cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from Paytm.
Password must be between 5 and 15 characters. Also, spaces don't count as characters.
https://dumbpasswordrules.com/sites/paytm/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
WARNING: LinkedIn has your profile. They have more from illegally spying on you.
“LinkedIn started injecting malicious code into the browsers of their users, without their knowledge or their consent. At the time of writing, this code downloads a list of 6,222 software products and brute-forces the detection of each one.”
More info:
https://browsergate.eu/executive-summary/
What you can do:
https://browsergate.eu/take-action/
🧵 1/2
#BrowserGate #LinkedIn #InfoSec #OpSec #Privacy #Crime #YouAreTheProduct #Microsoft
This dumb password rule is from LINE.
Password must:
- be between 8 to 20 characters
- not contain characters that repeat in a row
Password must contain three of the following:
- an upper-case letter
- a lower-case letter
- a number
- a symbol
https://dumbpasswordrules.com/sites/line/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This is my second "holy shit" of the day.
Apparently #LinkedIn is silently collecting data on every extension you use every time you visit the site. Which it then uploads, with your identity attached to it.
This is absolutely horrifying. Literally, people should go to jail over this.
#infosec #privacy
https://browsergate.eu/
LinkedIn Is Illegally Searching Your Computer
#tech #technology #BigTech #IT #enshittification #microslop #microsoft #LinkedIn #social #media #SocialMedia #data #security #safety #InfoSec #internet #web
This dumb password rule is from Telekom.
At first glance, their policy looks good - sure, the upper limit was chosen without necessity and they enforce characters from all four groups, but your password manager will most likely come up with something suitable.
The website even tells you how 'wunderbar' your new password is - only to t...
https://dumbpasswordrules.com/sites/telekom/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Last summer I looked at the Internet exposure of a few #ICS devices that have historically been the subject of attacks by Iranian threat actors. Given continued activity in the region, I refreshed that data and took another look at exposures.
Good news: all four device/software types showed at least a slight decrease in exposures since last June, even if we aren't entirely sure why.
More details + graphs here: https://censys.com/blog/ics-iran-part-2-revisiting-exposure-of-previously-targeted-ics-devices/
This dumb password rule is from Alipay.
- 8-20 characters (numbers or letters)
- no special characters allowed
- in the mobile app
https://dumbpasswordrules.com/sites/alipay/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
NodeJS, for all the brilliant projects out there leaning on it, has a supply chain that might as well run the length of a dark alley permanently at 2am in the club district.
https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
Anyway, hope none of you good people are affected by this latest pox
Watching the livestream of the Artemis II launch, I just witnessed one of the astronauts type in the password on their tablet while sitting in the capsule on camera.
#ArtemisII #Artemis #Artemis2 #NASA #InfoSec #cybersecurity #OpSec #Privacy #SpaceExploration
We can quit #cybersecurity and just go farm potatoes or something. After 25 years of #appsec one of the most talked-about tech companies invents a daemon process that makes use of a file-based “memory system” designed to allow for persistent operation across user sessions.
Sure. Just store your system instructions in a random text file.
Why are we installing endpoint protection on this system?
Why do we verify cryptographic signatures on software updates to this system?
Why are we building a zero trust security environment?
Why do we scan email to avoid social engineering emails?
Our AI-assisted users are gonna YOLO right past all that. And if they can’t get past our #security controls, this agentic Frankenstein will write itself some markdown and work quietly in the background figuring out how to bypass something the user couldn’t bypass on their own.
This is #infosec in 2026
GAYINT is excited to announce that we have been acquired by The Onion. In a time where the news is what it is, The Onion is having difficulties satirizing it beyond reality. As such, they are now pivoting from America's finest news source to becoming America's finest threat intel source.
Given that both The Onion and GAYINT started as shitposts that accidentally got out of hand, this partnership only makes sense and we look forward to the resources an outfit like The Onion can provide.
When asked to comment, GAYINT CEO John Mastodon replied from his new private jet "lol. lmao even."
This dumb password rule is from E-Redes.
Portuguese power distribution company, which requires short passwords (10 to 15 characters), no repetition of the same character, not using the username, the word "PASS" or the word "SAP" in the password, and limiting which special characters can be used.
https://dumbpasswordrules.com/sites/e-redes/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
TLS and SSH rely on Certificate Authorities (CAs) for authentication, but they also present a vector for Man in the Middle attacks. What if you could set up your own CA to reduce your exposure?
➡️ https://fedoramagazine.org/make-a-private-ca-with-step-ca/
This is alarming but not surprising:
https://www.forbes.com/sites/the-wiretap/2026/03/24/google-cookies-help-cops-identify-anonymous-users/
TLDR If you access multiple Google accounts from the same device, and the cops know about one of the accounts and ask Google the right questions, Google will tell the cops about the other accounts.
The general lesson here is one we already know: if you have any sort of account you don't want linked to you, you can't ever access it from a device or network connection you use other accounts on.
Caveat usor.
#infosec #OpSec #Google
This dumb password rule is from BMW ConnectedDrive.
Although the prompt suggests good things, after many failed attempts to set a new password, it turns out you can ONLY use the special characters shown in the prompt.
https://dumbpasswordrules.com/sites/bmw-connecteddrive/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Another round of scammers. Beware of scammers claiming to be the Ohio Bureau of Motor Vehicles, texting you to say you owe a ticket and must pay or lose your license immediately. #Phishing #Infosec #Scam The #Scam was really bad in the summer of 2025.
The #Ohio Bureau of Motor Vehicles (BMV) has received reports of a possible texting scam being perpetrated on Ohioans today from scammers claiming to be from the State of Ohio.
Residents have reported receiving text messages from scammers informing the recipients that they have an outstanding parking ticket. The text then instructs the recipient to pay immediately to avoid a license suspension. This particular scam is a phishing attempt that is being reported by drivers nationwide and is designed to trick residents into giving up personal or financial information.
“If you receive this text, do not fall for this scam,” said Ohio BMV Registrar Charlie Norman. “Do not click any links, do not scan the QR code, and immediately delete the text. Ohio BMV will never send you a text demanding payment or requesting your personal information.”
This dumb password rule is from Vistara.
Password must contain:
- 8 to 12 Characters.
- At least one lowercase and uppercase letter.
- At least one numeric character.
- At least one special character (!, @, #, $, %, %, ^, &, +, =).
Must not contain space, first or last name.
https://dumbpasswordrules.com/sites/vistara/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
"...two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4...[which installs] a `postinstall` script that acts as a cross platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux"
My `package.json` files across 4 projects:
```json
"axios": "1.14.0"
```
#NPM #axios maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.
NPM has pulled the affected versions and the payload. Time to clean up and see if you were affected.
StepSecurity has an awesome write up on this issue with #iocs
Link follows this toot.
#CTI #infosec #node #cybersecurity #security #nodejs #js #malware
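A quick way to check whether a project pulled one of the two versions named above, as an added example that is not code from the posts, from axios, or from the StepSecurity write-up: it walks a package-lock.json in the lockfile v2/v3 `packages` layout (which also records `hasInstallScript` for packages that run lifecycle scripts) and reports both compromised axios pins and every package that would have executed a `postinstall` during install. The lockfile here is constructed inline for the demo; the version set is the one named in the post.

```python
import json

# Versions named in the post; everything else about this block is an assumption.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
}


def package_name(path):
    """Map a lockfile entry path to its package name.

    'node_modules/axios'                    -> 'axios'
    'node_modules/foo/node_modules/@s/bar'  -> '@s/bar'
    """
    return path.rsplit("node_modules/", 1)[-1]


def audit_lock(lock_text):
    """Return compromised pins and install-script packages found in a lockfile."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("expected lockfileVersion 2 or 3 ('packages' layout)")
    compromised = []
    install_scripts = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # the root project entry has no package path
            continue
        name = package_name(path)
        version = entry.get("version")
        if version in COMPROMISED.get(name, set()):
            compromised.append((name, version, path))
        # npm sets this flag when a package declares preinstall/install/postinstall
        if entry.get("hasInstallScript"):
            install_scripts.append((name, version, path))
    return {"compromised": compromised, "install_scripts": install_scripts}


# Constructed lockfile for the demo: a caret range that floated onto the bad
# version, plus one native module that legitimately runs a build script.
SAMPLE_LOCK = json.dumps({
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0", "bcrypt": "^5.1.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
            "hasInstallScript": True,
        },
        "node_modules/bcrypt": {"version": "5.1.1", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
})

if __name__ == "__main__":
    report = audit_lock(SAMPLE_LOCK)
    for name, version, path in report["compromised"]:
        print(f"COMPROMISED {name}@{version} at {path}")
    for name, version, path in report["install_scripts"]:
        print(f"install script: {name}@{version} at {path}")
```

On a real tree, `npm ls axios` shows the resolved version, and `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps lifecycle scripts from running at install time at all. The exact pin `"1.14.0"` in the earlier post is what stops a caret range such as `^1.14.0` from floating onto 1.14.1.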
This dumb password rule is from Battle.net.
8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too. Oh, and passwords are NOT case sensitive.
A real time travel adventure through the password rules of 2005!
https://dumbpasswordrules.com/sites/battle-net/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
https://blog.thereallo.dev/blog/decompiling-the-white-house-app
Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:
- Injects JavaScript into every website you open.
- Has a full GPS tracking pipeline always on.
- Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.
- Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
- Sends email addresses to Mailchimp; images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
- Has no certificate pinning.
- Ships with dev artifacts in production.
- Profiles users extensively through OneSignal - tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.
Smith & Co Solicitors Reports Data Breach and Financial Fraud Following Email Compromise
Smith & Co Solicitors in Ipswich suffered an email-based data breach affecting 25% of its clients and resulting in at least one instance of financial fraud. Attackers gained unauthorized access to the firm's email systems to impersonate staff and intercept sensitive client communications.
#cybersecurity #infosec #incident #databreach
https://beyondmachines.net/event_details/smith-co-solicitors-reports-data-breach-and-financial-fraud-following-email-compromise-z-2-h-j-o/gD2P6Ple2L
And now linux.org has been defaced. This kinda reminds me of the old defacement crews of the mid-to-late 1990's like Hackweiser and World of Hell.
This dumb password rule is from STOVE.
- 24 characters max
https://dumbpasswordrules.com/sites/stove/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Okay, I'm dropping out of the NCSC webinar on supplier management.
On the risks of big tech they say/advise: do a risk analysis so that the risks are accepted, because you have no other option anyway, since these suppliers are so large that you have to accept their terms.
Uh?
Working on another sticker for #37c3 - found this image a while ago, but only as a lowres jpg, so I re-did it as a vector graphic.
#infosec #devops #sticker
We do not test on animals, we test in production.
EDIT: Here's the SVG for all of you who asked https://codeberg.org/FlohEinstein/vectors/src/branch/main/we_do_not_test_on_animals_we_test_in_production (updated version with better readable font)
Wow, u/DeeZett made a 3D version of my "We do not test on animals, we test in production" sticker. I love it!
Reddit: https://www.reddit.com/r/3Dprinting/comments/1s6r5tc/we_do_not_test_on_animals_we_test_in_production/
Model on Makerworld: https://makerworld.com/en/models/2587482-we-do-not-test-on-animals-we-test-in-production#profileId-2854614
Thing on Thingiverse: https://www.thingiverse.com/thing:7323159
#3dprint #makerworld #thingiverse #devops #infosec #sticker #wedonottestonanimalswetestinproduction
This dumb password rule is from BCV.
Username is randomly generated, example: 'H2487414'. The password must have **6** digits only.
Password can only be changed from the mobile application:
https://dumbpasswordrules.com/sites/bcv/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from IRS.
Password rules:
- Between 8 and 32 characters long
- Must contain at least one numeric and one special character (!@#$%&*)
- At least one uppercase and at least one lowercase letter
https://dumbpasswordrules.com/sites/irs/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Netflix.
[The help page](https://help.netflix.com/de/node/54078)
and the [password reset page](https://www.netflix.com/password) say:
Your password must be between 4 and 60 characters long and must not contain a tilde (~).
https://dumbpasswordrules.com/sites/netflix/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from AmiAmi.
Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.
https://dumbpasswordrules.com/sites/amiami/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Walmart.
Your password must include the following:
- 8-100 characters
- Upper & lowercase letters
- At least one number or special character
https://dumbpasswordrules.com/sites/walmart/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
a thing you can try sometimes in #infosec
it’s a super cool trick, rarely shared, but i’m going to divulge it now
if you ever work with another security team at a partner/supplier/customer etc.
you don’t have to be a dick to them
seriously, just try it
This dumb password rule is from NBC (National Bank of Canada).
- Password length must be 8 to 25 characters
- Password must contain at least one lowercase letter (any position)
- Password must contain at least one digit (any position)
- Password cannot contain spaces.
- Copy/paste is not allowed when trying to set a new password
https://dumbpasswordrules.com/sites/nbc-national-bank-of-canada/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
In today's episode of "Can It Run Doom": DNS fucking TXT records.
Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.
RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.
Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.
blog: https://blog.rice.is/post/doom-over-dns/
repo: https://github.com/resumex/doom-over-dns
Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.
It was always DNS.
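Detection logic for the channel described above, as an added example that is not code from the linked blog or repo: it scores TXT queries per client and zone on volume, on how many of the leading labels are unique, and on the Shannon entropy of those labels, which is what a plain resolver or dnsmasq query log gives you without any "deep DNS inspection" appliance. The log format (`<epoch> <client> <qtype> <qname>`), the thresholds and every sample line are constructed for the demo.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of s (0 for empty strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Constructed log format: '<epoch> <client> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def analyze(lines, min_txt=20, min_entropy=3.0, min_unique_ratio=0.9):
    """Flag (client, zone) pairs whose TXT traffic looks like chunk retrieval.

    Chunked payload retrieval shows up as many TXT queries to one zone, almost
    every one with a distinct high-entropy leading label. Thresholds are
    assumptions to tune against your own baseline.
    """
    stats = defaultdict(lambda: {"txt": 0, "labels": set(), "entropy": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        labels = rec["qname"].split(".")
        zone = ".".join(labels[-2:])
        first = labels[0]
        s = stats[(rec["client"], zone)]
        s["txt"] += 1
        s["labels"].add(first)
        s["entropy"] += shannon_entropy(first)
    alerts = []
    for (client, zone), s in stats.items():
        avg_entropy = s["entropy"] / s["txt"]
        unique_ratio = len(s["labels"]) / s["txt"]
        if (s["txt"] >= min_txt and unique_ratio >= min_unique_ratio
                and avg_entropy >= min_entropy):
            alerts.append({"client": client, "zone": zone, "txt_queries": s["txt"],
                           "avg_label_entropy": round(avg_entropy, 2)})
    return alerts


def build_sample_log():
    """Constructed traffic: one host fetching 60 chunks, one host doing normal lookups."""
    lines = []
    for i in range(60):
        # hex chunk names stand in for the encoded pieces of the payload
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"{1700000000 + i} 10.0.0.5 TXT {label}.c.example.test")
    lines += [
        "1700000000 10.0.0.7 A www.example.org",
        "1700000001 10.0.0.7 TXT _dmarc.example.org",
        "1700000002 10.0.0.7 TXT example.org",
        "1700000003 10.0.0.7 AAAA mail.example.org",
    ]
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The legitimate TXT lookups (DMARC, SPF) have low-entropy, repeated labels and never reach the volume threshold, so they stay quiet; the per-zone grouping is what separates a client pulling a thousand chunks from one zone from a busy mail server asking many different zones one question each.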
This dumb password rule is from Delta.
It's a good thing they don't store personal information such as your passport number... oh wait.
https://dumbpasswordrules.com/sites/delta/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from IBM.
12-63 characters
One uppercase character
One lowercase character
One number
Sufficiently Strong
Special characters are optional.
Double byte characters are not allowed
https://dumbpasswordrules.com/sites/ibm/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Minnesota Unemployment Insurance.
Locked to *exactly* 6 chars, alphanumeric only, no special chars.
https://dumbpasswordrules.com/sites/minnesota-unemployment-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from South Western Railway.
Certain special characters disallowed, but notably the phrase " or " is disallowed also. They're probably papering over SQL injection vulnerabilities 🤦
https://dumbpasswordrules.com/sites/south-western-railway/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
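Why a " or " denylist is not an injection fix, as an added example that is not the railway's code (the post shows none): the hypothetical login below builds its query by string concatenation, a payload that spells the same condition with comment tokens instead of spaces sails straight through the denylist, and the parameterized version is immune without any character rules at all. The table, the accounts and the exact form of the denylist are constructed for an in-memory SQLite database.

```python
import sqlite3

# The kind of rule the post describes: reject the literal phrase " or ".
# Its exact form on the real site is an assumption.
DENYLIST = (" or ",)


def passes_denylist(value):
    return not any(bad in value.lower() for bad in DENYLIST)


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed accounts. A real system stores a salted hash; that changes nothing below.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'battery staple')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: attacker-controlled text becomes SQL syntax."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_param(conn, username, password):
    """Fixed: values travel as bound parameters and are never parsed as syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Same meaning as "x' or 1=1--" but with no " or " substring: SQLite, like
# most engines, accepts a /**/ comment anywhere whitespace is allowed.
BYPASS = "x'/**/or/**/1=1--"

if __name__ == "__main__":
    conn = setup_db()
    print("denylist blocks the naive payload:", not passes_denylist("x' or 1=1--"))
    print("denylist passes the bypass:", passes_denylist(BYPASS))
    print("concatenated query with bypass:", login_concat(conn, BYPASS, "wrong"))
    print("parameterized query with bypass:", login_param(conn, BYPASS, "wrong"))
    print("parameterized query, real creds:", login_param(conn, "alice", "correct horse"))
```

With parameters in place the password field can accept any character, including " or ", spaces and the tilde Netflix bans above; the only rules left worth enforcing are a minimum length and a breached-password check.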