I'm an iPhone dunce but my daughter's iPhone started sending weird messages to group texts earlier today. She was busy and not touching her phone at the time.

We checked the text threads in her messages app on the iPhone and they are not there. Multiple people on Android and iPhone devices received those messages, though.

We have reset all of her apple account credentials and logged out all devices and websites. Is there anything else I should be doing?

#infosec #iphone #apple

This dumb password rule is from LepidaID.

Password must:
- be 8 to 16 characters in length
- contain at least 1 upper-case character
- contain at least 1 lower-case character
- contain at least 1 number
- contain at least 1 non-alphanumeric character
- not contain more than 2 of the same consecutive characters
- not contain any public da...

https://dumbpasswordrules.com/sites/lepidaid/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Observation I’ve made in recent times: the push to get AI into every aspect of the business means that more companies are giving engineers who have never been exposed to business systems outside of regular user levels of access (think ms365, slack, google workspace, zendesk etc), api keys with deeper levels of access to data to “see what they can do” by chucking it at the AI.

Sadly, it seems, that a lot of the “seeing what they can do” involves hastily thrown together python scripts with said api keys embedded, alongside various chunks of sample data that are things like giant slack exports - which are now being stored in the open on public github repos.

I found one of these cases a few months ago and thought it might be a one off, but alas, I just found the fifth such example.

#infosec

This dumb password rule is from Copart.

Copart: "The security of our members is extremely important to us."
Also Copart: "We're gonna need you to keep your password between 5-10 characters."

https://dumbpasswordrules.com/sites/copart/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Trade Me.

Won't allow spaces or single quotes. Maybe other characters as well -
they do not say up front - but the password they accepted contained lots
of other special characters.

https://dumbpasswordrules.com/sites/trade-me/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from CGHS.

Can't use any special characters except @ $ # ? _ * &

https://dumbpasswordrules.com/sites/cghs/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from myezyaccess.com patient portal system.

12-character maximum password length. This is not a single website but a patient portal system used by hundreds of medical facilities via subdomains, with password policy apparently being consistent for all sites.

https://dumbpasswordrules.com/sites/myezyaccess-com-patient-portal-system/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from BBVA.

Username is your national ID (easy to find) and your password must have up to **6** alphanumeric characters only.
For a bank account with all your money in one of the largest financial institutions in the world.

https://dumbpasswordrules.com/sites/bbva/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Personally I don’t believe that AI will have a sudden, profound impact on companies from the defensive #infosec perspective, since a lot of companies are still considering establishing a committee to evaluate authorizing a project that looks at the cost risk benefit of disabling smbv1.

This dumb password rule is from Pole-Emploi.

Password must contain at least one letter, one number and one character from `&-_@*%=.,;:!?` only.
It rejected passwords generated by pass, while accepting `p@ssw0rd!`...
They also block pasting on the password confirmation field,
forcing you to manually type your 32-letters-long generated passwo...

https://dumbpasswordrules.com/sites/pole-emploi/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Indiana University silent on major security breach while dozens of services are down for weeks.

https://www.ipm.org/news/2025-07-04/administrator-says-iu-will-never-explain-it-security-breach-publicly?fbclid=IwY2xjawLVRjFleHRuA2FlbQIxMQABHkfpe_KACeX4r2kR7sWjWSMdr6ASrFltBVcS4xXAaIAtUBLiUuG7g8KXBR83_aem_tMrMLsvOTvB3sMFPwNz8qg

#iu #indiana #cybersecurity #security #infosec

This dumb password rule is from Mes Services Étudiant.

At least 6 characters, one uppercase letter, one lowercase letter, one digit
and one "special character".

These do not count as "special characters": `` + - = | @ " ' # ( ) [ ] { } < > / \ ` ;``.

https://dumbpasswordrules.com/sites/mes-services-etudiant/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Happy Intergalactic Infosec Day, to all those who celebrate.

#InfoSec #Movies #ID4

Alt...

Screenshot from the movie Independence Day (1996) showing a computer screen containing a window that reads "Uploading Virus" with a skull and crossbones logo and a nearly complete progress bar.

This dumb password rule is from South Western Railway.

Certain special characters disallowed, but notably the phrase " or " is disallowed also. They're probably papering over SQL injection vulnerabilities 🤦

https://dumbpasswordrules.com/sites/south-western-railway/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from American Express.

Sometimes I forget that caps-lock is on, glad it doesn't matter.

https://dumbpasswordrules.com/sites/american-express/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Sephora.

Password must be between 6 and 12 characters. No other rules
specified.

https://dumbpasswordrules.com/sites/sephora/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Parnassus Investments.

A site responsible for protecting your investments limiting you to a
four character range with a bunch of other stupid rules? Shocking.

https://dumbpasswordrules.com/sites/parnassus-investments/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

@briankrebs #infosec #microsoft #windows

Alt...

| ' Windows Has Panicked ~ J | my is A fatal fun exception has | | [1] ! ; : - | | © ¢ occurred ot OxCAFEBABE | | € Windows got confused and I | forgot what it was doing. [| | + SYSTEM CRASHED_BECAUSE_CAT_WALKED OH- l | KEYBOARD | * ERROR_COOE: BLUE_SCREEH_OF DERP | | If this is the first time you're seeing this stop error, | you're lucky. If this screen appears again, stop poking | things you don't understand. | ~ | Reboot suggestion: | | Press CTRL+ALT+0EL or offer Windows a snack. I (Chips recommended, cookies accepted, RAM appreciate.) | | Beginning mind wipe... [THN 42% |

This dumb password rule is from UniSuper.

Passwords need:
- a lower case letter
- a number
- a capital letter
- at least 8 characters

In the 'Change password' form,
passwords are now restricted to a `maxlength` of 18.

If your current password is longer than 18 characters,
you won't be able to change your password.
When I contacted them...

https://dumbpasswordrules.com/sites/unisuper/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from University of Texas at Austin.

Because of the last two rules, which ban dictionary words and any
variants using symbol substitutions, *neither* of the passwords
presented in the [xkcd comic](https://xkcd.com/936/) are allowed.

https://dumbpasswordrules.com/sites/university-of-texas-at-austin/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Does stumbling upon and reporting security or access control issues while applying for IT jobs help or hurt my cause?

Am I embarrassing them? I do not emit one iota of snark.

I guess I am out here alerting companies to web compromise, phishing portals they have hosted, and easily acquired access to internal "tech bible" & situational client interaction resources.

@briankrebs

#ITjobs #infosec #GetFediHired #JobSearch

This dumb password rule is from BMO Bank of Montreal.

Password requires at least one special character but disallows backtick ```, backslash `\`, vertical bar `|`, and underscore `_`.

https://dumbpasswordrules.com/sites/bmo-bank-of-montreal/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Fidelity National Information Services.

White label online banking provider. Typically appears as `BANK.ibanking-services.com` or `BANK.ebanking-services.com`. If your small local bank has a crappy online banking experience, these guys probably provide it.

`\<>'` and spaces prohibited, upper bound. Passwords of exactly the maximum len...

https://dumbpasswordrules.com/sites/fidelity-national-information-services/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Movies should mix in the actual stuff that we have to do in #infosec along with the exciting bits to set expectations accordingly.

“Quick, capture the handshake and spoof the path so you can redirect the flow to sniff the keys, then we can disarm the weapon!”

“Will do, but first I gotta create a custom permission set in Docusign so this guy can create templates but not be an admin.”

I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.

This is because for any sensible configuration of Google Groups when using it for email groups you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode, has the same problem of everyone being able to see all the messages.

Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.

Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However that isn't how anyone uses it in my experience...

#security #infosec #google #googleworkspace

Alt...

Screenshot of the default Google Group settings for team mode

Alt...

Screenshot of the default Google Group settings for public mode

This dumb password rule is from Mindware.

You "*may use special characters*", but only some of them - and we won't
necessarily tell you which ones.

https://dumbpasswordrules.com/sites/mindware/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Vietnam Airlines.

`[[:alnum:]]{6,8}`

https://dumbpasswordrules.com/sites/vietnam-airlines/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from BinckBank.

Between 10 and 16 letters and/or digits. No special characters are allowed.
Must be renewed at least every 180 days, but you can configure to let the password expire sooner.
When changing the password, the new password cannot be too similar to the existing password.

https://dumbpasswordrules.com/sites/binckbank/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Man, this seems really bad.

But at least our government isn’t pulling back on the #cybersecurity we need to protect this information!

Whew!

#CISA #infosec

https://www.npr.org/2025/06/29/nx-s1-5409608/citizenship-trump-privacy-voting-database

@thedoctor

That's funny, they didn't even chop it up into a bunch of smaller videos like a lot of platforms do nowadays.

Now that I think of it, the big commonality between physical security and #infosec is the incredibly flawed thinking that a product can GIVE you security.

This dumb password rule is from Cigna.

A max of 12 characters... Can't handle most symbols (only 5 supported). At least they have two factor auth via email or sms **sigh**

https://dumbpasswordrules.com/sites/cigna/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from LepidaID.

Password must:
- be 8 to 16 characters in length
- contain at least 1 upper-case character
- contain at least 1 lower-case character
- contain at least 1 number
- contain at least 1 non-alphanumeric character
- not contain more than 2 of the same consecutive characters
- not contain any public da...

https://dumbpasswordrules.com/sites/lepidaid/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from IHG.

4, yes 4, digits only.

https://dumbpasswordrules.com/sites/ihg/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Microsoft security advisories, posted yesterday, affecting six Chromium-based Edge vulnerabilities.

Microsoft security update guide: https://msrc.microsoft.com/update-guide #Microsoft #cybersecurity #infosec #Chromium

This dumb password rule is from Arlo.

Your password contains characters not listed. Therefore, they do not
match.

https://dumbpasswordrules.com/sites/arlo/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from EON.

By the time I'd finished reading the rules I've forgotten all of them.

https://dumbpasswordrules.com/sites/eon/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

For those playing along at home, just an observation that as of today:

breachforums[.]info

has spun up as new on DDoS-Guard, registered through Nicenic yesterday.

#infosec #threatintel