cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from Bank of America.
20 character max and lots of special character restrictions.
Bank of America - keeping your money safe.
Also: If you paste a password greater than 20 characters, the form truncates it without telling you or giving an error.
https://dumbpasswordrules.com/sites/bank-of-america/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Banco Nacional (Costa Rica National Bank).
Between 8 and 16 characters.
Must have 4 numbers and 4 letters.
Must not contain same letter or number in consecutive order.
Can't contain vowels or the letter Ñ.
Password can't be the same as the previous 6 used.
https://dumbpasswordrules.com/sites/banco-nacional-costa-rica-national-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
😆 this is excellent #TheCrux @daedalus
"We take security seriously!!
Cover up that incident with this handy sticking plaster."
I have an old #Netgear #R9000 WiFi #router acting as an access point. This router is end-of-life and supposedly no longer receives firmware updates; there was a security update last September, so it isn't _too_ stale.
Because it's serving as an access point it has no public IP address, though obviously a sufficiently dedicated attacker could literally sit outside our house and talk to it over WiFi.
If you were in my shoes, what would you do with this router?
#infosec #homeInternet
| leave it, it's fine: | 7 |
| too risky, replace it: | 0 |
| too risky, flash it to DD-WRT: | 8 |
| something else, see reply: | 0 |
i was quite surprised to discover that no one had registered deleteduser [dot] com, and was curious to see how many emails i'd get if i registered it, assuming many orgs 'delete' logic probably just overwrote the email address with blahblah@deleteduser.com or similar.
The answer is at least 3 different orgs in the hour that I've owned that domain and been listening for email.
And yes, all of those emails contain the actual PII of the person who has been 'deleted' :-D
This dumb password rule is from MetLife.
Max length of 20 characters, no special characters allowed.
Pasting into the second password field is disabled even with the Chrome extension Don't Fuck With Paste.
https://dumbpasswordrules.com/sites/metlife/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Vancity Credit Union.
Personal Access Code (or PAC–they are too ashamed to call it a password), must be between 5 to 8 digits and cannot start with '0'. (no letters or symbols)
https://dumbpasswordrules.com/sites/vancity-credit-union/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Scandinavian Airlines.
The password rules themselves are fine, but it doesn't inform about the max length of the password.
Their max length is 14 characters, so even if you enter a password of 42 chars, you can login with the first 14 of it.
In this case, I changed my password to **Super_l0ng_password_that_fits_all_criteri...
https://dumbpasswordrules.com/sites/scandinavian-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
It doesn't just live on. It's thriving because criminals know they operate in a reactionary environment. It's leverage, and it's working and will continue to work so long as the crisis management model remains the same.
Security Boulevard: Ransomware Lives On, Blending Hacktivism and Crime, Fueled by AI https://securityboulevard.com/2026/04/ransomware-lives-on-blending-hacktivism-and-crime-fueled-by-ai/ #infosec #ransomware
This dumb password rule is from Benergy4.
12 to 25 characters, only these special chars allowed: @+/'!#$^?:,.(){}[]~-.
Also, security questions.
https://dumbpasswordrules.com/sites/benergy4/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Why is not every email address an alias?
Access to your mailbox would be a totally unrelated username + password/MFA.
Why are we still giving away a free factor for compromise with every email we send?
🆘Bill Cole 🇺🇦 [Honestly I don’t care but no one will understand if you use she/her.] » 🌐
@grumpybozo@toad.social
@fschaap Skill issue.
Some of us have divorced authentication from message transport and delivery for decades. And talked about it. And advocated for it. And been mostly ignored.
Literally every email address that delivers to my main mailbox is an alias of some sort. Has been since 1995 when I fired up my own mail server. My mail is delivered into a Maildir+ mailbox owned by a system account whose name I have never used in an email address and never will.
This dumb password rule is from LibraryThing.
"Your password cannot be longer than 20 characters"
https://dumbpasswordrules.com/sites/librarything/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Return of Reckoning.
Password must be between 6 and 100 characters.
It doesn't say on the website, but the password only works in the related game client if it is purely alphanumeric. Not even special characters like % or $ are allowed.
https://dumbpasswordrules.com/sites/return-of-reckoning/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from myezyaccess.com patient portal system.
12-character maximum password length. This is not a single website but a patient portal system used by hundreds of medical facilities via subdomains, with password policy apparently being consistent for all sites.
https://dumbpasswordrules.com/sites/myezyaccess-com-patient-portal-system/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Coventry Building Society.
Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.
https://dumbpasswordrules.com/sites/coventry-building-society/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Proton built their entire brand on one promise: Swiss law means government agencies can't touch your data.
Their own Terms of Service, their own infrastructure contracts, and a federal court case from March say otherwise.
https://blog.ppb1701.com/not-even-government-agencies
#bigtech #blog #infosec #privacy #proton #protonmeet #security #surveillance #userhostile #selfhosting
This dumb password rule is from Nelnet (student loan servicer).
8 to 15 characters and no spaces? Why no spaces? Also limited to only these 6 special characters. That could mean that there is some process somewhere that puts this as part of a command line invocation.
https://dumbpasswordrules.com/sites/nelnet-student-loan-servicer/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Ra (Freyja) (it/its)𒀭𒈹𒍠𒊩 [it/its; q=1.0, she/her; q=0.9; they/them; q=0.1, */*; q=0.0] » 🌐
@freya@social.highenergymagic.net
hey so this is probably completely pointless but: looking for a job (NZ or fully remote willing to hire a kiwi) in SRE, security, or linux/Unix system administration. 15 years experience administering Linux and Unix boxes, intermediate level of experience working with docker compose and containerisation and container security. No prior job experience unfortunately, all those 15 years were mostly personal projects and small-scale stuff for friends. Currently running an entire multi-machine personal cloud infrastructure with a demonstration of all the services I have running at https://status.highenergymagic.net. Entirely willing to accept entry-level job placements, no expectation of being paid a lot or anything, just want to be doing something and move the needle a little on my current "being broke" status. #fedihired #infosec #cybersecurity #linux #unix #docker #sre #DevOps #GetFediHired
Please boost for reach, any job offers please DM me.
This dumb password rule is from Unicaja.
Username is your national Spanish ID (easy to find).
Your password must be 6 characters long. You can't type, only select characters from the virtual keyboard
https://dumbpasswordrules.com/sites/unicaja/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
@briankrebs Breaking #infosec Electronic Frontier Foundation Announces Departure from X After Nearly 20 Years👏🏼 
RE: https://flipboard.com/@404media/404-media-qvt3vv94z/-/a-qoIXNx-4Q-i9Qb4-DwsX5A%3Aa%3A4082434389-%2F0
If you think there's any chance that law enforcement might ever be interested in the content of your Signal chats, and you don't want them to have access to them, then setting up disappearing messages is necessary but not sufficient. You also need to go into the Signal settings and either disable notifications completely or set them to show "No name or message" so the content won't be captured and preserved in the phone's notification database.
#infosec #privacy #OpSec "#antifa"
This dumb password rule is from Itaú Bank.
I know, it's in Spanish, let me translate this monstrosity for you.
- Allowed characters: letters A to Z uppercase or lowercase (ñ is not allowed), number 0 to 9, #, $, %, &, +, -, . :, ;, _.
- You must use 8 characters.
- The password must contain at least one letter and at least one number.
- ...
https://dumbpasswordrules.com/sites/itau-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Does this mean that you shall also stop using curl?
AFAIK Daniel doesn't care what is used to find bugs
https://mastodon.social/@bagder/116373716541500315
#curl #LLM #hallucinated #slop #AI #InfoSec #programming #technology
Oh boy…
https://edition.cnn.com/2026/04/08/china/china-supercomputer-hackers-hnk-intl
> A [cyberthreat actor] has allegedly stolen a massive trove of sensitive data – including highly classified defense documents and missile schematics – from a state-run Chinese supercomputer
> The dataset, which allegedly contains more than 10 petabytes of sensitive information, is believed by experts to have been obtained from the National Supercomputing Center (NSCC) in Tianjin
🧵
This dumb password rule is from Bank Millennium.
Passwords limited to 8 digits.
https://dumbpasswordrules.com/sites/bank-millennium/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
attention anybody with substantial experience with Rust and networking: my team is hiring!!
one of few rust jobs I'm aware of that is not web 3.0 horseplop.
fully remote (US timezones), good culture, good trans-inclusive healthcare, good work/life balance, and a nice defensive cybersecurity mission i can get behind.
feel free to reach out for more details and the job posting.
Attackers are impersonating a @linuxfoundation leader in Slack to target #opensource developers with a multi-stage attack that ends in malware delivery. @openssf issued a high-severity advisory.
More details and screenshots of the lure: https://socket.dev/blog/attackers-impersonating-linux-foundation-leaders-in-slack-targeting-oss-developers #infosec
#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost. 🤦
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch
This dumb password rule is from Inria.
This is the account for those who work at [Inria](https://www.inria.fr/) "the French national research institute for the digital sciences".
You have to wonder what's wrong with these special characters but not the other ones.
- Password expiration once a year
- Your password must contain at leas...
https://dumbpasswordrules.com/sites/inria/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Critical File Upload Vulnerability Reported in Ninja Forms Plugin for WordPress
A critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms – File Upload plugin (CVE-2026-0740) allows attackers to achieve remote code execution.
**If you are using the Ninja Forms File Upload plugin, this is urgent! Immediately update to version 3.3.27. You can't hide WordPress from the internet, it's made to be visible online. Since this flaw is being actively scanned for, any delay in patching leaves your site exposed to automated attacks. After the update, review server logs for suspicious requests targeting the handle_upload action.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-file-upload-vulnerability-in-ninja-forms-plugin-exposes-50000-wordpress-sites-j-m-6-0-i/gD2P6Ple2L
This dumb password rule is from Deutsche Kreditbank AG (DKB).
Passwords for the online banking web frontend do not have a max length constraint, but using the same password to log in to the official iOS DKB app requires the password to be no longer than 38 characters.
https://dumbpasswordrules.com/sites/deutsche-kreditbank-ag-dkb/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
one of my favorite google sheets features is when you are compiling lists of malicious actors email identifiers it pops up and says "hey, you mentioned blah@evil.com, but they don't have access to this sheet! would you like to give them access?"
Hello, world!
We are IFIN, the Independent Federated Intelligence Network, and we want to change how threat intelligence is done.
We believe we're all safer when we share what we know. Come learn more and join us!
2026 Lumen Defender Threatscape Report https://www.lumen.com/en-us/resources/2026-threat-intelligence-report.html
Betanews: GenAI being used to industrialize cybercrime https://betanews.com/article/genai-being-used-to-industrialize-cybercrime/ @betanews @iandbarker #infosec
This dumb password rule is from Air France.
- Between 8 to 12 characters
- Should contain capital, lowercase letters and numbers
https://dumbpasswordrules.com/sites/air-france/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Just so I understand this correctly...
We don't want machine generated vulnerability reports...
...so we can leave our #foss projects vulnerable to hackers who are not constrained by ideology in their sploits using #Ai ?
Yeah, that tracks with the current majority of #infosec "professionals" letting the Rome burn while they roast the marshmallows, feeling super pure and superior.
This dumb password rule is from MySwissLife.
User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.
https://dumbpasswordrules.com/sites/myswisslife/
#password #passwords #infosec #cybersecurity #dumbpasswordrules