cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Site description: Cablespaghetti's personal snac instance
Admin email: sam@cablespaghetti.dev
Admin account: @sam@cablespaghetti.dev

Search results for tag #infosec

[?]Dumb Password Rules » 🤖 🌐
@dumbpasswordrules@infosec.exchange

This dumb password rule is from Bank of America.

20 character max and lots of special character restrictions.
Bank of America - keeping your money safe.

Also: If you paste a password greater than 20 characters,
the form truncates it without telling you or giving an
error.

dumbpasswordrules.com/sites/ba

    [?]Dumb Password Rules » 🤖 🌐
    @dumbpasswordrules@infosec.exchange

    This dumb password rule is from Trenord.

    - Password must consist of 8-16 characters
    - Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.

    dumbpasswordrules.com/sites/tr

      [?]Andrey [0xdc, 0x09]; [any/they/he] » 🌐
      @darkcat09@gts.dc09.xyz

      Hey fedi :neocat_floof:
      Does anyone know a good opensource firewall for a Linux server with an admin panel in web or tui?

      I want to see recent tcp & udp connections, preferably some info about their contents (e.g. compute JA4 fingerprint for TLS, extract domain from DNS request) and be able to immediately block by source/dest IP subnet, ASN, geoip, maybe even by JA4.

      I guess I can just google it but I want to hear your recommendations. A firewall is high-privileged software that has to be trusted anyway.

      Thank you :neocat_heart:

      #askfedi #linux #selfhosted #infosec #firewall

        [?]Dumb Password Rules » 🤖 🌐
        @dumbpasswordrules@infosec.exchange

        This dumb password rule is from Safeway.

        Passwords limited to 8-12 characters.

        dumbpasswordrules.com/sites/sa

          [?]AmmarSpaces » 🌐
          @AmmarSpaces@infosec.exchange

          How does Apple's Lockdown Mode work and protect you from spyware?

          This video shows you how

          Credit: @bellis1000

          youtube.com/watch?v=5D3lWDUEJA8

            [?]Dumb Password Rules » 🤖 🌐
            @dumbpasswordrules@infosec.exchange

            This dumb password rule is from Green Flag.

            - 8 to 10 characters
            - No special characters

            dumbpasswordrules.com/sites/gr

              [?]Michał "rysiek" Woźniak · 🇺🇦 » 🌐
              @rysiek@mstdn.social

              There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.

              Not any more!

              Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
              github.com/jgamblin/OpenClawCV

              Bam! RCE by asking nicely.

              🧵

                [?]Graham Perrin » 🌐
                @grahamperrin@mastodon.bsd.cafe

                @nielsa no, that's not what I'm telling you.

                I prefer to believe that most people will be thoughtful.

                "… a huge number of bugs. I have so many bugs in the Linux kernel that I can't report because I haven't validated them yet. I'm not going to make some open source developer validate bugs that I haven't checked yet. I'm not going to send them potential slop … I now have … several hundred crashes that they haven't seen because I haven't had time to check them. We need to find a way to fix this …"

                – Nicholas Carlini

                Screenshot: a frame from https://www.youtube.com/watch?v=1sd26pWhfmg


                  [?]Dumb Password Rules » 🤖 🌐
                  @dumbpasswordrules@infosec.exchange

                  This dumb password rule is from State Bank of India (Foreign Travel Card).

                  State Bank of India is the largest government operated bank in India.
                  They offer "travel" prepaid cards for foreign currencies, this is for
                  their portal for the prepaid card users to manage their account.

                  Your password must:
                  - Be between 8 and 9 characters long
                  - Contain at least 1 lowercase c...

                  dumbpasswordrules.com/sites/st

                    [?]Dumb Password Rules » 🤖 🌐
                    @dumbpasswordrules@infosec.exchange

                    This dumb password rule is from Paytm.

                    Password must be between 5 and 15 characters. Also, spaces don't count
                    as characters.

                    dumbpasswordrules.com/sites/pa

                      Ivor Hewitt boosted

                      [?]Mark Wyner Won’t Comply :vm: » 🌐
                      @markwyner@mas.to

                      WARNING: LinkedIn has your profile. They have more from illegally spying on you.

                      “LinkedIn started injecting malicious code into the browsers of their users, without their knowledge or their consent. At the time of writing, this code downloads a list of 6,222 software products and brute-forces the detection of each one.”

                      More info:
                      browsergate.eu/executive-summa

                      What you can do:
                      browsergate.eu/take-action/

                      🧵 1/2

                      Emulation of the LinkedIn logo, changed to read “unauthorized.”


                        [?]Dumb Password Rules » 🤖 🌐
                        @dumbpasswordrules@infosec.exchange

                        This dumb password rule is from LINE.

                        Password must:
                        - be between 8 to 20 characters
                        - not contain characters that repeat in a row
                        Password must contain three of the following:
                        - an upper-case letter
                        - a lower-case letter
                        - a number
                        - a symbol

                        dumbpasswordrules.com/sites/li

                          [?]Jonathan Kamens 86 47 » 🌐
                          @jik@federate.social

                          This is my second "holy shit" of the day.
                          Apparently it is silently collecting data on every extension you use every time you visit the site. Which it then uploads, with your identity attached to it.
                          This is absolutely horrifying. Literally, people should go to jail over this.

                          browsergate.eu/

                            Paco Hope boosted

                            [?]Metin Seven 🎨 » 🌐
                            @metin@graphics.social

                            [?]Dumb Password Rules » 🤖 🌐
                            @dumbpasswordrules@infosec.exchange

                            This dumb password rule is from Telekom.

                            At first glance, their policy looks good - sure, the upper limit was chosen without necessity
                            and they enforce characters from all four groups, but your password manager will most likely come up with something suitable.

                            The website even tells you how 'wunderbar' your new password is - only to t...

                            dumbpasswordrules.com/sites/te

                              mle✨ boosted

                              [?]mle✨ » 🌐
                              @mle@infosec.exchange

                              Last summer I looked at the Internet exposure of a few devices that have historically been the subject of attacks by Iranian threat actors. Given continued activity in the region, I refreshed that data and took another look at exposures.

                              Good news: all four device/software types showed at least a slight decrease in exposures since last June, even if we aren't entirely sure why.

                              More details + graphs here: censys.com/blog/ics-iran-part-

                                [?]Dumb Password Rules » 🤖 🌐
                                @dumbpasswordrules@infosec.exchange

                                This dumb password rule is from Alipay.

                                - 8-20 characters (numbers or letters)
                                - no special characters allowed
                                - in the mobile app

                                dumbpasswordrules.com/sites/al

                                  Aral Balkan boosted

                                  [?]Julian Oliver » 🌐
                                  @JulianOliver@mastodon.social

                                  NodeJS, for all the brilliant projects out there leaning on it, has a supply chain that might as well run the length of a dark alley permanently at 2am in the club district.

                                  thehackernews.com/2026/03/axio

                                  Anyway, hope none of you good people are affected by this latest pox

                                    [?]Paco Hope [He/Him] » 🌐
                                    @paco@infosec.exchange

                                    We can quit and just go farm potatoes or something. After 25 years, one of the most talked-about tech companies invents a daemon process that

                                    makes use of a file-based “memory system” designed to allow for persistent operation across user sessions.

                                    Sure. Just store your system instructions in a random text file.

                                    Why are we installing endpoint protection on this system?

                                    Why do we verify cryptographic signatures on software updates to this system?

                                    Why are we building a zero trust security environment?

                                    Why do we scan email to avoid social engineering emails?

                                    Our AI-assisted users are gonna YOLO right past all that. And if they can’t get past our controls, this agentic Frankenstein will write itself some markdown and work quietly in the background figuring out how to bypass something the user couldn’t bypass on their own.

                                    This is in 2026

                                      [?]GAYINT :yassquatch: » 🌐
                                      @gayint@infosec.exchange

                                      Please don't call us sellouts [SENSITIVE CONTENT]

                                      GAYINT is excited to announce that we have been acquired by The Onion. In a time where the news is what it is, The Onion is having difficulties satirizing it beyond reality. As such, they are now pivoting from America's finest news source to becoming America's finest threat intel source.

                                      Given that both The Onion and GAYINT started as shitposts that accidentally got out of hand, this partnership only makes sense and we look forward to the resources an outfit like The Onion can provide.

                                      When asked to comment, GAYINT CEO John Mastodon replied from his new private jet "lol. lmao even."

                                        [?]Dumb Password Rules » 🤖 🌐
                                        @dumbpasswordrules@infosec.exchange

                                        This dumb password rule is from E-Redes.

                                        Portuguese power distribution company, which requires short passwords (10 to 15 characters), no repetition of the same character, not using the username, the word "PASS" or the word "SAP" in the password, and limiting which special characters can be used.

                                        dumbpasswordrules.com/sites/e-

                                          [?]Fedora Project » 🌐
                                          @fedora@fosstodon.org

                                          TLS and SSH rely on Certificate Authorities (CAs) for authentication, but they also present a vector for Man in the Middle attacks. What if you could set up your own CA to reduce your exposure?

                                          ➡️ fedoramagazine.org/make-a-priv

                                            Chewie boosted

                                            [?]TechnoTenshi :verified_trans: :Fire_Lesbian: [She/Her] » 🌐
                                            @technotenshi@infosec.exchange

                                            The FTC said OkCupid and Match shared nearly 3 million user photos with Clarifai in 2014, along with location and demographic data, without telling users or offering an opt-out. The proposed settlement, filed in federal court, includes no financial penalty and no admission of wrongdoing. It would permanently bar OkCupid and Match from misrepresenting how they collect, use, share, delete, or protect personal data and privacy controls.

                                            arstechnica.com/tech-policy/20

                                              Chewie boosted

                                              [?]Jonathan Kamens 86 47 » 🌐
                                              @jik@federate.social

                                              This is alarming but not surprising:
                                              forbes.com/sites/the-wiretap/2
                                              TLDR If you access multiple Google accounts from the same device, and the cops know about one of the accounts and ask Google the right questions, Google will tell the cops about the other accounts.
                                              The general lesson here is one we already know: if you have any sort of account you don't want linked to you, you can't ever access it from a device or network connection you use other accounts on.
                                              Caveat usor.

                                                [?]Dumb Password Rules » 🤖 🌐
                                                @dumbpasswordrules@infosec.exchange

                                                This dumb password rule is from BMW ConnectedDrive.

                                                Although the prompt suggests good things, after many failed attempts to
                                                set a new password, it turns out you can ONLY use the special characters
                                                shown in the prompt

                                                dumbpasswordrules.com/sites/bm

                                                  [?]Paul Chambers🚧 » 🌐
                                                  @paul@oldfriends.live

                                                  Another round of scammers. Beware of Scammers Claiming to be Ohio Bureau of Motor Vehicles texting you saying you owe a ticket and to pay or lose your license immediately. This was really bad in the summer of 2025.

                                                  The Bureau of Motor Vehicles (BMV) has received reports of a possible texting scam being perpetrated on Ohioans today from scammers claiming to be from the State of Ohio.

                                                  Residents have reported receiving text messages from scammers informing the recipients that they have an outstanding parking ticket. The text then instructs the recipient to pay immediately to avoid a license suspension. This particular scam is a phishing attempt that is being reported by drivers nationwide and is designed to trick residents into giving up personal or financial information.

                                                  “If you receive this text, do not fall for this scam,” said Ohio BMV Registrar Charlie Norman. “Do not click any links, do not scan the QR code, and immediately delete the text. Ohio BMV will never send you a text demanding payment or requesting your personal information.”

                                                  For Immediate Release: March 6, 2026

scam image
Beware of Scammers Claiming to be Ohio Bureau of Motor Vehicles
(COLUMBUS, Ohio) – The Ohio Bureau of Motor Vehicles (BMV) has received reports of a possible texting scam being perpetrated on Ohioans today from scammers claiming to be from the State of Ohio.

                                                    [?]Dumb Password Rules » 🤖 🌐
                                                    @dumbpasswordrules@infosec.exchange

                                                    This dumb password rule is from Vistara.

                                                    Password must contain:
                                                    - 8 to 12 Characters.
                                                    - At least one lowercase and uppercase letter.
                                                    - At least one numeric character.
                                                    - At least one special character (!, @, #, $, %, %, ^, &, +, =).

                                                    Must not contain space, first or last name.

                                                    dumbpasswordrules.com/sites/vi

                                                      [?]Neil Craig [He/Him] » 🌐
                                                      @tdp_org@mastodon.social

                                                      "...two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4...[which installs] a `postinstall` script that acts as a cross platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux"

                                                      My `package.json` files across 4 projects:
                                                      ```
                                                      "axios": "1.14.0"
                                                      ```

                                                      stepsecurity.io/blog/axios-com

                                                      Screenshot of the film Snatch.
Vinnie Jones' character is holding a gun and standing over a man who's cowering in fear against a wall.
The gun has just failed to work when Jones tried to shoot the man. 
Jones says "You lucky bastard" and walks away.

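As an added example (not code from the post above or from the axios project), a small scanner that reports whether a package.json range would admit either malicious version named in the post, and whether a package-lock.json has actually installed one. The semver matching is deliberately minimal, and the sample manifest and lockfile are constructed.

```python
"""Check package.json / package-lock.json for the two malicious axios
releases named in the post (axios@1.14.1 and axios@0.30.4).

An exact pin such as "1.14.0" is safe only because it is exact; a caret
range such as "^1.14.0" admits 1.14.1 on the next install, so the lockfile
is what tells you whether the bad release is actually present.
"""
import json
import re

# Versions named in the post; everything else here is generic tooling.
MALICIOUS = {"axios": {"1.14.1", "0.30.4"}}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse(version):
    """'1.14.0' -> (1, 14, 0); raises on anything that is not x.y.z."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(x) for x in m.groups())


def range_admits(spec, version):
    """Minimal semver: exact pins, '=', '~' (patch bumps) and '^'
    (compatible bumps, with the 0.x.y rule). Anything else (||, >=, *, x)
    is treated conservatively as admitting the version."""
    spec = spec.strip()
    v = parse(version)
    if spec in ("", "*", "latest") or any(c in spec for c in "|>< x"):
        return True
    if spec.startswith("^"):
        base = parse(spec[1:])
        if base[0] > 0:
            return v[0] == base[0] and v >= base
        if base[1] > 0:
            return v[:2] == base[:2] and v >= base
        return v == base
    if spec.startswith("~"):
        base = parse(spec[1:])
        return v[:2] == base[:2] and v >= base
    return v == parse(spec.lstrip("="))


def scan_package_json(text):
    """Return (section, name, spec, bad_version) for every declared range
    that would let npm resolve to a malicious version."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            for bad in sorted(MALICIOUS.get(name, ())):
                if range_admits(spec, bad):
                    findings.append((section, name, spec, bad))
    return findings


def scan_lockfile(text):
    """Return (path, version) for installed packages that ARE a malicious
    version. Handles lockfileVersion 2/3 'packages' (keys like
    node_modules/foo/node_modules/axios) and the older 'dependencies' tree."""
    data = json.loads(text)
    hits = []
    for path, meta in data.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in MALICIOUS.get(name, ()):
            hits.append((path, meta["version"]))

    def walk(deps, prefix):
        for name, meta in deps.items():
            if meta.get("version") in MALICIOUS.get(name, ()):
                hits.append((prefix + name, meta["version"]))
            walk(meta.get("dependencies", {}), prefix + name + "/")

    walk(data.get("dependencies", {}), "")
    return hits


# Constructed sample inputs: the exact pin is fine, the caret range is not,
# and a transitive copy of axios has pulled in the bad 1.14.1 release.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"axios": "1.14.0", "express": "^4.19.0"},
    "devDependencies": {"axios": "^0.30.0"},
})
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/axios": {"version": "1.14.0"},
        "node_modules/some-tool/node_modules/axios": {"version": "1.14.1"},
    },
})

if __name__ == "__main__":
    print("ranges admitting a bad version:", scan_package_json(SAMPLE_PACKAGE_JSON))
    print("bad versions actually installed:", scan_lockfile(SAMPLE_LOCKFILE))
```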

                                                        [?]Dumb Password Rules » 🤖 🌐
                                                        @dumbpasswordrules@infosec.exchange

                                                        This dumb password rule is from Battle.net.

                                                        8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too. Oh, and passwords are NOT case sensitive.
                                                        A real time travel adventure through the password rules of 2005!

                                                        dumbpasswordrules.com/sites/ba

                                                          Chewie boosted

                                                          [?]MissConstrue [She/Her (Crone Extraordinaire)] » 🌐
                                                          @MissConstrue@mefi.social

                                                          blog.thereallo.dev/blog/decomp

                                                          Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:

                                                          - Inject JavaScript into every website you open
                                                          - Has a full GPS tracking pipeline always on.
                                                          - Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.
                                                          - Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
                                                          - Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
                                                          - Has no certificate pinning.
                                                          - Ships with dev artifacts in production.
                                                          - Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation

                                                            6 ★ 2 ↺
                                                            Mike Sheward boosted

                                                            [?]sam » 🌐
                                                            @sam@cablespaghetti.dev

                                                            Fediverse, I have a rant I need to get off my chest. Groups in Google Workspace is a security nightmare and has been for years! Why has Google STILL not fixed the glaring problems!?

                                                            I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.

                                                            This is because for any sensible configuration of Google Groups when using it for email groups you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode has the same problem of everyone being able to see all the messages.

                                                            Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.

                                                            Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However that isn't how anyone uses it in my experience...


                                                            Screenshot of the default Google Group settings for team mode


                                                            Screenshot of the default Google Group settings for public mode
