cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
This dumb password rule is from United Parcel Service of America.
Your password must:
- Be between 7 and 26 characters long
- Contain at least 1 lowercase character
- Contain at least 1 uppercase character
- Contain at least 1 number character
- Contain one special character (!@#$%*)
- NOT contain first or last name
- NOT contain UPS user ID
- NOT contain email...
https://dumbpasswordrules.com/sites/united-parcel-service-of-america/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
boosted
Partially domesticated raccoon [They/them] » 🌐
@c0debabe@masto.hackers.town
HackerHaus is having an online mini-con tomorrow!
Live streaming via YouTube and the recording will be available after.
This dumb password rule is from Estheticon.
- At least 8 characters but limited to 20 characters at max
- At least 1 digit
- At least one letter (just a letter in general, no specific casing required)
- No special characters at all
https://dumbpasswordrules.com/sites/estheticon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Is this the first time a major service has removed end-to-end encryption instead of adding it? Why Instagram?
#instagram #socialmedia #privacy #infosec #technology #enshittification
"We’ve been saying this for years now, and we’re going to keep saying it until the message finally sinks in: mandatory age verification creates massive, centralized honeypots of sensitive biometric data that will inevitably be breached. Every single time. And every single time it happens, the politicians who mandated these systems and the companies that built them act shocked—shocked!—that collecting enormous databases of government IDs, facial scans, and biometric data from millions of people turns out to be a security nightmare."
This dumb password rule is from MobileIron MDM.
You can't make this up - no dictionary words, no more than 2 repeating
characters, no alphabetic sequences, no whitespace, 3 character sets,
maximum of 32 characters.
https://dumbpasswordrules.com/sites/mobileiron-mdm/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
The line between national security and political surveillance is thinning. Congressional Democrats just launched an inquiry into the Department of Homeland Security regarding its use of administrative subpoenas. Unlike the subpoenas you see in courtroom dramas, these do not require a judge’s signature. They allow federal agencies to demand personal information and internal communications directly from technology companies with almost zero outside oversight.
This investigation follows reports that DHS used these "judge-free" demands to gather data on Americans who criticized the agency on social media. It is a significant moment for anyone in the tech industry. When the government can compel your data without a warrant, the First Amendment starts to look very fragile. You should watch how these tech firms respond to the inquiry, as it will set the standard for how they protect your information from administrative overreach.
🧠 Lawmakers are demanding to know how often DHS uses subpoenas without judicial review.
⚡ The inquiry follows evidence that critics of agency policy were specifically targeted.
🎓 Major tech platforms must now disclose their internal protocols for handling these federal demands.
🔍 Civil liberties groups are pushing for new legislation to require a judge’s approval for all data seizures.
https://www.washingtonpost.com/nation/2026/03/02/subpoenas-free-speech-congress-investigation/
#DataPrivacy #DigitalRights #TechLaw #security #privacy #cloud #infosec #cybersecurity
This dumb password rule is from EON.
By the time I'd finished reading the rules I'd forgotten all of them.
https://dumbpasswordrules.com/sites/eon/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Waze.
After you request a password reset and you receive an email with instructions and a link to reset your password, you are presented with this password reset form. Your password length is limited between 8 and 16 characters. Additionally, the form breaks with an error if you use any special characters...
https://dumbpasswordrules.com/sites/waze/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Whitcoulls.
Your password must:
- be between 7 and 15 characters
- contain a capital letter
- have no spaces (shown only when you go to change it)
https://dumbpasswordrules.com/sites/whitcoulls/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BOINC Bakerlab.
Passwords may only include ASCII characters, not even extended ASCII.
https://dumbpasswordrules.com/sites/boinc-bakerlab/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Nintendo.
Password between 8-20 characters, at least two "categories" of characters, and cannot use the same character more than twice in a row. At least it supports MFA.
https://dumbpasswordrules.com/sites/nintendo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Alibaba.
- At least 2 uppercase letters
- Plus 2 lowercase letters
- Plus 2 numbers
- Plus 2 punctuation marks
Phew, too many rules, because why not, if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU),
then password rules can be equally intelligent too.
Also, ...
https://dumbpasswordrules.com/sites/alibaba/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Learning about the "bodysnatcher" attack on ServiceNow and "ai agents authenticated only by an unverified email address and a well known reused api token" is so great I bet everyone is doing it.
This dumb password rule is from LCL.
You have to enter your 6-digit password using this Frenchy keypad.
https://dumbpasswordrules.com/sites/lcl/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Omnivox.
Password length must be 8 to 20 characters long with lower case characters and numbers only.
https://dumbpasswordrules.com/sites/omnivox/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Deutsche Kreditbank AG (DKB).
Passwords for the online banking web frontend do not have a max length constraint, but using the same password to
log in to the official iOS DKB app requires the password to be no longer than 38 characters.
https://dumbpasswordrules.com/sites/deutsche-kreditbank-ag-dkb/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from KPMG Talent Community.
While stating otherwise, the site actually *accepts a backslash* in the password
and displays a forward slash as the example of the disallowed backslash
Password:
- Must be at least 8 characters long
- Must contain at least 1 number
- Must contain at least 1 letter
- Must contain at least 1 spec...
https://dumbpasswordrules.com/sites/kpmg-talent-community/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Ok finally just about finished, full egress policies. Well, they already had egress policies, but now apps also have FQDN-based policies for any outbound https/DNS, with only a small number of exceptions. Now to watch the DNS dashboard I created to watch for DNS policy failures to add what I missed. For sure the most complex policy was Home Assistant and idk what the runner-up is, nothing else is close. I'm also keenly aware that some of these apps have api.github.com or raw.githubusercontent.com, which could be directed to almost anything. Good enough for now!
New infosec AI guidance just dropped
#infosec #Shitpost #Shitposting #ShamelesslyStolenFromSomewhereElseOnTheInternetHonestlyICantKeepTrackOfThisStuffAnymore
This dumb password rule is from Easybank (Austrian direct bank).
- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at l...
https://dumbpasswordrules.com/sites/easybank-austrian-direct-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
🆕 New event added:
📌 BSidesAdelaide
📅 Jul 27-28, 2026
📍 Adelaide (SA) 🇦🇺
🔗 https://www.bsidesadelaide.com.au
#infosec #cybersecurity #conference #Bsidesadelaide #Australia
This dumb password rule is from MarketWatch.
- Cannot be longer than 15 characters.
- Must contain one number.
- Cannot contain spaces, %, & or +.
https://dumbpasswordrules.com/sites/marketwatch/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
So I need to test the security properties of a remote TLS server. Normally, I'd use Qualys' TLS server testing tools. However, this server uses an IPv4 allowlist, so Qualys wouldn't be able to reach it.
So, I'm looking for tools I can run locally (Linux, the BSDs, or Windows).
Anyone have any suggestions?
For anyone who still thinks Proton is all that:
https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
Many of us have been raising alarm bells because their CEO is a fascist boot licker. Some say that’s hot air, but he continues to fit the M.O.
https://mas.to/@markwyner/115199799549199535
https://lgbtqia.space/@alice/113830130669521824
Ditch Proton. You deserve better.
Once again Proton hand over data on an activist to authorities, this time to the FBI via the Swiss High Court.
Proton is unsafe for use by frontliners.
https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
a very cool technique that some #infosec salesfolk are doing now - if you have the iOS phone call screening thing turned on on your phone, they state their reason for calling as
"cybersecurity breach" or "urgent breach detected"
Because they know that'll go to your screen as text.
And by very cool what I mean is "a very cool way of making sure I never talk to you"
This dumb password rule is from Wells Fargo Identity Theft Protection.
Your password on an Identity Theft Protection service is limited to
between 8 and 20 characters. Your username is allowed to be longer than
your password.
https://dumbpasswordrules.com/sites/wells-fargo-identity-theft-protection/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Taco Bell.
Password may include special characters, except for #.
https://dumbpasswordrules.com/sites/taco-bell/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
#ProtonMail Helped #FBI Unmask Anonymous ‘#StopCopCity’ #Protester
by Joseph Cox
Mar 5, 2026 at 3:36 PM
A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
Read more:
https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
Archived version:
https://archive.ph/8cpN1
#Doxing #USPol #WorldPol #SilencingDissent #Infosec #CriminalizingDissent #StopCopCitiesEverywhere
RE: https://mastodon.social/@404mediaco/116178581339270397
If you're an activist, you can't rely on Proton Mail to keep your identity private unless you figure out how to pay them in a way that can't be linked back to you.
I'm not going to say that Proton was in the wrong here—they didn't do anything that they claim they won't do—but I will say that I think some people may have an inflated sense of the extent to which Proton can/will protect their privacy when the rubber hits the road.
#infosec #privacy
Tim Hergert boosted
A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
This dumb password rule is from Coppell, TX - Water Utility.
Local Utility with a password restriction of 30 characters. Better than some for sure, but still dumb.
https://dumbpasswordrules.com/sites/coppell-tx-water-utility/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Singapore Airlines.
`/[0-9]{6}/`
https://dumbpasswordrules.com/sites/singapore-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from PayPal.
Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol...
The rule limits special characters to !@#$%^&*(). But my current password has a "-" in it, so someone decided to restrict this further, which is totally backwards. Things are meant to get better, not worse!
https://dumbpasswordrules.com/sites/paypal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
I am seeing a lot – a *lot* – more spam than before. I am not the only one. Seems like some larger phishing campaign got kicked off?
I wonder if this is related to the aggression on Iran.
This dumb password rule is from Kryterion Webassessor.
I was quite surprised to see this when I was registering for my Google Professional Cloud **Security** Engineer certification. Nice part is that they **don't allow quotes** as a special character, so I assume there possibly might be some other issues on their backends. :-)
https://dumbpasswordrules.com/sites/kryterion-webassessor/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Think you’re anonymous online with your fake user name? Recent studies demonstrate that Large Language Models are becoming highly efficient at de-anonymizing internet users. By analyzing linguistic patterns, these models can link pseudonymous accounts to real identities with 85% accuracy. This process does not rely on leaked databases or IP addresses. It focuses entirely on the unique way you construct sentences and use specific vocabulary across different platforms.
The era of hiding behind a screen name is effectively over because your writing style is a biometric marker. A model can scan millions of posts to find a match between an anonymous whistleblower and a public profile. This capability transforms stylometry from a niche forensic tool into a scalable method of mass surveillance. Time to rethink digital privacy when our own habits of expression become the very data points that betray us.
🧠 LLMs identify users by matching unique linguistic fingerprints.
⚡ The accuracy rate for identifying individuals across platforms is 85%.
🎓 Anonymity now requires actively masking your natural prose.
🔍 Automated deanonymization poses a direct threat to journalists and whistleblowers.
https://arstechnica.com/security/2026/03/llms-can-unmask-pseudonymous-users-at-scale-with-surprising-accuracy/
#Privacy #Cybersecurity #AI #DataProtection #security #cloud #infosec
There are scam notifications about "monetization" on here going around.
👉 Don't fall for them.
👉 Don't click the link.
👉 Report and block on sight.
There is no monetization scheme on mastodon.social, nor any other fedi instance I know of.
Stay safe!
This dumb password rule is from Fidelity.
No more than 20 characters and leave out characters commonly used by
programmers. We don't want you to hack the mainframe.
https://dumbpasswordrules.com/sites/fidelity/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Mini Blue Team Diaries story:
An alert came into our team because a machine was making a series of unexpected connections to abnormal destinations. Specifically, the connection that triggered the alert was SSH to an IP in Singapore.
Investigated the machine and found that it was used to self host Atlassian Confluence.
That same day, some 0day in Confluence was making the rounds, and it didn’t take long to determine that the exploit was how the machine got compromised.
Working with the team that owned the server, we were helping clean it up, when we noticed something strange - the attackers had managed to elevate themselves to root, which of course, made their lives much easier.
But how? The Atlassian 0day would’ve given them access for sure, but not as root. They would’ve inherited the permissions Confluence was running under.
We began to try and understand what local priv escalation vulnerability they’d used to become root on the machine - but we couldn’t find anything.
Finally, I asked outright, “folks, was the web facing Confluence app running as root this whole time?”
“Yes. It was the only way we could get it to run,” came the answer.
It was at this point I ordered that server burnt to the ground, and a hastily arranged migration to hosted Confluence took place.
For more, less mini stories like this one, check out the Blue Team Diaries series of stories, part of the Infosec Diaries series.
Show of hands, who had TPMS (Tire Pressure Monitoring System) as a threat vector to privacy on their bingo card?
https://networks.imdea.org/your-cars-tire-sensors-could-be-used-to-track-you/
This dumb password rule is from Benergy4.
12 to 25 characters, only these special chars allowed: @+/'!#$^?:,.(){}[]~-.
Also, security questions.
https://dumbpasswordrules.com/sites/benergy4/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
@nixCraft #ImpactedByObjects
the new #privacy #infosec threat
#iranwar
my laptop was impacted by objects
my datacenter was impacted by objects