cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from LepidaID.
Password must:
- be 8 to 16 characters in length
- contain at least 1 upper-case character
- contain at least 1 lower-case character
- contain at least 1 number
- contain at least 1 non-alphanumeric character
- not contain more than 2 of the same consecutive characters
- not contain any public da...
https://dumbpasswordrules.com/sites/lepidaid/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
What the actual friggedy frig is this - GitHub has done a very stupid thing, and the underlying cause of this will SHOCK YOU, SHOCK YOU I SAY.
"A recent product change now allows users to stay connected to an enterprise once organization access is revoked. If a user is removed from all organizations in your enterprise, they will now remain in the enterprise as an “unaffiliated user” instead of being automatically removed."
And then it goes on to say, that rather than relying on the industry standard SCIM mechanism for access management, you now have to concoct code that talks to some GraphQL endpoint.
BUT WHAT IS THE RECENT PRODUCT CHANGE THAT DROVE SUCH BANANAS DECISION MAKING?!?!
"Manage Copilot and users via Enterprise Teams"
FUCKING COPILOT.
I'm old enough to remember the trustworthy computing memo. Nowadays, Microsoft burns that memo to feed its AI god that no one asked for about 780 times a day.
@jerry interesting take, for sure. I am an advocate for stopping password rotation, and you mentioned the research. The issue with your argument of password reuse (which I 100 % agree is a bigger issue than brute force) is that, if you allow weak rotated passwords (and in practice a lot of my company clients only enforce 8-10 chars), every password you rotate is equally bad.
So assuming my FB password 'donut2022' is leaked, by using 'donut20256' as my rotated work password (6th rotation) really does not improve the security of my work account, bc whoever will try to hack the account will have that rotation accounted for. The tools already include these tiny modifiers to passwords while trying to log in forcefully.
So for me, password rotation gives this false sense of security. Effort would be better spent teaching your employees to use longer (14+) passwords and, if necessary, a password manager.
This dumb password rule is from Costco.com.
Due to Costco's short max password length of 16 characters, I strongly recommend using a password manager to make a random password to satisfy all of these conditions below:
* Use between 8 and 16 characters
* Include at least one lowercase (a-z) and one uppercase letter (A-Z)
* Include at least ...
https://dumbpasswordrules.com/sites/costco-com/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Southwest.
Password must be between 8 and 16 characters in length and include at least one uppercase letter and one number. Certain special characters are also allowed, but the first character of the password must be alphanumeric.
https://dumbpasswordrules.com/sites/southwest/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Advanzia.
- Requires at least 6 to a maximum of 12 characters [sic!]
- Allows only digits and letters without umlauts
- Allows only specific special characters: ? ! $ € % & * _ = - + . , : ; / ( ) { } [ ] ~ @ #
- Allows no spaces
https://dumbpasswordrules.com/sites/advanzia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Red Hat.
Symbols. You keep using that word. I don't think it means what you think it means.
https://dumbpasswordrules.com/sites/red-hat/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Hmm. Crowdsec is installed in the cluster, but it really wants host path access? ok there has got to be another way to do this...
Okta issues:
"We are investigating issues with our authentication service that are causing intermittent login problems with OktaVerify. Our initial findings suggest a conflict related to a recently installed third-party patch. Our team is actively working to gather more details, and we will provide updates in the next 30 minutes."
https://status.okta.com/#incident/a9CKZ000000oMAj2AM
F5 patch?
This dumb password rule is from Whitcoulls.
Your password must:
- be between 7 and 15 characters
- contain a capital letter
- have no spaces (shown only when you go to change it)
https://dumbpasswordrules.com/sites/whitcoulls/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from A1.net.
- At least 8 and at most 16 characters
- At least 1 digit
- At least 1 uppercase letter
The password must not contain your first name, surname or username.
The allowed special characters are: ! @ # % ^ & * _.
https://dumbpasswordrules.com/sites/a1-net/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
a reminder that while several airports are refusing to play Kristi Noem’s propaganda videos, the RSA conference invited her to keynote.
something to bear in mind as you plan out where to spend your #infosec dollars…
This dumb password rule is from Vietnam Airlines.
`[[:alnum:]]{6,8}`
https://dumbpasswordrules.com/sites/vietnam-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
#TLDR: Quad9 will be discontinuing support within DNS-over-HTTPS (DOH) using HTTP/1.1 on December 15, 2025.
Mark your calendar 🗓️ and please share, especially if you know someone who will be affected!
Full story here 👉 https://quad9.net/news/blog/doh-http-1-1-retirement/
This dumb password rule is from Slovenska sporitelna.
Slovenska sporitelna is the biggest bank in Slovakia. Despite a pretty new version of the internet banking (rolled out in 2018), their password policy restricts passwords to at most 16 characters and prohibits any special characters.
https://dumbpasswordrules.com/sites/slovenska-sporitelna/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
A while back, I had the idea of creating a series of Information Security Stories that were aimed at both 'children and budget holders'. Anyway, I teamed up with my old friend from growing up who illustrated them. I never got round to making more than one episode, because life, but I'd like to share with you the one we did finish. Harry The Information Security Hero: Audit Time #infosec
This dumb password rule is from Afraid.org FreeDNS.
Password must be between 4 and 16 characters long
https://dumbpasswordrules.com/sites/afraid-org-freedns/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Inria.
This is the account for those who work at [Inria](https://www.inria.fr/) "the French national research institute for the digital sciences".
You have to wonder what's wrong with these special characters but not the other ones.
- Password expiration once a year
- Your password must contain at leas...
https://dumbpasswordrules.com/sites/inria/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Am I misunderstanding AGENTS.md or is it a horror show from a security perspective? It sure looks as though it’s literally inviting somebody to include commands that then get run by the computer without human interaction…
Pretty sure 5 years ago that would have been a CVE and packages pulled from registries. Now it’s just “normal development practices”?
This dumb password rule is from Wells Fargo.
Your password must be between 8-32 characters long and inexplicably doesn't accept `-` but does seemingly accept other special characters.
https://dumbpasswordrules.com/sites/wells-fargo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Microsoft (e company store).
Max of 16 characters, oh and please don't use any characters we don't know how to escape properly.
Also, if it starts with ? you may break our wonderful website. Watch out with your password generator.
Duplicated characters are far too insecure to allow here.
https://dumbpasswordrules.com/sites/microsoft-e-company-store/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Credit Union Australia (CUA) Health.
Password must be between 7 and 10 characters, contain both an uppercase and a lowercase letter and have at least one number.
https://dumbpasswordrules.com/sites/credit-union-australia-cua-health/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Charles Sturt University.
Prevents spaces and a set list of characters, limits to 30 characters and can only change your password twice per day.
https://dumbpasswordrules.com/sites/charles-sturt-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from LCL.
You have to enter your 6-digit password using this Frenchy keypad.
https://dumbpasswordrules.com/sites/lcl/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
THIS NEEDS TO BE A THING:
Fingerprint login for your phone, that, when a pre-selected finger is used, completely wipes the phone.
By some miracle, @catbailey hasn't yet lost the storage with her kid's inheritance. However, it is still expected to go up for auction in a couple of days. (It surprises me because in my dealings with self-storage, if they can't get your money then they can't get rid of your stuff fast enough. And then they still demand that you pay for whatever expenses the auction doesn't cover.)
It will cost Cat $781.60, right now, to bring the storage rents on this unit current. Perhaps less if she were able to clear it out but that requires people, either to volunteer, or to hire (for which she has no money, so someone would need to do it on her behalf), and a large truck/van.
Hopefully the other storage unit also has not yet been auctioned off. That one is in a different location, though.
The things in storage, if they have to be removed, will have to be stored somewhere else for the time being and that is an additional expense that needs to be covered.
And then there is the car, which has missed another payment. It requires at least $2800 to bring that current, and then there's some insurance, fees, and fines that have been added on top of that. And some worrying stuff, such as the car being driven around by someone else while it is supposed to be in storage, is occurring. It has to return to her care before something else happens to it.
All told, around $3500 is needed right now.
These are above the usual living expenses and do not include other expenses that creditors have deferred for the time being.
Cat is considering something that is highly dangerous to her and her family just to have some money for survival. It should not be necessary to go to such extremes.
It's like a death by a thousand cuts. It doesn't have to be this way. Not at all.
Please help her and her family. And if you're hiring, know of someone who is, please DM Cat! She is actively hunting and applying for work.
All help is tremendously appreciated! And a huge thank you, on Cat's behalf, for all you who are helping!
GoFundMe: https://www.gofundme.com/f/aid-for-cat-and-her-kids-in-crisis?lang=en_US
PayPal: https://paypal.me/catalystediting
Venmo: @BlackCatHackers
CashApp: $BlackCatOps
#MutualAid #MutualAidRequest #Infosec #InfosecFamily #HelpCatAndCo
This dumb password rule is from Wells Fargo Identity Theft Protection.
Your password on an Identity Theft Protection service is limited to between 8 and 20 characters. Your username is allowed to be longer than your password.
https://dumbpasswordrules.com/sites/wells-fargo-identity-theft-protection/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I know I’ve mentioned it before, but the most effective way to get any sort of priv escalation or additional access as part of an internal pen test, where you have a “low level” employee account, is to go to the org’s SharePoint and search all files for “password”.
95% of the time you will find improperly stored creds that’ll get you to new places, EDR be damned.
This dumb password rule is from HSA Bank.
- Must be minimum 12 characters
- Must not be one of user's past 5 passwords
- Must contain uppercase and lowercase letters
- Must contain a number
- Must not be the same as user's account number or login/username
But also...
- Cannot be longer than 20 characters
https://dumbpasswordrules.com/sites/hsa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from University of Western Australia (Pheme).
Passwords:
1. Must contain at least 8 characters;
2. Must contain at least 3 out of 4 types of characters (uppercase letters, lowercase letters, digits, special characters); and
3. Must not contain "the user's account name or parts of the user's full name that exceed two consecutive characters".
...
https://dumbpasswordrules.com/sites/university-of-western-australia-pheme/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
ICE now owns roving vans with integrated cell site simulators
for commentary on this breaking news, I turn to my recently-made friend Ray Hunter
Luckily everyone else can too!
https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
This dumb password rule is from IBM TSO/E Logon terminal.
It might not be a web site, but that does not make it less dumb.
Since many don't know about IBM mainframes, it seems they don't think you need to up the policies.
Default old password policy is: 6-8 characters long, A-Z, 0-9
Over the last few years they have updated their policies a bit, but d...
https://dumbpasswordrules.com/sites/ibm-tso-e-logon-terminal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
We have a company that we use for third-party penetration testing and they are fantastic. But best practices says you should rotate between a few different companies since each company will have a slightly different methodology.
It has come to our attention that many, many companies, even huge best-of-breed companies, are simply running a big ol' vulnerability scan and calling it a Pen Test. Even companies that used to do actual Penetration Testing are doing this. It's enshittification. There is no other word for it.
So here is my ask: what penetration testing companies do you know of that still do actual penetration testing and have a track record of being "good at their job"?
I'm not talking about Red Teaming, just Penetration Testing.
So we provide a list of IP addresses, FQDNs, and websites, then they find the vulnerabilities and verify that they exist and are real. Then they risk rank them using human intelligence and conversations with us about mitigating controls and produce a report that isn't just a 300 page spreadsheet.
#InfoSec #InformationSecurity #PenetrationTesting #PenTesting
Passkeys aren't scary - passwords are. Let's bust some security myths | PCWorld
Passkeys are the informal name for the WebAuthn standard for authentication. It relies on asymmetrical encryption (aka public-key cryptography). When you create a passkey, a public-private key pair is generated. The website gets the public key. You own the private key, which remains secret. It facilitates the authentication process, but it’s never directly shared for the verification process to complete. Nor can it be extrapolated from the public key.
This is a really nice primer for how passkeys work and how they are different from passwords.
NGINX has a variable named `$ssl_curve` & since the curve is what differs when using post-quantum crypto, I checked it would hold the PQC KM value so we can log it & determine when PQC is used.
Turns out that when the curve in play is the PQC KM which Chrome & Firefox support (`X25519MLKEM768`), the value of `$ssl_curve` is `0x11ec` which is the raw/internal curve name/ID.
Slightly frustrating but at least it differentiates PQC from normal KM.
https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html#name-x25519mlkem768
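One way to turn the observation above into something countable, as an added example that is not the poster's configuration: an NGINX `map` that classifies `$ssl_curve` (available since NGINX 1.21.5, which shows unknown groups as a hex ID, exactly the `0x11ec` the post reports) into a label that goes into a custom access log. The variable name `$kex_class`, the log format name `kex` and the log path are my own choices; matching the textual name as well is an assumption, for builds whose TLS library reports `X25519MLKEM768` by name.

```nginx
# Added example, not from the original post. Goes in the http {} context.
# Classify the negotiated key-exchange group reported by $ssl_curve so that
# post-quantum hybrid handshakes can be counted from the access log.
map $ssl_curve $kex_class {
    default           "classical";
    ""                "none";        # no ECDHE group (plain HTTP, RSA kex, or resumed session)
    "0x11ec"          "pqc-hybrid";  # raw ID for X25519MLKEM768, as observed in the post
    "X25519MLKEM768"  "pqc-hybrid";  # assumption: libraries that report the group by name
}

# Log protocol, raw group and our label side by side so the mapping can be audited.
log_format kex '$remote_addr [$time_local] "$request" '
               'proto=$ssl_protocol curve=$ssl_curve class=$kex_class';

server {
    listen 443 ssl;
    server_name example.invalid;               # placeholder host name

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    access_log /var/log/nginx/kex.log kex;
}
```

Once traffic has accumulated, the share of PQC handshakes is a simple `grep -c 'class=pqc-hybrid' /var/log/nginx/kex.log` against the total line count; seeing `curve=` empty on `class=none` lines tells you whether resumed sessions are skewing the ratio.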
This dumb password rule is from Microsoft (work accounts).
What doesn't seem to be a problem for personal accounts, is for work accounts from Microsoft (e.g. Office 365 etc.).
Maximum 16 characters. So forget about using your new fancy diceware password here - or really any secure passwords in general.
Oh - and besides that, please don't use any "exoti...
https://dumbpasswordrules.com/sites/microsoft-work-accounts/
#password #passwords #infosec #cybersecurity #dumbpasswordrules