This dumb password rule is from Gigabyte RMA system.

Your password must contain:
Between 8-12 characters
An upper case letter (A, B, C, etc.)
a lower case letter (a, b, c, etc.)
A number (1, 2, 3, etc.)
A symbol (-, ~, !, #, $, %, &, (, ), +, =, .)

https://dumbpasswordrules.com/sites/gigabyte-rma-system/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Mes Services Étudiant.

At least 6 characters, one uppercase letter, one lowercase letter, one digit
and one "special character".

These do not count as "special characters": `` + - = | @ " ' # ( ) [ ] { } < > / \ ` ;``.

https://dumbpasswordrules.com/sites/mes-services-etudiant/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from ING Romania's Internet Banking Portal.

No more, no less than 5 digits. This is the password you use to log in and to confirm
online transactions. They used to have "normal" passwords and they forced everybody to
change to the 5 digits versions. They said they've made it "so it's easier for you" and it's
OK, because everybody has 2FA.

https://dumbpasswordrules.com/sites/ing-romanias-internet-banking-portal/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Premera Blue Cross.

Password must contain 8-30 characters, including one letter and one number.
"Special characters allowed" seems to mean a very small handful of choices you can only find through trial and error `-_'.@`

https://dumbpasswordrules.com/sites/premera-blue-cross/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from USAA Bank.

Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.

https://dumbpasswordrules.com/sites/usaa-bank/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Saturn.

Passwords need to be between 8 and 15 characters.

https://dumbpasswordrules.com/sites/saturn/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Interactive Brokers.

Usual dumb password restrictions, but this one has incredibly dumb **username**
restrictions too:

**Username:**
- **Length of 8 or 9 letters and numbers**
- **Contain at least 3 letters and 3 numbers**
- Begin with a letter
- Lower case only, no spaces, no special characters

**Password:**
- Can...

https://dumbpasswordrules.com/sites/interactive-brokers/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Testprep Training.

The max password size is 20 characters

https://dumbpasswordrules.com/sites/testprep-training/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from FACE IT Ltd. (Faceit).

Your password must be 6 - 20 characters. No special characters or numbers required.

https://dumbpasswordrules.com/sites/face-it-ltd-faceit/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

@xarvos @sotolf

oooof. I update every week. I get a warning in my shell if I don't.

I'm ex-#infosec.

@dusnm

Yeah, that's sound. One thing I like about #OpenBSD is that they do process separation for as many services as possible. That's just a really basic #infosec discipline that isn't practiced nearly enough.

This dumb password rule is from Major League Baseball.

When creating a new account they enforce some password rules like: length must be
between 8 and 15 characters and there must be one upper case, one lower case letter
and one number.

https://dumbpasswordrules.com/sites/major-league-baseball/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Just a silly #meme...

#LossyPNG #doas #sudo #root #unix #linux #BSD #infosec

Alt...

Winnie-the-Pooh good-better-blurst meme: Good: sudo Better: doas Blurs't: ssh root@... Reduced to 8 colors to save space (#LossyPNG)

This dumb password rule is from Westpac Live Online Banking.

Password rules:
- be between 8 and 30 characters
- include at least 1 number, 1 letter and 1 special character (@#%^ etc)
- have no more than 2 repeating characters (AAB not AAA)
- not contain spaces
- not be the same as your last 3 passwords

https://dumbpasswordrules.com/sites/westpac-live-online-banking/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

The NIS2 Directive is no longer a future problem. It's on your desk now, and your remote access stack is under scrutiny.

But be warned: most "VPN MFA" solutions have a critical compliance gap that auditors will find.

We wrote an engineering guide (no fluff) on how to fix it:
🔹 Real security vs. "checkboxes"
🔹 Implementing connection-level MFA
🔹 Making your setup compliant

Read the deep dive: https://defguard.net/blog/mfa-wireguard-nis2-compliance/

#NIS2 #WireGuard #InfoSec #MFA #SysAdmin

Alt...

A blog post cover image split vertically. The left panel has a dark blue background with the defguard logo and large white text that reads: "MFA for WireGuard: How to Meet NIS2 Directive Requirements". The address "defguard.net" is at the bottom left. The right panel is a futuristic illustration showing two hands with fingers reaching toward each other, creating a bright burst of light at the center of a glowing digital network of interconnections.

This dumb password rule is from Shell Fuel Rewards.

- No less than 8 and no more than 16 characters
- Allows only specific special characters: ! @ # $ %
- Doesn't bother to tell you what characters are allowed or not. Hope you like reading JS.

https://dumbpasswordrules.com/sites/shell-fuel-rewards/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

https://committing-crimes.com/articles/2024-09-09-jitpack/

The infosec hell was never users writing down their password in a post-it stuck to their monitor.

The true infosec hell is developers trusting centralized repositories of "open source" that nobody reads nor audits.

Again I have to battle against devs that, for pure convenience and laziness, put users and the company at the mercy of any random of the internet, with the willing to perform a supply chain attack.

#infosec #centralization #zerotrust #supplychainattack

We completely disabled TLS 1.0 & 1.1 on www.bbc.co.uk, www.bbc.com & BBC Account web endpoints today.

This follows a deprecation (soft-retirement via HTML warning page) period of about a month. Usage was low - ~5-10 RPS - and mostly from crufty old bots/scripts.

This one change took our TLS rating (on SSLLabs & testssl.sh) from B to A+.

Next up:
-* *Enabling PQC &* finally* removing 3DES on our in-house CDN
- Retiring non-FS ciphers

#Infosec #WebDev #TLS

Alt...

Screenshot of SSLLabs Server Test report for www.bbc.com showing grade "B"

Alt...

Screenshot of SSLLabs Server Test report for www.bbc.com showing grade "A"

Alt...

Screenshot of TestSSL.SH Server Test report for www.bbc.com showing grade "B"

Alt...

Screenshot of TestSSL.SH Server Test report for www.bbc.com showing grade "A"

This dumb password rule is from AmeriHealth.

Their site says "*All information is kept safe and secure.*" Just not as
secure as you'd like.

User Password must be between 6 and 14 characters and contain 1
numerical value.

https://dumbpasswordrules.com/sites/amerihealth/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

So, curl doesn’t integrate with libsecret in any way? I assume that since there’s no discussion on the main mailing list of in the GitHub issues for it that I’m somehow being dumb thinking I want it.
If the service that I’m authenticating to uses basic auth, and I don’t want to store my passwords in a .netrc in my HOME or pass it in clear on the command-line, what are my best options?
@bagder
#curl #gnome_libsecret #infosec #LazyWeb

This dumb password rule is from State Bank of India (Foreign Travel Card).

State Bank of India is the largest government operated bank in India.
They offer "travel" prepaid cards for foreign currencies, this is for
their portal for the prepaid card users to manage their account.

Your password must:
- Be between 8 and 9 characters long
- Contain at least 1 lowercase c...

https://dumbpasswordrules.com/sites/state-bank-of-india-foreign-travel-card/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Ok, Crowdsec is working with traefik ​​

The traefik access logs are collected by Alloy and shipped to Loki, which the Crowdsec agent uses to make decisions on. The trade I ingresses are configured to use the bouncer middleware in stream mode.

Looking at the Crowdsec dashboards the ssh services running on high ports have had zero hits, probably not worth the effort of integrating those systems right now.

I didn't enable app-sec features becauze I don't want to deal with the latency penalty that I would end up with.

Open to suggestions on appsec, or other worthwhile security components/apps that could be integrated (uggh I wish they'd open up the AI blicklists)

Overall it works good, even if the free-tier often feels somewhat restrictive at times

#HomeLab #Kubernetes #Infosec

This dumb password rule is from Fidelity.

No more than 20 characters and leave out characters commonly used by
programmers. We don't want you to hack the mainframe.

https://dumbpasswordrules.com/sites/fidelity/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Dell.

Okay at least 6, that's alright I guess.

Oh at least one number and one letter, bit dumb but hey not that dumb.

But hiding the fact that it has a max of 20, now THAT is dumb!

https://dumbpasswordrules.com/sites/dell/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from AirAsia.

- Between 8 and 16 characters
- Must contain a number, a lowercase letter, and an uppercase letter
- Special characters allowed, but not periods, commas, tildes, or angle brackets

https://dumbpasswordrules.com/sites/airasia/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Entwickler.de.

Your password must be 12-20 characters.

https://dumbpasswordrules.com/sites/entwickler-de/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Crédit Agricole Centre-Est.

You have to enter your 6-digit password using this Frenchy keypad.

https://dumbpasswordrules.com/sites/credit-agricole-centre-est/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

@hacks4pancakes Strange how in a country with so many tech experts they couldn't find women speakers.

Recently I attended #Kawaiicon2025 a #Cybersecurity / #InfoSec conference in Aotearoa New Zealnd, a country with just over 5Million people living here. They found an assortment credible and interesting speakers who were men or women or nonbinary (NB). Same with panels. And organisers which helps. The participating audience was still more Men than Women or NB but anyone attending would have found peers.
https://kawaiicon.org/talks/

A fully sponsored Girl Geek Dinner pre-con welcoming event was also held.
https://kawaiicon.org/con-events/#girl-geek-dinner

Calling out manels (all male panels) is brave work and it's helpful when men do the "Do Better" call.

This dumb password rule is from Seur.

Password must be between 8 and 12 characters...
Also no symbols are allowed. But this isn't displayed.

https://dumbpasswordrules.com/sites/seur/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from PagoMisCuentas.

Password must be between 8 and 15 alphanumeric characters, and have
at least one uppercase and one lowercase letter.

https://dumbpasswordrules.com/sites/pagomiscuentas/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Standard Chartered Bank.

- Between 8 to 16 characters
- Only letters and/or numbers

https://dumbpasswordrules.com/sites/standard-chartered-bank/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

New.

Google Threat Intelligence Group: Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks #Google #threatintel #threatintelligence #infosec #espionage

This is a fascinating use of a #sidechannel timing attack against calls to an #AI model.

By capturing encrypted TLS traffic and measuring timing, they can very accurately determine which streams corresponded to an LLM conversation about a pre-selected topic.

TLS is intact. So their ability to recover the conversation is limited to their ability to break TLS. But they can, with high confidence, sift out all the TLS traffic for the only conversations that reference the thing they care about. They don't have to worry about spending resources breaking TLS on traffic that is unrelated. Neat #security research from #Microsoft.

#cybersecurity #infosec #LLM

This dumb password rule is from Lloyds Bank.

Max 15 characters, min 8. You cannot use **ANY** special characters -
alpha-numerics only. This amazingly terrible password policy combines
with a known phrase (The "Memorable Information") of which you will be
asked for a random 3 characters of if you get your password right.
This phrase has sim...

https://dumbpasswordrules.com/sites/lloyds-bank/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Best Buy.

You can enter whatever password you like! But you probably don't want to
make it too long, because you'll break us and you'll never be able to
login again.

https://dumbpasswordrules.com/sites/best-buy/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

My dad just called to ask for his computer's admin password. He fell for yet another fraudulent #Paypal charge #scam and gave the scammer access to his computer. The scammer was stopped by the fact that I've revoked Dad's admin rights for just this reason.
He has fallen repeatedly for this scam and others like it. We keep telling him it's a scam. We keep telling him to call us before calling any number he gets in an email. He keeps falling for it. It's infuriating.
#infosec #elderAbuse
1/2

This dumb password rule is from AmiAmi.

Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.

https://dumbpasswordrules.com/sites/amiami/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from State Bank of India (Foreign Travel Card).

State Bank of India is the largest government operated bank in India.
They offer "travel" prepaid cards for foreign currencies, this is for
their portal for the prepaid card users to manage their account.

Your password must:
- Be between 8 and 9 characters long
- Contain at least 1 lowercase c...

https://dumbpasswordrules.com/sites/state-bank-of-india-foreign-travel-card/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Does anyone have #fediverse or #mastodon stats (preferably from a few different servers) about numbers of bad-faith actors being identified, banned, etc.? I've become pretty interested in this from a methodological point of view. I'm thinking of running some #moderation simulations to explore possibilities in a "calculate some stuff and make some graphs" way. Actually, if someone already did that, I'd be keen to read it.

I'm interested in how to detect "bad eggs," realizing as I think about it that I don't even know all the questions to ask, and this entire line of investigation has some thorny issues I'll need to deal with. I think infosec.exchange might, in some ways, be the perfect server to be on for this, because I am pretty sure that #cybersecurity has huge overlap with this whole domain.

#advice is helpful. #data is even more helpful.

#moderators #BadActors #infosec #socialmedia

This dumb password rule is from IRS.

Password rules:
- Between 8 and 32 characters long
- Must contain at least one numeric and one special character (!@#$%&*)
- At least one uppercase and at least one lowercase letter

https://dumbpasswordrules.com/sites/irs/

#password #passwords #infosec #cybersecurity #dumbpasswordrules