This dumb password rule is from Intelink Passport.
Intelink is a group of "secure" intranets used by the United States Intelligence Community. Passport is
an identity and access management service for Intelink.
Rule #3 prohibits three or more consecutive uppercase, lowercase, or digit characters, even if those
characters are not the same. For ex...
https://dumbpasswordrules.com/sites/intelink-passport/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
@zackwhittaker This is terrible. My dog isn’t very good with #cybersecurity and uses her owner’s name as her #password. I tried giving her a password wallet but she just buried it in the back yard.
This dumb password rule is from CVent.
Password Rules
- 8 to 20 characters with at least 1 number and 1 letter.
- No symbols or spaces.
https://dumbpasswordrules.com/sites/cvent/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Petco’s security lapse affected customers’ SSNs, drivers’ licenses and more
Petco reported that the affected data included: names, Social Security numbers, driver’s license numbers, financial information such as account numbers, credit or debit card numbers, and dates of birth.
#petco #pets #retail #databreach #security #cybersecurity #hackers #hacking #hacked
Petco data breach — it wasn't Polly who spilled the crackers.
https://techcrunch.com/2025/12/05/petco-confirms-security-lapse-exposed-customers-personal-data/
#cybersecurity #DataBreach #privacy #NoPrivacy
This dumb password rule is from Sunny Portal.
The password must consist of at least 10 and at most 50 characters. It must contain at least one special character, one number, one lower-case letter and one upper-case letter.
The following characters are permitted for the password:
- Lower-case letters (a-z)
- Upper-case letters (A-Z)
- Digits...
https://dumbpasswordrules.com/sites/sunny-portal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🛰️ 📡🚗 A wave of cyber attacks has reportedly immobilized Porsche vehicles across Russia — disrupting security, tracking, and immobilizer systems. Experts warn this may mark a new frontier in automotive cyber warfare. Full story 👇
🔗 https://www.cybersecurity-insiders.com/porche-cars-immobilized-by-cyber-attacks-in-russia/
#CyberSecurity #Porsche #Russia #Hacking #AutomotiveTech
I am urgently looking for work. My unemployment ends soon and my family is approaching eviction. With Christmas near and kids in the house, the pressure has become extremely difficult. I’ve been interviewing since September and reached multiple final rounds, but have not secured a role yet.
I have over 15 years of experience in Cyber Threat Intelligence, OSINT, Social Engineering, Security Engineering, Vulnerability Management, and detection rule development. I’ve built CTI programs, developed Python automation, improved workflows, supported investigations, and authored Practical Social Engineering. I hold a US patent for a cybersecurity reconnaissance system.
I can support Sales and Sales Engineering teams as a subject matter expert when needed, adding technical depth and threat context to customer conversations. I also write white papers, blogs, and podcast material and speak regularly on security topics. Locally, I am a USCCA certified firearms instructor.
I am open to full time roles or contract work. Referrals and introductions are deeply appreciated as Christmas approaches.
#OpenToWork #Cybersecurity #JobSearch #ThreatIntel #OSINT #TechJobs
Porsche in Russia: Cars won't start https://www.heise.de/news/Porsche-in-Russland-Autos-lassen-sich-nicht-starten-11105814.html?wt_mc=rss.red.ho.top-news.atom.beitrag.beitrag #cybersecurity #infosec
This dumb password rule is from Southwest.
Password must be between 8 and 16 characters in length and include at least one uppercase letter
and one number. Certain special characters are also allowed, but the first character of the password must be alphanumeric.
https://dumbpasswordrules.com/sites/southwest/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from E-learning (Unipd).
Exactly 8 characters for password! There must be at least 1 lowercase
letter, at least 1 uppercase letter, at least 1 number and at least 1
*special* char ( \* , . $ # @ etc...).
https://dumbpasswordrules.com/sites/e-learning-unipd/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Walmart.
Your password must include the following:
- 8-100 characters
- Upper & lowercase letters
- At least one number or special character
https://dumbpasswordrules.com/sites/walmart/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
GrapheneOS is leaving France due to government pressure for encryption backdoors 🇫🇷
The move highlights risks to end-to-end encryption and user privacy when authorities demand access to secure data 🔒
Open-source privacy projects may face similar pressures globally 🌐
🔗 https://proton.me/blog/grapheneos-france
#TechNews #Privacy #Security #OpenSource #Encryption #CyberSecurity #DataProtection #DigitalRights #UserRights #Anonymity #Internet #SecurityTech #WebFreedom #E2EE #Android #GrapheneOS #France
This dumb password rule is from Blue Cross Blue Shield Massachusetts.
16 maximum and no special characters. Protecting your US healthcare
information.
https://dumbpasswordrules.com/sites/blue-cross-blue-shield-massachusetts/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from University of Texas at Austin.
Because of the last two rules, which ban dictionary words and any
variants using symbol substitutions, *neither* of the passwords
presented in the [xkcd comic](https://xkcd.com/936/) are allowed.
https://dumbpasswordrules.com/sites/university-of-texas-at-austin/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Nelnet (student loan servicer).
8 to 15 characters and no spaces? Why no spaces? Also limited to only these 6 special characters. That could mean that there is some process somewhere that puts this as part of a command line invocation.
https://dumbpasswordrules.com/sites/nelnet-student-loan-servicer/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🔐 Let's Encrypt to Cut Certificate Lifetimes to 45 Days by 2028 // Linuxiac
「 Shorter certificate lifetimes are intended to limit the impact of compromised keys and improve the effectiveness of revocation mechanisms. Alongside this shift, the authorization reuse period, the window during which previously validated domain control can be reused, will decrease from 30 days to just 7 hours 」
https://linuxiac.com/lets-encrypt-to-cut-certificate-lifetimes-to-45-days-by-2028/
This dumb password rule is from Keimyung University.
Okay, doesn't look that hard... But wait, there are hidden rules!
Hidden rules: your password can't have 3 times the same character in a row or more than 2 consecutive numbers.
Also if your password is 20 characters or more you won't be able to write it in the mobile app.
https://dumbpasswordrules.com/sites/keimyung-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Williams-Sonoma.
25 maximum characters and disallowing some specials.
https://dumbpasswordrules.com/sites/williams-sonoma/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Targobank.
Your password must:
- must not be your username
- must at least eight characters
- must contain at least one number character
- must contain at least one uppercase character and 1 lowercase character
- must not contain spaces
- must not contain three identical characters in a row
- must not conta...
https://dumbpasswordrules.com/sites/targobank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Interactive Brokers.
Usual dumb password restrictions, but this one has incredibly dumb **username**
restrictions too:
**Username:**
- **Length of 8 or 9 letters and numbers**
- **Contain at least 3 letters and 3 numbers**
- Begin with a letter
- Lower case only, no spaces, no special characters
**Password:**
- Can...
https://dumbpasswordrules.com/sites/interactive-brokers/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from UL Standards.
- Passwords must be between 8 and 12 characters
- Passwords cannot contain any blank spaces
- Passwords must contain at least one number, one uppercase letter, and one lowercase letter.
- Password Reset will randomly fail for no reason.
https://dumbpasswordrules.com/sites/ul-standards/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from LCL.
You have to enter your 6-digit password using this Frenchy keypad.
https://dumbpasswordrules.com/sites/lcl/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
There's an epic react server component RCE exploit making the rounds today.
A proof of concept just dropped. Probably wanna patch this rapidly.
This dumb password rule is from Polytechnique Montreal.
Passwords must have a minimum length of 8 characters
Passwords must have a maximum length of 30 characters
Passwords must contain a minimum of 2 digits
Passwords must contain a minimum of 2 letters
Password must be different than the last one used
Passwords may contain these special characte...
https://dumbpasswordrules.com/sites/polytechnique-montreal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets https://www.bleepingcomputer.com/news/security/shai-hulud-20-npm-malware-attack-exposed-up-to-400-000-dev-secrets/
This dumb password rule is from Dnevnik.ru.
Silently (sic!) trim password to 30 symbols.
That causes the stupid case where you can successfully register an account with a password of length 52 and then can't log in with that password.
https://dumbpasswordrules.com/sites/dnevnik-ru/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from NetBank (Commonwealth Bank of Australia).
When resetting your NetBank password, the website only informs you that you can create an alphanumeric password, despite the fact that you can use special characters.
And also, its password strength calculation is shit.
A password with 155 bits of entropy is "weak."
Additionally, passwords are case-...
https://dumbpasswordrules.com/sites/netbank-commonwealth-bank-of-australia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Ohh I like this... Aikido has presented a more detailed analysis of the early steps for the Shai Hulud 2.0 worm.
Attempting to map what steps the original threat actor took to gain a foothold. Useful stuff IMHO
https://www.aikido.dev/blog/shai-hulud-2-0-unknown-wonderer-supply-chain-attack
🆕 blog! “Responsible Disclosure: Joiners, Movers, and Leavers in NHS BSA”
Many many years ago, I did some work for the NHS. As part of that, I was given access to certain GitHub organisations so that I could contribute to various projects. Once I left that job my access was revoked.
Mostly.
A few weeks ago, I received…
👀 Read more: https://shkspr.mobi/blog/2025/12/responsible-disclosure-joiners-movers-and-leavers-in-nhs-bsa/
⸻
#CyberSecurity #github #nhs #ResponsibleDisclosure
This dumb password rule is from ING Romania's Internet Banking Portal.
No more, no less than 5 digits. This is the password you use to log in and to confirm
online transactions. They used to have "normal" passwords and they forced everybody to
change to the 5 digits versions. They said they've made it "so it's easier for you" and it's
OK, because everybody has 2FA.
https://dumbpasswordrules.com/sites/ing-romanias-internet-banking-portal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Gigabyte RMA system.
Your password must contain:
Between 8-12 characters
An upper case letter (A, B, C, etc.)
a lower case letter (a, b, c, etc.)
A number (1, 2, 3, etc.)
A symbol (-, ~, !, #, $, %, &, (, ), +, =, .)
https://dumbpasswordrules.com/sites/gigabyte-rma-system/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Defguard listed in Dealroom's "Tough Tech" report!
Mapping NATO Eastern Flank innovations, it defines "Tough Tech" as tech that "can't fail."
The only infrastructure that never fails is one you fully control.
We were recognized for:
🔹 European Data Sovereignty
🔹 Privacy & Control (Self-hosted)
🔹 Trust through Open Source
If you build critical infrastructure, don't rent your security. Own it.
More: https://dealroom.co/uploaded/2025/11/Tough-Tech.pdf
#OpenSource #SelfHosted #CyberSecurity #DataSovereignty #ToughTech
This dumb password rule is from Mes Services Étudiant.
At least 6 characters, one uppercase letter, one lowercase letter, one digit
and one "special character".
These do not count as "special characters": `` + - = | @ " ' # ( ) [ ] { } < > / \ ` ;``.
https://dumbpasswordrules.com/sites/mes-services-etudiant/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Premera Blue Cross.
Password must contain 8-30 characters, including one letter and one number.
"Special characters allowed" seems to mean a very small handful of choices you can only find through trial and error `-_'.@`
https://dumbpasswordrules.com/sites/premera-blue-cross/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from USAA Bank.
Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.
https://dumbpasswordrules.com/sites/usaa-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Saturn.
Passwords need to be between 8 and 15 characters.
https://dumbpasswordrules.com/sites/saturn/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Testprep Training.
The max password size is 20 characters
https://dumbpasswordrules.com/sites/testprep-training/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from FACE IT Ltd. (Faceit).
Your password must be 6 - 20 characters. No special characters or numbers required.
https://dumbpasswordrules.com/sites/face-it-ltd-faceit/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Major League Baseball.
When creating a new account they enforce some password rules like: length must be
between 8 and 15 characters and there must be one upper case, one lower case letter
and one number.
https://dumbpasswordrules.com/sites/major-league-baseball/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Taking a second to understand the attack rate. I constructed this query below which shows you essentially an up to date listing of developers/code that's been compromised.
Once your box is infected and PII data has been found the worm then uses your github credentials to upload that content so ANYONE can now steal your credentials.
I'm finding multiple repos being popped every minute. This is an extremely active attack right now.
Ok I've downloaded some of the compromised packages and you can search your already downloaded node modules for possibly infected packages using this command:
find ./node_modules -type f -name "bun_environment.js"
You can check your user level node cache using:
find ~/.npm -type f -name "bun_environment.js"
Still sizing this one up but if you get any hits check and see if they are big files (around 10MB) and if so you're likely infected.
I've spent the last few hours writing down my scripts for detecting this so you can use them!
I'm hitting on two or three ways to detect it and will be adding more.
Watching the attack running I can see developers all over the world still doing their morning `npm i` and getting owned 😭
Maybe let the node developers in your life know about this tool 👇🏿
https://github.com/datapartyjs/walk-without-rhythm
#ShaiHulud #WalkWithoutRhythm #nodejs #javascript #npm #github #cybersecurity
At the end of scanning for obvious compromise the `check-projects` script then builds a listing of all of your dependencies and all of the versions your project files mention.
You can find that info under `reports/`
I'm currently working on improving the `check-projects` script so that it will alert you if ANY of your package.json or package-lock.json mentions a known infected package.
#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
Woot ok now that I have the dependency graph crawled I can just ship the listing of known bad NPM packages and just compare directly against that.
I updated the scanning script to alert if you have -any- version of an infected package.
You're gonna want to be very careful if you're not infected but have one of these dependencies present.
https://github.com/datapartyjs/walk-without-rhythm/blob/main/data/infected-pkgs-versions.txt
#ShalHulud #WalkWithoutRhythm #npm #github #javascript #cybersecurity #threatresponse
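Added example (not part of the posts above and not code from the walk-without-rhythm project): the two checks the thread describes, written in Python. It flags `bun_environment.js` files at or above a size threshold and lists every package named in `package.json` or `package-lock.json` that appears in a known-bad set; the 5 MiB threshold and the package name in the usage line are assumptions, so supply the names from the list you trust.

```python
import json
import os
from pathlib import Path

MARKER_NAME = "bun_environment.js"   # file name given in the thread
SIZE_THRESHOLD = 5 * 1024 * 1024     # assumption: thread says "around 10MB"; flag >= 5 MiB
DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")


def find_marker_files(root, min_size=SIZE_THRESHOLD):
    """Return sorted (path, size, is_large) tuples for each marker file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if MARKER_NAME in files:
            path = Path(dirpath) / MARKER_NAME
            try:
                size = path.stat().st_size
            except OSError:          # unreadable or vanished mid-scan
                continue
            hits.append((str(path), size, size >= min_size))
    return sorted(hits)


def lockfile_package_names(lock_path):
    """Every package name a package-lock.json mentions (lockfileVersion 1, 2, 3)."""
    data = json.loads(Path(lock_path).read_text(encoding="utf-8"))
    names = set()
    # v2/v3: "packages" keys are install paths such as "node_modules/a/node_modules/@s/b"
    for key in data.get("packages", {}):
        if "node_modules/" in key:
            names.add(key.rsplit("node_modules/", 1)[1])
    # v1 (and the legacy section of v2): nested "dependencies" objects keyed by name
    stack = [data.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            names.add(name)
            if isinstance(meta, dict):
                stack.append(meta.get("dependencies", {}))
    return names


def scan_project(project_dir, known_bad, min_size=SIZE_THRESHOLD):
    """Run both checks for one project; known_bad is an iterable of package names."""
    project = Path(project_dir)
    mentioned = set()
    manifest = project / "package.json"
    if manifest.is_file():
        pkg = json.loads(manifest.read_text(encoding="utf-8"))
        for field in DEP_FIELDS:
            mentioned.update(pkg.get(field, {}))
    lock = project / "package-lock.json"
    if lock.is_file():
        mentioned |= lockfile_package_names(lock)
    return {"marker_files": find_marker_files(project / "node_modules", min_size),
            "known_bad_mentions": sorted(mentioned & set(known_bad))}


if __name__ == "__main__":
    # "@constructed/example-bad-pkg" is a constructed placeholder, not a real indicator
    print(scan_project(".", {"@constructed/example-bad-pkg"}))
```

A name match only means the project mentions a listed package at some version; a large marker file on disk is the stronger signal, as the thread notes.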
If time is money and helping the community is good, then this almost completely broke and emotionally damaged open source nerd would dearly appreciate some donations so I can stay focused on helping untangle this worm.
Was planning to spend this week on a mad dash to get my latest apps shipped by turkey day (to, you know, make money) but instead I'm doing worm mitigation 😭
https://ko-fi.com/nullagent
https://ko-fi.com/dataparty
#cybersecurity #incidentresponse #ShalHulud #WalkWithoutRhythm