This dumb password rule is from EON.

By the time I'd finished reading the rules I've forgotten all of them.

https://dumbpasswordrules.com/sites/eon/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Waze.

After you request a password reset and you receive an email with instructions and link to reset your password, you are presented with this password reset form. Your password length is limited between 8 and 16 characters. Additionally the form breaks with an error if you use any special characters...

https://dumbpasswordrules.com/sites/waze/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Whitcoulls.

Your password must:
- be between 7 and 15 characters
- contain a capital letter
- have no spaces (shown only when you go to change it)

https://dumbpasswordrules.com/sites/whitcoulls/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from BOINC Bakerlab.

Passwords may only include ASCII characters, not even extended ASCII.

https://dumbpasswordrules.com/sites/boinc-bakerlab/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Nintendo.

Password between 8-20 characters, at least two "categories" of characters, and cannot use the same character more than twice in a row. At least it supports MFA.

https://dumbpasswordrules.com/sites/nintendo/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Alibaba.

- At least 2 uppercase letters
- Plus 2 lowercase letters
- Plus 2 numbers
- Plus 2 punctuation marks

Phew, too many rules, because why not, if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU),
then password rules can be equally intelligent too.

Also, ...

https://dumbpasswordrules.com/sites/alibaba/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Learning about the "bodysnatcher" attack on serviceNow and "ai agents authenticated only by an unverified email address and a well known reused api token" is so great i bet everyone is doing it.

#infosec

This dumb password rule is from LCL.

You have to enter your 6-digit password using this Frenchy keypad.

https://dumbpasswordrules.com/sites/lcl/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Omnivox.

Password length must be 8 to 20 characters long with lower case characters and numbers only.

https://dumbpasswordrules.com/sites/omnivox/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Deutsche Kreditbank AG (DKB).

Passwords for the online banking web frontend do not have a max length constraint, but using the same password to
log in to the official iOS DKB app requires the password to be no longer than 38 characters.

https://dumbpasswordrules.com/sites/deutsche-kreditbank-ag-dkb/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from KPMG Talent Community.

While stating otherwise, the site actually *accepts a backslash* in the password
and displays a forward slash as the example of the disallowed backslash
Password:
- Must be at least 8 characters long
- Must contain at least 1 number
- Must contain at least 1 letter
- Must contain at least 1 spec...

https://dumbpasswordrules.com/sites/kpmg-talent-community/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Ok finally just about finished, full egress policies.

Well, they already had egress policies, but now apps also have FQDN based policies for any outbound https/DNS, with only a small number of exceptions.

Now to watch the DNS dashboard I created to watch for DNS policy failures to add what I missed.

For sure the most complex policy was Homeassistant and idk what the runner-up is, nothing else is close.

I'm also keenly aware that some of these apps have api.github.com or raw.githubusercontent.com could be directed to almost anything. Good enough for now!
#HomeLab #Kubernetes #SelfHosted #InfoSec

New infosec AI guidance just dropped

#infosec #Shitpost #Shitposting #ShamelesslyStolenFromSomewhereElseOnTheInternetHonestlyICantKeepTrackOfThisStuffAnymore

Alt...

PLEASE Don't Thank you

This dumb password rule is from Easybank (Austrian direct bank).

- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at l...

https://dumbpasswordrules.com/sites/easybank-austrian-direct-bank/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from MarketWatch.

- Cannot be longer than 15 characters.
- Must contain one number.
- Cannot contain spaces, %, & or +.

https://dumbpasswordrules.com/sites/marketwatch/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

So I need to test the security properties of a remote TLS server. Normally, I'd use Qualys' TLS server testing tools. However, this server uses an IPv4 allowlist, so Qualys wouldn't be able to reach it.

So, I'm looking for tools I can run locally (Linux, the BSDs, or Windows).

Anyone have any suggestions?

#infosec #pentest

For anyone who still thinks Proton is all that:

https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/

Many of us have been raising alarm bells because their CEO is a fascist boot licker. Some say that’s hot air, but he continues to fit the M.O.

https://techstory.in/proton-mail-faces-backlash-over-claims-of-political-neutrality-amid-ceos-praise-for-republican-party/

https://mas.to/@markwyner/115199799549199535

https://lgbtqia.space/@alice/113830130669521824

Ditch Proton. You deserve better.

#Proton #Privacy #InfoSec #FBI #ProtonIsNotYourFriend

Once again Proton hand over data on an activist to authorities, this time to the FBI via the Swiss High Court.

Proton is unsafe for use by frontliners.

https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/

#infosec #opsec

a very cool technique that some #infosec salesfolk are doing now - if you have the iOS phone call screening thing turned on on your phone, they state their reason for calling as

"cybersecurity breach" or "urgent breach detected"

Because they know that'll go to your screen as text.

And by very cool what I mean is "a very cool way of making sure I never talk to you"

This dumb password rule is from Wells Fargo Identity Theft Protection.

Your password on an Identity Theft Protection service is limited to
between 8 and 20 characters. Your username is allowed to be longer than
your password.

https://dumbpasswordrules.com/sites/wells-fargo-identity-theft-protection/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

RE: https://hachyderm.io/@evacide/116178700239265110

hot take: @protonprivacy didn’t fail you. YOUR OPSEC failed you.

encryption ≠ anonymity. these are not the same thing and never have been.

Proton did exactly what they said they’d do - encrypted your emails and complied with lawful Swiss legal orders. that’s the whole deal. that’s what you signed up for.

the credit card you used to pay for your “anonymous” account was never part of the encryption. that was always traceable. that was always a liability.

and here’s the kicker - Proton literally accepts Monero and cash. they gave you the tools. you chose the Visa.

#infosec #opsec #privacy #ProtonMail #threatmodeling #monero​​​​​​​​​​​​​​​​

Wen boosted

evacide » 🌐 2026-03-05
@evacide@hachyderm.io

If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/

This dumb password rule is from Taco Bell.

Password may include special characters, except for #.

https://dumbpasswordrules.com/sites/taco-bell/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

#ProtonMail Helped #FBI Unmask Anonymous ‘#StopCopCity’ #Protester

by Joseph Cox
Mar 5, 2026 at 3:36 PM

A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.

Read more:
https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/

Archived version:
https://archive.ph/8cpN1

#Doxing #USPol #WorldPol #SilencingDissent #Infosec #CriminalizingDissent #StopCopCitiesEverywhere

RE: https://mastodon.social/@404mediaco/116178581339270397

If you're an activist, you can't rely on Proton Mail to keep your identity private unless you figure out how to pay them in a way that can't be linked back to you.
I'm not going to say that Proton was in the wrong here—they didn't do anything that they claim they won't do—but I will say that I think some people may have an inflated sense of the extent to which Proton can/will protect their privacy when the rubber hits the road.
#infosec #privacy

Tim Hergert boosted

404 Media » 🌐 2026-03-05
@404mediaco@mastodon.social

A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.

https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/

This dumb password rule is from Coppell, TX - Water Utility.

Local Utility with a password restriction of 30 characters. Better than some for sure, but still dumb.

https://dumbpasswordrules.com/sites/coppell-tx-water-utility/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

I'm pleased to report that I've just submitted the final capstone paper for my master's degree in cybersecurity!

#cybersecurity #infosec #freebsd #bastillebsd #learning #education

This dumb password rule is from Singapore Airlines.

`/[0-9]{6}/`

https://dumbpasswordrules.com/sites/singapore-airlines/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from PayPal.

Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol...

The rule limits special characters to !@#$%^&*(). but my current password has a "-" in it so someone decided to restrict this further which is totally backwards. Things are meant to get better not worse!

https://dumbpasswordrules.com/sites/paypal/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

I am seeing a lot – a *lot* – more spam than before. I am not the only one. Seems like some larger phishing campaign got kicked off?

I wonder if this is related to the aggression on Iran.

#InfoSec

This dumb password rule is from Kryterion Webassessor.

I was quite surprised to see this when I was registering for my Google Professional Cloud **Security** Engineer certification. Nice part is that they **don't allow quotes** as special character, so I assume there possibly might be some other issues on their backends. :-)

https://dumbpasswordrules.com/sites/kryterion-webassessor/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

There are scam notifications about "monetization" on here going around.

👉 Don't fall for them.
👉 Don't click the link.
👉 Report and block on sight.

There is no monetization scheme on mastodon.social, nor any other fedi instance I know of.

Stay safe!

#Fediverse #InfoSec

Alt...

Screenshot of a message from a scam account, @MonetizationNotification@mstdn.ca (already blocked on my instance). I altered the phishing link in the description below on purpose, to make it harder to click on it. @rysiek Mastodon Sent You Message Important notification for your account! The Mastodon team has noticed your activity on our forum and we would like to offer you a partnership. Partnering with us means that monetization will be enabled for your account. To begin collaborating with our team, please confirm that you are the owner of this account by following the link below. Verify now: https://lyzo[.]io/icLJa If you attempt to avoid verification, our system will freeze your account indefinitely. Thank you for staying with us. Mastodon.social

This dumb password rule is from Fidelity.

No more than 20 characters and leave out characters commonly used by
programmers. We don't want you to hack the mainframe.

https://dumbpasswordrules.com/sites/fidelity/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Deutsche Kreditbank AG (DKB).

Passwords for the online banking web frontend do not have a max length constraint, but using the same password to
log in to the official iOS DKB app requires the password to be no longer than 38 characters.

https://dumbpasswordrules.com/sites/deutsche-kreditbank-ag-dkb/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Mini Blue Team Diaries story:

An alert came into our team because a machine was making a series of unexpected connections to abnormal destinations. Specifically, the connection that triggered the alert was SSH to an IP in Singapore.

Investigated the machine and found that it was used to self host Atlassian Confluence.

That same day, some 0day in Confluence was making the rounds, and it didn’t take long to determine that the exploit was how the machine got compromised.

Working with the team that owned the server, we were helping clean it up, when we noticed something strange - the attackers had managed to elevate themselves to root, which of course, made their lives much easier.

But how? The Atlassian 0day would’ve given them access for sure, but not as root. They would’ve inherited the permissions confluence was running under.

We began to try and understand what local priv escalation vulnerability they’d used to become root on the machine - but we couldn’t find anything.

Finally, I asked outright, “folks, was the web facing Confluence app running as root this whole time?”

“Yes. It was the only way we could get it to run,” came the answer.

It was at this point I ordered that server burnt to the ground, and a hastily arranged migration to hosted confluence took place.

For more, less mini stories like this one, check out the Blue Team Diaries series of stories, part of the Infosec Diaries series.

https://infosecdiaries.com

#infosec #dfir #blueteam

You're paying AI companies a monthly subscription fee to be fingerprinted like a parolee.

I got bored and ran uBlock across Claude, ChatGPT, and Gemini simultaneously.

Claude:

• Six parallel telemetry pipelines.
• A tracking GIF with 40 browser fingerprint data points baked into the URL, routed through a CDN proxy alias specifically to make it harder to block.
• Intercom running a persistent WebSocket whether you use it or not.
• Honeycomb distributed tracing on a chat UI because apparently your conversation needs the same observability stack as a payments microservice.

ChatGPT:

• proxies telemetry through their own backend to hide the Datadog destination URL from blockers.
• uBlock had to deploy scriptlet injection — actual JS injected into the page to intercept fetch() at the API level — because a network rule wasn't enough.
• Also ships your usage data to Google Analytics. OpenAI. To Google. You cannot make this up.
• Also runs a proof-of-work challenge before you're allowed to type anything.

Gemini:

• play.google.com/log getting hammered with your full session behavior, authenticated with three SAPISIDHASH token variants, piped directly into the Google identity supergraph that correlates everything you've ever done across every Google product since 2004. - Also creates a Web App Activity record in your Google account timeline. Also has "ads" in one of the telemetry endpoint subdomains.

When uBlock blocks Gemini's requests, the JS exceptions bubble up and Gemini dutifully tries to POST the error details back to Google. uBlock blocks that too. The error messages contain the internal codenames for every upsell popup that failed to load.

KETCHUP_DISCOVERY_CARD.
MUSTARD_DISCOVERY_CARD.
MAYO_DISCOVERY_CARD.

Google named their subscription upsell popups after condiments and I found out because their error handler snitched on them.

All three of these products cost money.
One of them is also running ad infrastructure.

Touch grass. Install @ublockorigin

#infosec #privacy #selfhosted #foss #surveillance

This dumb password rule is from Benergy4.

12 to 25 characters, only these special chars allowed: @+/'!#$^?:,.(){}[]~-.
Also, security questions.

https://dumbpasswordrules.com/sites/benergy4/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

@nixCraft #ImpactedByObjects
the new #privacy #infosec threat
#iranwar

my laptop was impacted by objects
my datacenter was impacted by objects

Alt...

news item where Amazon datacenter in use being impacted by objects je catching fire

This dumb password rule is from Taco Bell.

Password may include special characters, except for #.

https://dumbpasswordrules.com/sites/taco-bell/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

The #tech industry pays well, especially if you’ve been working in it for more than a few years. I’ve often wondered if that steady paycheck makes people forget. It really seems like some folks lose sight of what living without money means, even when they grew up with food insecurity as a part of their life experience.

For instance, I’ll see posts where #infosec folks absolutely lambast anyone who doesn’t use a service like Tuta or Protonmail for emails and just will not hear it when people say, “Hey, it’s a good idea you’ve got there, but the reason you know this is important is because you work in the industry and unless you can explain why it is important without being an ass, you’re not convincing anyone.”

Spinning up private, encrypted Nextcloud instances sounds amazing! How do you think someone is going to do that when they are worried about access to food? You have a spare computer under your desk running your Plex server and you’re yelling at someone who doesn’t have their own internet connection and is only able to get access to the internet from the library.

Knowledge is just another kind of privilege. Don’t use yours to punch down, use it to educate and elevate.

EDIT: WHELP https://github.com/aquasecurity/trivy/commit/d267cc4b6dc0f159477184d4267d6a49feb68083

Did Trivy just drop all of their open source offering, or is something else going on here?

https://github.com/aquasecurity/trivy (empty repo??)

#InfoSec

This dumb password rule is from EON.

By the time I'd finished reading the rules I've forgotten all of them.

https://dumbpasswordrules.com/sites/eon/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Suncorp.

To "improve security" and "be password savvy", passwords must:
- be six to eight characters long
- Contain both numbers and letters
- Include upper and lowercase letters

https://dumbpasswordrules.com/sites/suncorp/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Entwickler.de.

Your password must be 12-20 characters.

https://dumbpasswordrules.com/sites/entwickler-de/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Trump's decision stopped short of #threats issued by #Hegseth & the #Pentagon, including that it could invoke the Defense Production Act to require Anthropic's compliance. The Pentagon had also said it considered designating #Anthropic a #SupplyChain risk, a step previously only used against businesses tied to foreign adversaries.

But #Trump vowed further action if Anthropic did not cooperate with the phaseout.

#law #AI #surveillance #AutonomousWeapons #privacy #security #InfoSec