam Airlines.
`[[:alnum:]]{6,8}`
https://dumbpasswordrules.com/sites/vietnam-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Williams-Sonoma.
25 maximum characters and disallowing some specials.
https://dumbpasswordrules.com/sites/williams-sonoma/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Here is a brief summary of the AI/AI adjacent vulnerability-types I've noted in pen tests over the last year (some are AI specific, others could happen with any software project, I just happened to have found them in the context of an AI one):
- code injection type things: in order to better understand how they are making decisions, pretty much everything you send to an LLM is logged. I've had more than one successful SSRF this year simply by including code, or a link to code in my LLM convo. Sometimes it's self inflicted, in real time, other times it happens hours later when a human is reviewing the logs and wondering wtf is going on.
- mixing in outside knowledge: was able to get what was a closed loop transcription tool to go look something up and put it in the transcription. Could likely be used maliciously.
- GitHub storage of training data: for some reason, AI-tool developers seem intent on storing emails, documents, spreadsheets, whatever it is they are training their stuff on in public GitHub repos. Have easily found 8 or 9 examples of this in 2025.
- letting the AI do authorization: if you give AI access to 'all of the data' and expect it to self manage who is authorized to see what based on a prompt, you are in for a bad day/week/month. People are doing this.
- Exposure of third party OAuth tokens etc: Most of these agents etc are connecting to things like Google Workspace, Exchange, to read emails, documents etc. For some reason, people seem to do a very poor job of protecting the tokens that they give the AI. I can think of two examples this year where those tokens were readily accessible in an API response.
🧵 Tech-themed works, 26/x
Black Hat hacker (2016)
#hacker #malware #cybercrime #cybersecurity #InfoSec #security #safety #LowPoly #CharacterDesign #design #artwork #sculpture #3DArt #3DModeling #3DArtist #illustration #illustrator #picture #digital #style #art #artist #arts #arte #designer #GraphicDesign #3D #3DRendering #CGI #Blender3D #B3D #blender #DigitalArt #ArtLovers #MastoArt #FediArt #MastodonArt #CreativeToots #ArtistsOnMastodon
The breach notification, from December 15: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/0f46ebfd-5508-426d-88f9-3ad07e6ef483.html
Infosecurity-Magazine: US Autoparts Maker LKQ Confirms Oracle EBS Breach https://www.infosecurity-magazine.com/news/lkq-confirms-oracle-ebs-breach/ #Oracle #databreach #infosec
This dumb password rule is from STOVE.
- 24 characters max
https://dumbpasswordrules.com/sites/stove/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
shout out to an oldie but a goodie:
pen test scenario - landed on a highly locked down windows environment
- can’t install anything that requires elevation
- powershell blocked
- SOC getting alerts and blocking every time i try fancy crap with wmic
- likewise with wscript
- wanna do some faster network discovery
Enter, the only thing that works: Angry IP Scanner dot exe!