cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
The cybersecurity wrecking ball is turning to VPNs ‼️
It's dangerous to attack a tool that can help to keep adults and children safe online.
Age-gating this tech for UK users would increase cybercrime and put under 18s at a greater risk of predators.
https://www.bbc.co.uk/news/articles/cn438z3ejxyo
#OnlineSafetyAct #onlinesafety #VPN #cybersecurity #privacy #ukpolitics #ukpol
This dumb password rule is from Trade Me.
Won't allow spaces or single quotes. Maybe other characters as well -
they do not say up front - but the password they accepted contained lots
of other special characters.
https://dumbpasswordrules.com/sites/trade-me/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The UK has pulled its order to put a backdoor into Apple's encrypted services.
BUT "powers to attack encryption are still on the law books, and pose a serious risk to user security and protection against criminal abuse of our data."
🗣️ @jim, ORG Exec Director.
https://www.bbc.co.uk/news/articles/cdj2m3rrk74o
#apple #encryption #e2ee #privacy #security #cybersecurity #ukpolitics #ukpol
This dumb password rule is from CWT Business Travel Management Company.
Password:
- 8 to 32 characters long
- Must contain a combination of letters, numbers and symbols
- Must be different from your username
- Must be different from 5 previous passwords
https://dumbpasswordrules.com/sites/cwt-business-travel-management-company/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Another week, another data breach at a big-name Australian company, this time ISP iiNet.
No idea who did it, yet, but we're on the lookout.
This dumb password rule is from Targobank.
Your password must:
- must not be your username
- must at least eight characters
- must contain at least one number character
- must contain at least one uppercase character and 1 lowercase character
- must not contain spaces
- must not contain three identical characters in a row
- must not conta...
https://dumbpasswordrules.com/sites/targobank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Coventry Building Society.
Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.
https://dumbpasswordrules.com/sites/coventry-building-society/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CenturyLink Residential.
Your password is too long. But how long can it be? Oh, we won't tell you.
https://dumbpasswordrules.com/sites/centurylink-residential/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from SAS Eurobonus.
The best thing about rules is that you can have multiple different ones!
Like SAS that allows you to have a long password at least when signing
up, but you'll be sorry if you want to change your password later on.
https://dumbpasswordrules.com/sites/sas-eurobonus/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from California Department of Motor Vehicles.
They also prohibit pasting into the password field by using a JavaScript
`alert()` whenever you right-click or press the `Ctrl` button, so
you can't use a password manager.
https://dumbpasswordrules.com/sites/california-department-of-motor-vehicles/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from ING Australia.
4 numeric digits.
"Added security" by randomising the positions on the keypad. Must be clicked.
https://dumbpasswordrules.com/sites/ing-australia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from ASN Bank.
Your password needs to be between 8 and 20 characters long - at least 1 number, 1 lower case letter, 1 upper case letter, 1 special character.
https://dumbpasswordrules.com/sites/asn-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Hetzner.
- 8 or more characters
- At least one uppercase and one lowercase letter
- At least one number or special character
Okay, fair enough, but after putting in a password with some special characters this message appears:
- Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ?...
https://dumbpasswordrules.com/sites/hetzner/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from College Board.
Password must be 9-30 characters with at least one upper case letter, one lower case letter, one number and one special character (no spaces) and be different than your username.
https://dumbpasswordrules.com/sites/college-board/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Williams-Sonoma.
25 maximum characters and disallowing some specials.
https://dumbpasswordrules.com/sites/williams-sonoma/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
So yesterday, I emailed a state court system that appears to be linked to the exposed data I mentioned recently and that the host notified on or about July 28.
No reply was received.
Today, I sent a contact form message to the lawyer for a juvenile whose records were sealed. Sealed, except 11 of them were exposed to anyone who can access the data. I told him what was going on and suggested he contact the court and tell them to get the data secured.
No reply was received.
Today, I sent an email to the judge who ordered the juvenile's records sealed and I cc:d the district attorney. I gave them the juvenile's name, case number and that I could see all the sealed records. I urged them to have their IT or vendor call me and I could give them the IP address over the phone, etc.
No reply was received.
Dear Russia, China, and North Korea:
You do not need to hack our courts. They are leaking like sieves and do not respond when we try to tell them they need to secure the data.
Yours in total frustration,
/Dissent
#infosec #cybersecurity #incident_response #dataleak #databreach #WAKETHEFUCKUP
At #DEFCON33, #Meshtastic ran its biggest mesh yet—2K+ nodes, thousands of msgs & an unexpected live vulnerability demo. Lessons learned ✅ Big plans for security, identity & UX.
Full recap 👉 https://meshtastic.org/blog/that-one-time-at-defcon/
This dumb password rule is from Taiwan Pingtung University.
Password must:
- Be between 8 ~ 15 characters long.
- Exceeding 15 will result in an account lockout instead of
erroring on submit. Otherwise, the max character
length should be 20.
- Contains at least 1 number character
- Contains at least 1 lowercase character
- Contains at least 1 uppercase ...
https://dumbpasswordrules.com/sites/taiwan-pingtung-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from KPMG Talent Community.
While stating otherwise, the site actually *accepts a backslash* in the password
and displays a forward slash as the example of the disallowed backslash
Password:
- Must be at least 8 characters long
- Must contain at least 1 number
- Must contain at least 1 letter
- Must contain at least 1 spec...
https://dumbpasswordrules.com/sites/kpmg-talent-community/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Wells Fargo Identity Theft Protection.
Your password on an Identity Theft Protection service is limited to
between 8 and 20 characters. Your username is allowed to be longer than
your password.
https://dumbpasswordrules.com/sites/wells-fargo-identity-theft-protection/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
NL. Horrible data breach.
The data of 485,000 women who participated in the population screening for cervical cancer has been stolen via a hack. Not just personal information, such as name and address, was involved. Official identification numbers and test results were also captured.
UK retail giant M&S restores Click & Collect months after cyber attack, some services still down
#CyberAttackRecovery #OnlineServicesRestoration #CyberSecurity #RetailTech #UKRetail
https://go.theregister.com/feed/www.theregister.com/2025/08/11/ms_restores_click_collect_following/
This dumb password rule is from Premera Blue Cross.
Password must contain 8-30 characters, including one letter and one number.
"Special characters allowed" seems to mean a very small handful of choices you can only find through trial and error `-_'.@`
https://dumbpasswordrules.com/sites/premera-blue-cross/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Scandinavian Airlines.
The password rules themselves are fine, but it doesn't inform about the max length of the password.
Their max length is 14 characters, so even if you enter a password of 42 chars, you can log in with the first 14 of it.
In this case, I changed my password to **Super_l0ng_password_that_fits_all_criteri...
https://dumbpasswordrules.com/sites/scandinavian-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
So when it's this easy to get a MITM going things like making posts in public chats as anyone you want feels kinda low key.
But I do hope that extended warranty works out, everyone seems pretty concerned about them.
Which brings me to part two, MeshMarauder.
An open source tool demonstrating proof-of-concept exploits against the DEFCON 33 Meshtastic firmware.
MeshMarauder will demonstrate:
- Tracking user activity on any mesh regardless of encryption usage
- Hijack all meshtastic user profile metadata
- Change any user's public key
- Send messages as any user in channel chats that appear authentic
- MITM direct messages
I've been busy as hell this past week.
A lot of people have been asking hard questions about the security of LoRa systems when they hear about mesh radios.
I'm not one to trust the marketing so I and several friends put together two new LoRa tools to help us audit the security claims of LoRa mesh systems!
🤘🏿 📡 ✨
#radio #cybersecurity #privacy #meshtastic #lorapipe #meshmarauder #lora #mesh
This dumb password rule is from Unicaja.
Username is your national Spanish ID (easy to find).
Your password must be 6 characters long. You can't type, only select characters from the virtual keyboard
https://dumbpasswordrules.com/sites/unicaja/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
NEW: Federal judiciary says it is boosting security after cyberattack; researcher finds new leaks
More of those frustrating leaks where, despite our best efforts, we have been unable to get the network shares locked down so far, even with the host's assistance.
This one involves two courts: one state and one federal, and yes, we saw some files that were supposed to be sealed or confidential.
This dumb password rule is from LINE.
Password must:
- be between 8 to 20 characters
- not contain characters that repeat in a row
Password must contain three of the following:
- an upper-case letter
- a lower-case letter
- a number
- a symbol
https://dumbpasswordrules.com/sites/line/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from IHG.
4, yes 4, digits only.
https://dumbpasswordrules.com/sites/ihg/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Canadian Imperial Bank of Commerce.
Letters and numbers only, no symbols. Also an undocumented maximum of 12 characters!
https://dumbpasswordrules.com/sites/canadian-imperial-bank-of-commerce/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Any #infosec folks wanna help me with some decent data to back up the following point? I am trying to make the point to some executives that a #password policy requiring minimum 8 characters with 1 symbol, mixed case, and 1 number is just not reasonable in 2025. (I'm commenting on another company's policy, not my own!)
What is a good example of a policy (e.g., NIST 800-63 or whatever) that said 49 bits was no good?
I currently say: 49 bits of entropy was unacceptably low in 2005. It is unthinkably low in 2025. What can I point to that might resonate better than "bits of entropy?"
Using the classic method with Shannon's estimate, I figure it's on the order of 49 bits of entropy but that's only if it's purely random from the full character set, and we know that's not true.
I'm not looking for rhetorical suggestions. I'm good at rhetoric. I'm looking for references I can point to (like "XYZ published in 2011 that the minimum acceptable password was 56 bits of entropy")
feel free to boost for fun
#security #cybersecurity
This dumb password rule is from Trenord.
- Password must consist of 8-16 characters
- Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.
https://dumbpasswordrules.com/sites/trenord/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Instead of building navigation with icons, Qualys thought it'd be a great idea to use boxes, each containing an acronym which can stand for any number of things.
If you are thinking that CSAM is for Child Sexual Abuse Material, that PM is for Project Management and PS is for Photoshop, well, you'd be wrong on all counts.
Can you guess why some buttons are different colors but the different colors are not all grouped together? Me neither.
This dumb password rule is from ADP.
Forced to change the password during the first login. At least they
could use proper grammar in their rule list.
https://dumbpasswordrules.com/sites/adp/
#password #passwords #infosec #cybersecurity #dumbpasswordrules