There's this guy that sits next to me in a class.

Guy: Hey, you're a hacker right?
Me: I'm a programmer.
Guy: Can you hack into my email account?
Me: Nope, I work in a different field of computer science.

In reality, I want to give him a piece of my mind.

I already know his email so I open up the login page and enter it. I click "forgot password", and it asks for his favorite teacher's name. Keep in mind that he made this account this year.

Me: So anyways, who's your favorite teacher?
Guy: *proceeds to give me favorite teacher's name*
Me: 🤦‍♂️

I change his password and log into his account. After that, I show him and tell him about how he should keep his account secure.

He left class with a priceless look on his face.

At my company we need to change our passwords every month and every month I add a an extra exclamation mark at the end of my password. Now after 5 years there is an unbearable amount of exclamation marks so I tried to change my my password to 'beefstew'.

Apparently it wasn't stroganoff.

Me - "Has anyone changed the password on the print computer"
Him - "It's the same one."
Me - "Carrots99?"
Him - "Yeah, what's the message that comes up?
Me - "Password is incorrect."

The dumbest conversation I've ever had in my fucking life. You little shit, I know you changed the password just to fuck with people. You've been reading too many books on elevating yourself, tried to be important for something. It means fuck all if you can't remember what you changed it to. So you held up two hours of my work, not to mention everyone else, because you can't help but stick your beak in shit. You dont think people can't see what youre doing? Watching you scurry over to the computer with a big smile, only a to fuck off silent as a mouse not to be seen mumbling some shit about a system administrator. Yeah you forgot it you prick.

Stop sucking up to the boss, and commanding people on what to do, when you're as junior as junior gets. Don't change our fucking passwords, just so you can have the whole team approach you the next day asking for you, then not remember them. You cunt.

!rant
I found ftp server login creditals from a company on google, wrote them they should change their password and they sent me a 20€ Amazon gift card.

Password is not case sensitive, but requires at least two uppercase and two lowercase letters

I get that fingerprint authentication is very convenient but I'd never use it (not even for privacy reasons that much).

When someone guesses/gets your password you can just say "alright let's change my password"

Imagine that with fingerprints: "yeah sure let me change my fingers"

😆

This is super childish but it's the gameserver insidstry and karma is a bitch.

TLDR: I hacked my boss

I was working for a gameserver and I did development for about 3 months and was promised pay after the network was released. I followed through with a bunch of dev friends and the guy ended up selling our work. He didn't know that I was aware of this as he tried to tell people to not tell us but one honest person came forward and said he sold our work for about 8x the price of what he owed ALL OF US collectively.

I proceeded to change the server password and when he asked why he couldn't log in I sent him an executable (a crypted remote access tool) and told him it was an "encryption tunnel" that makes ssh and file transfers secure. Being the idiot that he is he opened it and I snagged all of his passwords including his email and I changed them through a proxy on his machine to ensure I wouldn't get two factored with Google. After I was done I deleted system 32 :3

!rant
So it turns out that my dad accidentally took my spare laptop on a work trip. He's about as non-tech as you can get, and that laptop runs...Arch Linux. Yeah.

(call from dad)
M: hi dad
D: what's your desktop password?
M: (confused) {Password}
D: okay.
(cuts the call)

M: *shrug*

(call from dad)
M: hi dad
D: so where is PowerPoint?! where's the Windows button?! I've been at this for half an hour now and I have to edit a presentation for tomorrow!!
M: (realizes what's happened) oh...uh...dad...that's.. Linux...
D: don't you people do anything the way it's supposed to be done?
M: uh...
D: ugh! So you can't edit PPTs on this?
M: (processing...LibreOffice isn't installed on the laptop, and he will have to use the command line to connect to the internet to use Office Online or Google Slides since the Deepin WiFi module keeps fucking up for some reason)
D: well?
M: (internal sigh) No, you can't edit PPTs on that.
D: wow.
(cuts the call)

He either thinks we're all useless or that we have godlike computer skills to be able to edit PPTs on Linux. Oh well.

(He managed to use the hotel's "workstation" to get it done, so all is well. I should tell him to change his password though, hotel computers have rubbish security.)

Trying to login...
"Sorry your password is expired. You have to change the password every 60 days".

«Oooh, c'mon...» Inserting a new password...
"The password must contain at least 1 lowercase letter, 1 uppercase letter, 2 numbers and 1 non-alphanumeric character.

«Please, fuck off and die...» Typing again and eventually entering to private area...

My phone vibrate, there is a new SMS: "Your new password is H0lySh1t!"

WTF. Are you serious?

Sister = bee ( who isn't a stranger to Ubuntu)
Me = Cee

Bee: can I use your laptop?
Cee : why ? Use yours ,it's works fine.
Bee : no I want to use yours and I need to work with windows.
Cee: 🤯
Bee : my work can only be done using windows.
Cee : fine do whatever ( doesn't want to argue )
* Le bee opens MS word, and starts her work *
Cee : 😤😤Seriously?
Bee : I don't like libre
Cee : 😑😑😑^∞
* Few moments later *
Bee : my work is done ,you can have your laptop,btw it's updating.
Cee : 😑😑😑😑😑
* 2000 years later *
*Opens Ubuntu *
*Getting a weird bug*
*Tried to fix *
*Can't open OS files * 👏👏👏🎆
* Windows not shutdown properly *
* Opens windows *
* Not able to login via pin *
* Password ? not accepted *
* Changes outlook password *
* Please chose a password you haven't chosen before *
* Logs in *
* types old pin to change pin *
*You've entered wrong pin too many times *
*System hanging a lot *
* Removes pin *
* Gets huge mcAfee restart system popups , every 10 sec *
* Just shutdown , feels irritated for the rest of the day*

* Regrets dual booting, shd have wiped the windows partition 😫😫*

*Wonders,what the hell did my sister even do to my laptop ?*

My local MySql: "root"/""

Project Manager: You used a hash/salt to encrypt the password in our customer database?

Me: Yes.

Project Manager: That's mean we will not be able to see the password?

Me: That's the whole point. Why would you want to see what password customer is choosing?

Project Manager: Change it. Use random encryption method.

haveibeenpwned: MASSIVE SECURITY BREACH AT COMPANY X, MILLIONS OF RECORDS EXPOSED AND SOLD, YOUR DATA IS AT RISK, please change your password!

Company X website: Hey your password expired! Please change it. Everything's fine, wanna buy premium? The sun is shining. Great day.

I wonder why banks are always so terribly insecure, given how much money there's for grabs in there for hackers.

Just a while ago I got a new prepaid credit card from bpost, our local postal service that for some reason also does banking. The reason for that being that - thank you 'Murica! - a lot of websites out there don't accept anything but credit cards and PayPal. Because who in their right mind wouldn't use credit cards, right?! As it turns out, it's pretty much every European I've spoken to so far.

That aside, I got that card, all fine and dandy, it's part of the Mastercard network so at least I can get my purchases from those shitty American sites that don't accept anything else now. Looked into the manual of it because bpost's FAQ isn't very clear about what my login data for their online customer area now actually is. Not that their instruction manual was either.

I noticed in that manual that apparently the PIN code can't be changed (for "security reasons", totally not the alternative that probably they didn't want to implement it), and that requesting a forgotten PIN code can be done with as little as calling them up, and they'll then send the password - not a reset form, the password itself! IN THE FUCKING MAIL.

Because that's apparently how financial institutions manage their passwords. The fact that they know your password means that they're storing it in plain text, probably in a database with all the card numbers and CVC's next to it. Wouldn't that be a treasure trove for cybercriminals, I wonder? But YOU the customer can't change your password, because obviously YOU wouldn't be able to maintain a secure password, yet THEY are obviously the ones with all the security and should be the ones to take out of YOUR hands the responsibility to maintain YOUR OWN password.

Banking logic. I fucking love it.

As for their database.. I reckon that that's probably written in COBOL too. Because why wouldn't you.

'Incorrect password.'

"I must've forgotten the password. Let me change it".

'Old and new passwords cannot be same'

o_O

User: I can't access the system, it keeps asking me to change my password!
Me: ....
Me: Tried changing your password?
User: Not yet

I'm trying to sign up for insurance benefits at work.

Step 1: Trying to find the website link -- it's non-existent. I don't know where I found it, but I saved it in keepassxc so I wouldn't have to search again. Time wasted: 30 minutes.

Step 2: Trying to log in. Ostensibly, this uses my work account. It does not. Time wasted: 10 minutes.

Step 3: Creating an account. Username and Password requirements are stupid, and the page doesn't show all of them. The username must be /[A-Za-z0-9]{8,60}/. The maximum password length is VARCHAR(20), and must include upper/lower case, number, special symbol, etc. and cannot include "password", repeated charcters, your username, etc. There is also a (required!) hint with /[A-Za-z0-9 ]{8,60}/ validation. Want to type a sentence? better not use any punctuation!

I find it hilarious that both my username and password hint can be three times longer than my actual password -- and can contain the password. Such brilliant security.

My typical username is less than 8 characters. All of my typical password formats are >25 characters. Trying to figure out memorable credentials and figuring out the hidden complexity/validation requirements for all of these and the hint... Time wasted: 30 minutes.

Step 4: Post-login. The website, post-login, does not work in firefox. I assumed it was one of my many ad/tracker/header/etc. blockers, and systematically disabled every one of them. After enabling ad and tracker networks, more and more of the site loaded, but it always failed. After disabling bloody everything, the site still refused to work. Why? It was fetching deeply-nested markup, plus styling and javascript, encoded in xml, via api. And that xml wasn't valid xml (missing root element). The failure wasn't due to blocking a vitally-important ad or tracker (as apparently they're all vital and the site chain-loads them off one another before loading content), it's due to shoddy development and lack of testing. Matches the rest of the site perfectly. Anyway, I eventually managed to get the site to load in Safari, of all browsers, on a different computer. Time wasted: 40 minutes.

Step 5: Contact info. After getting the site to work, I clicked the [Enroll] button. "Please allow about 10 minutes to enroll," it says. I'm up to an hour and 50 minutes by now. The first thing it asks for is contact info, such as email, phone, address, etc. It gives me a warning next to phone, saying I'm not set up for notifications yet. I think that's great. I select "change" next to the email, and try to give it my work email. There are two "preferred" radio buttons, one next to "Work email," one next to "Personal email" -- but there is only one textbox. Fine, I select the "Work" preferred button, sign up for a faux-personal tutanota email for work, and type it in. The site complains that I selected "Work" but only entered a personal email. Seriously serious. Out of curiosity, I select the "change" next to the phone number, and see that it gives me four options (home, work, cell, personal?), but only one set of inputs -- next to personal. Yep. That's amazing. Time spent: 10 minutes.

Step 6: Ranting. I started going through the benefits, realized it would take an hour+ to add dependents, research the various options, pick which benefits I want, etc. I'm already up to two hours by now, so instead I decided to stop and rant about how ridiculous this entire thing is. While typing this up, the site (unsurprisingly) automatically logged me out. Fine, I'll just log in again... and get an error saying my credentials are invalid. Okay... I very carefully type them in again. error: invalid credentials. sajfkasdjf.

Step 7 is going to be: Try to figure out how to log in again. Ugh.

"Please allow about 10 minutes" it said. Where's that facepalm emoji?

But like, seriously. How does someone even build a website THIS bad?

If I were in charge of the company's upcoming-required-password-change notification system, during the month of October users wouldn't get an email.

Instead, the phone would ring.

When they answer, at first there'd just be hissing and crackling.

Then after a few seconds, a kid's voice would whisper,

"Three daysss..."

TL;DR: Fuck you Apple.

10:30 PM, parent needs iPhone update to update Messenger. How hard can this be?
Need to update iPhone from 9.x to latest, which is so outdated it still required iTunes. Fk.

Boot iTunes on Windows 10 pc that is at least 10 years old.
Completely unresponsive
Crash in task manager
Launch and is completely unresponsive. (Also starts playing unrequested music.. Oh joy..)
Fuck this, go to apple.com to download iTunes exe
Gives me some Microsoft store link. Fuck that shit, just give me the executable
Google “iTunes download”. click around on shitty Apple website. Success.
Control panel. Uninstall iTunes. (Takes forever, but it works)
Restart required (of fucking course).
2 eternities later. Run iTunes exe. Restart required. Fk.
Only 1 eternity later. Run iTunes, connect iPhone.
Actually detects the device. (holy shit, a miracle)
Starts syncing an empty library to the phone. Ya, fuck that.
Google. Disable option. Connect phone. Find option to update.
Update started. Going nowhere fast. Time for a walk at 1:00 AM punching the air.
Come back. Generic error message: Update failed (-1). Phone is stuck installing update. (O shit)
1x hard reset
2x hard reset
Google. Find Apple forum with exact question. Absolutely useless replies. (I expected no less)
Google recovery mode. Get into recovery mode.
Receive message: “You can update, but if it fails, you will have to reset to factory settings”. Fuck it, here we go.
Update runs (faster this time). Fails again. Same bullshit error message. (Goddammit, fuck. This might actually be bad.)
Disconnect phone.
… It boots latest iOS version. (holy shit, there is a god)
Immediately kill iTunes. Fuck that shit.
Parents share Apple account
Sign in, 2FA required.
Fat finger the code.
Restart “welcome” process.
Will not send code. What. The. Fuck.
Requests access code on other parent’s iPhone.
No code present. What???
Try restarting welcome process again. No dice. (Of course)
Set code on other parent’s iPhone.
Get message “Code is easy to guess”. Ya. IDGAF
Use code on newly updated iPhone. Some success.
Requires reset of password.
Password cannot be the same as old password (Goddammit)
Change password.
Welcome process done.
Sign in again on same phone after welcome process done in settings. (Nice.)
Sign in again on other phone with updated password
Update Messenger.
Update hangs. Needs more space.
Delete shit.
Update frozen in App Store (Really??)
Restart iPhone.
Update Messenger.
Update complete past 2. Well that was easy.

Apple, fuck you.
Some call Android unintuitive, but I look at the settings app on iPhone and realize you aren’t any better.
This company hasn’t been innovative since 2007. Over 1000 USD for a phone? Are you fucking kidding me?
Updating an iPhone from iOS 9.x is probably uncommon anymore. But this is a fucking joke. Fix your shit.
Shit like this is why I’ll never again own an Apple product. I have HAD IT with the joke of a business.

Thanks for reading.

Bank forces me to change my password. Figured I'd use Safari's strong password generation. Submit. Password changed.

Go to log in with new password. Password not saved because I had previously told Safari not to save this site's password.

Okay… so the strong password you JUST generated and submitted without showing me is now my banking password but neither of us knows what it is?

Fucking brilliant. I mean at least let me fucking copy it so I can store it in my password manager. The most hilarious thing is the message that appeared on the generated password saying my password would be available from Safari preferences. Yup, nope. Nothing there except a note saying no passwords will be stored for this site.

This is the state of Apple in 2018, folks. Fucking sad.

I have bank accounts with 5 different banks.
I HAVE TO use 4-5 different government websites.

Every fucking place: you cannot use these "~-/;^"(some others too) symbols in your password.

Are you freaking fucking kidding me!! And all of them have a limit of 12or15 characters.

If this wasn't mind numbingly stupid enough, they fucking go ahead and force you to change password every fucking month or two.

THIS IS NOT SECURITY. YOU SHOULDN'T FORCE SOMEONE TO LIMIT THERE PASSWORDS TO:
- CERTAIN CHARACTERS
- A 15 CHARACTER SIZE LIMIT
- THRN OVERTHAT, FORCE TO CHANGE PASSWPRDS PERIODICALLY.

ALL THE 5 MAJOR FUCKING BANKS IN INDIA.

FUUUUUCCCCKKKKK YOUU 🖕

Really!? WTF would you even write a confirmation message reminding me to contact the admin if I didn't request my password change on this screen!?!? Of course I wanted my password changed, I just entered my new password. That type of crap is what you should e-mail me AFTER my password changes.

Registered for a job application website and on profile page I see my password in clear type! ...

Time to change password to an easy one and remove profile as fast as possible...

Story goes on: changed password which included a special char successfully.
Tried to remove the account but was told password has invalid chars.

Logged off to see if the password still works. Can't login anymore...

Instant rant mail to admit.

So, a rather unfortunate bug on the Minecraft website.

Minecraft allows you to change your name every 30 days. I was reverse engineering their API so I could use it personally.

On the username change form there are two fields: your desired username, and your password.

To protect myself from actually changing my name, I purposefully put in password123 so that it would fail. Then, I clicked "Change name" to monitor the network traffic.

Well that's when two unfortunate things combined.

#1: I used my last name to test. It's a unique word that is relatively short and very easy for me to type out of habit.

#2: That password field doesn't actually get validated.

So imagine my shock when I clicked "change username" and it WORKED.

And now my username is doxxing me for at least 30 days + the permanent name history

FUCK me

Sometimes I wonder how compromised my parents online security would be without my intervention.

My mom logged into her gmail and there was an red bar on top informing about Google preventing an attempted login from an unknown device.

Like typical parents / old people, that red bar didn't caught her attention but I noticed it immediately. I took over and looked into it. It showed an IP address and a location that was quite odd.

I went ahead with the Account security review and I was shocked to find that she had set her work email address as the recovery email!!

I explained her that work email accounts cannot be trusted and IT department of the workplace can easily snoop emails and other info on that email address and should not be related to personal accounts.

After fixing that issue, me being a typical skeptic and curious guy, I decided to find more info about that IP address.

I looked up the IP address on a lookup website and it showed an ISP that was related to the corporate office of her workplace. I noticed the location Google reported also matched with the corporate office location of her work.

Prior to this event, few days ago, I had made her change her gmail account password to a more secure one. ( Her previous password was her name followed by birth date!! ). This must have sent a notification to the recovery mail address.

All these events are connected. It is very obvious that someone at corporate office goes through employees email addresses and maybe even abuse those information.

My initial skeptism of someone snooping throguh work email addresses was right.

You're welcome mom!

The gym I go to has an app for user's to scan a QR code when they arrive and it has multiple HUGE issues.

This app shows the credit card info used for the direct debit without anything being redacted.

When the gym is signing up someone they give them a password so they can login, not too bad except the password is always the person's first name with the first letter capitalised.

This gets worse when you figure out that their is no way to change the password given to you AT ALL.

And just to top it all off, when you click the "Forgot Password" link on the login screen, the app just sends you an email with your password (your first name) in plain text.

The app also doesn't log you out or notify you if your login is used on a different device.

So I have tested this with 2 of my friends that go to the same gym and, with only knowing their email and first name (which I could have gotten from their email if I didn't know them), I can get into their app and see their credit card info without them being any the wiser.

"The default password is your birthday"
They don't even make you change it

Best part about the covid19 manufactured crisis?
Liquor stores deliver. Worst part about liquor stores delivering? Needing to use their shoddy websites.

I've been using a particular store (Total Wines) since they're cheaper than the rest and have better selection; it's quite literally a large warehouse made to look like a store.

Their website tries really hard to look professional, too, but it's just not. It took me two days to order, and not just from lack of time -- though from working 14 hour days, that's a factor.

Signing up was difficult. Your username is an email address, but you can't use comments because the server 500s, making the ajax call produce a wonderfully ambiguous error message. It also fades the page out like it's waiting on something, but that fade is on top of the error modal too. Similar error with the password field, though I don't remember how I triggered it.

Signing up also requires agreeing to subscribe to their newsletter. it's technically an opt-in, but not opting-in doesn't allow you to proceed. Same with opting-in to receiving a text notification when your order is ready for pickup -- you also opt-in to reciving SMS spam.

Another issue: After signing up, you start to navigate through the paginated product list. Every page change scrolls you to the exact middle of the next page. Not deliberatly; the UI loads first, and the browser gets as close as it can to your previous position -- which was below that as the pagination is at the bottom -- and then the products populate after. But regardless of why, there is no worse place to start because now you must scroll in both directions to view the products. If it stayed at the very bottom, it would at least mean you only need to scroll upwards to look at everything on the page. Minor, but increasingly irritating.

Also, they have like 198 pages of spirits alone because each size is unique entry. A 50ml, 350ml, 500ml, 750ml, 1000ml, and 1750ml bottle of e.g. Tito's vodka isn't one product, it's six. and they're sorted seemingly randomly. I think it's by available stock, looking back.

If you fancy a product, you can click on it for a detail page. Said detail page lists the various sizes in a dropdown, but they're not sorted correctly either, and changing sizes triggers a page reload, which leads to another problem:

if you navigate to more than a few pages within a 10 or so second window, the site accuses you of using browser automation. No captcha here, just a "click me for five seconds" button. However, it (usually) also triggers the check on every other tab you have open after its next nagivation.

That product page also randomly doesn't work. I haven't narrowed it down, but it will randomly decide to start failing, and won't stop failing for hours. It renders the page just fine, then immediately replaces it with a blank page. When it's failing, the only way to interact with the page is a perfectly-timed [esc], which can (and usually does) break all other page functionality, too. Absolutely great when you need to re-add everything from a stale copy of your signed-out cart living in another tab. More on that later. And don't forget to slow down to bypass the "browser automation" check, too!

Oh, and if you're using container tabs, make sure to open new tabs in the SAME container, as any request from the same IP without the login cookie will usually trigger that "browser automation" response, too.

The site also randomly signs you out, but allows you to continue amassing your cart. You'd think this is a good thing until you choose to sign in again... which empties your cart. It's like they don't want to make a sale at all.

The site also randomly forgets your name, replacing it with "null." My screen currently says "Hello, null". Hello, cruft!

It took me two days to order.
Mostly from lack of time, as i've been pulling 14 hour shifts lately trying to get everything done. but the sheer number of bugs certainly wasted most of what little time i had left. Now I definitely need a drink.

But maybe putting up with all of this is worthwhile because of their loyalty program? Apparently if you spend $500, you can take $5 off your next purchase! Yay! 1%! And your points expire! There are three levels; maybe it gets better. Level zero is for everyone; $0 requirement. There are also levels at $500 and $2500. That last one is seriously 5x more than the first paid level. and what does it earn you? A 'free' magazine subscription, 'free' classes (they're usually like $20-$50 iirc), and a 'free' grab bag (a $2.99 value!) twice per month. All for spending $2500. What a steal. It reminds me of Candy Crush's 3-star system where the first two stars are trivial, and the third is usually a difficult stretch goal. But here it's just thinly-veiled manipulation with no benefit.

I can tell they're employing some "smarketing" people with big ideas (read: stolen mistakes), but it's just such a fail.

The whole thing is a fail.

My argument: Password change policies (every 3, 6 moths, etc.) are a detriment to security because users will either come up with simple, throw-away passwords (knowing they will need to change them soon anyways) or use the same password anyways with a few variations.

Discuss.

Recently, one of our passwords was accidently published on a public page for a few minutes before it was noticed and removed. Unfortunately, this password opens nearly every locked account so it's a pretty big deal.

Management was informed of this mistake and told that we should change the passwords as well as implement a few other protocols to make sure this doesn't happen again including things like unique passwords, more secure passwords, using a password manager, etc.

Their response? It wasn't online long, probably no one saw it. There will be no changes in how we handle ours or our clients' secure passwords.

Just received a mail from my college that my college's student account password does not contain any special characters and I should change it immediately. Wtf? How did they know that?

The "Change Password" function autofilled the old password. Dev told be it didn't matter because "if you set the field type to password you can't see it".

My mobile provider doesn't allow me to set a password that contains any other symbol than letters and numbers for the website where you can look at how much data you consumed (and can order new data, change plans, etc.). Are you kidding me. This is making shit insecure, you fucks!

CR: "Add x here (to y) so it fits our code standards"
> No other Y has an X. None.

CR: "Don't ever use .html_safe"
> ... Can't render html without it. Also, it's already been sanitized, literally by sanitize(), written by the security team.

CR: "Haven't seen the code yet; does X change when resetting the password?"
> The feature doesn't have or reference passwords. It doesn't touch anything even tangentially related to passwords.
> Also: GO READ THE CODE! THAT'S YOUR BLOODY JOB!

CR: "Add an 'expired?' method that returns '!active'?"
> Inactive doesn't mean expired. Yellow doesn't mean sour. There's already an 'is_expired?' method.

CR: "For logging, always use json so we can parse it. Doesn't matter if we can't read it; tools can."
CR: "For logging, never link log entries to user-readable code references; it's a security concern."
CR: "Make sure logging is human-readable and text-searchable and points back to the code."
> Confused asian guy, his hands raised.

CR: "Move this data formatting from the view into the model."
> No. Views are for formatting.

CR: "Use .html() here since you're working with html"
> .html() does not support html. It converts arrays into html.

NONE OF THIS IS USEFUL! WHY ARE YOU WASTING MY TIME IF YOU HAVEN'T EVEN READ MY CODE!?

dfjasklfagjklewrjakfljasdf

The cleaning lady saga continues yet again..

Here in Belgium, cleaning ladies are paid with cheques. All fine and dandy, and apparently the parent organization (Sodexo) even migrated to digital cheques. Amazing!!!

If only they did it properly.

Just now I received an email with my login data.
Login: ${FIRSTNAME}${FIRST2CHARSOFLASTNAME}
Password: I won't reveal the amount of characters.. but it's not even hex. It's just uppercase letters, and far from what I'd deem even remotely secure. Hopefully I'll be able to change that shitty password shortly, and not get it mailed back, even when I ask for recovery. Guess I'll have to check that later - the person who made that account was pretty incompetent when it comes to tech after all. Don't ask me why they did it instead of me. I honestly don't really know either.

With that said, this is a government organization after all... Can I really expect them to hash their passwords?

Real fact: 1999

IT: IT, how can I help?
MrB: I'm Butcheek. This program is shit, I can't even log-in!
IT: oh.. Ok Mr. Butcheek, let’s see if I can help...
MrB: of course you can: fix this shitty program and made me log in!
IT: I’ll try to do my best to assist you, can you...
MrB: I just want to log in! Can you speak my language? This new program is ridiculous, I wonder why you IT guys changed the old one, it was a mess but at least I could log in...
IT: I'm sorry you are experiencing this problem, but to assist you I need to know exactly what's the problem
MrB: I CANT LOG IN!!!
IT: ok, I understand this, but can you please provide some more information? Do you receive any particular error messages?
MrB: it says “wrong password” but it's not true!
IT: Ok, that's strange. Look, I'm resetting your password and then you will try again. At the first log in you will be asked to change it again, ok?
MrB: just be quick, I can't waste any more time on this!
IT: sure... Ok done. Please, can you try again? The password is “butcheek”
MrB: it asks for the username. What am I supposed to write here?
IT: “butcheek”
MrB: oh... Ok. And what's the password?
IT: “butcheek”
MrB:... No... Wait... Ok, “butcheek” is the password but what's the username?
IT: “butcheek”!
MrB: you don't understand, I have to put both username AND password!
IT: I know! “butcheek”! For both username AND password!
MrB: so I have to write “butcheek”-”butcheek”?
IT: yes, “butcheek”-”butcheek”!
MrB: so... “butcheek”...twice? Sounds weird... are you sure?
IT: yes I'm sure! However, you can choose either to write “butcheek” twice or “ASS” once, if you prefer...

Not really hacking, but my roommate says otherwise. So we share a router in the apartment and I’m the only one that really knows how to access it, so of course I change the password and tell no one (not like they’ll try to get in anyway).
Occasionally set roommate likes to get blackout and play music very loud at 2am. To be petty, on those occasions I set up an RPi Zero to connect to the WiFi, restart it, and sleep for a minute, and repeat. He’s still convinced we are getting DDOSd, and suspects nothing.

Reason I don’t just set parental controls - he gets more frustrated when the WiFi appears for 10secs, the music is just about to start and shuts off again. So he gives up quicker. Otherwise, he resets the router and I have to set up everything from the start.

!dev but actual long rant - about the students in my grade.

TL;DR: 1 asshole in 10 people can ruin everything. Mobbing sucks. I dislike parties.

There's the word "Jahrgang" in Germany which means the people in the same school year as you. I'll refer to it as "my (collective) classmates" although we don't have classes anymore, rather courses and I also mean those I do not have courses with.

With that out of the way, let the rant begin.

It's often the case that people with high logical and intellectual skills (no being arrogant, other people categorize me like that) have a lack of social skills - or empathy.

I'm a kind of an outsider in a way that since 10th grade I stopped trying to attach myself to certain groups since I do not fit in there. I'm fine with that now. Nowadays I can at least socialize with other nerds.

Here's why I dislike the collective of my classmates. This year is my last school year and as always, a big group forms a spirit. They have a theme (superheroes - super boring). I didn't go to any party they threw and I don't plan to go to the graduation ceremony as well since it's an unofficial party and not a school event. I hate parties. I hate alc and drunken teenagers. I didn't attend the "Kursfahrt" - a kind of excursion that's like holidays with your course - mainly because I dislike my "Stammkurs" (main course).

Why? I had a friend in this course. She was short, geeky and I could actually talk to her. Yet some jerks (not intensely) bullied her because "she was awkward" and in the end, she switched school - also because of other reasons.
When she was gone, even those who didn't bully her and who are considered "nice" made fun of her and talked badly about her - and me hanging around with her. So since then, I avoid anything with them that's not 100% school related.

Now they're planning what we call "Abigag" - it's a joke/prank the graduates pull on the school and younger students, something funny like an entrance room full of balloons and many other things. Also, the "Abizeitung", the yearbook the graduates put out with articles about their courses, teacher ranking and quotes etc. Also, a cabaret evening from the graduates to collect money for the graduation party. Cool stuff actually. I thought about taking part.

I'd say my talents are creativity and computer stuff. So a friend chatted with me about nerdy pranks like a school-wide wallpaper change. Or releasing a fake password list of the teachers - claiming we hacked them - with puns and insiders about the teaches. He said he gotta invite me into the WhatsApp group of the Abi prank. Disclaimer: He's one of those people who are socialized but still able to talk with me. He's fine.

Well guess what he told me later:

They don't want me on the team since I distance myself from my classmates. I should either be fully one of them or not at all.

That's enough. Who distances whom? I thought they were happy to have me on board but horse shit! Stuck with ideologies from the 19th century.
They can lick my ***. I don't have anything against most of them in person but as a collective, they're just fucking stupid. I guess it wasn't even the majority saying they don't want me to help. It was probably just the small crew of leading and loud jerks. And no one would disagree with them saying "Why not? He wants to help?" (even if it was their opinion) - they don't have the brain or balls to say anything against the strong idiot leaders. They'll do great later in politics as an adult - they wouldn't criticize Hitler if they were under his "protection".

So I won't take part in making Abi pranks, - but also not the Paper and cabaret eve. They can go jerk off to being part of a huge collection of assholes - which I, in all my pride, am not part of other than on paper.

(Disclaimer: No critics to other outsiders but those who were engaged and responsible for the choice of not letting me help)

If anyone actually read this:
Who were/are you in school times?
A proud outsider like me? Party boi/girl? Engaged striver?

So today I decided to change the passwords on some online accounts...

Sony: "Don't use the same symbol twice in a row. Oh, and how about 4 reset emails because the first 3 times it won't work?"

Me: "Okay, this password meets all requirements"

Sony: "I don't believe you lol."

Twitch: "Error: Your password length must be between 8 and 40 symbols!"

Me: "But mine has 24 symbols and the password field shows a green checkbox"

Twitch: "Error: Your password length must be between 8 and 40 symbols!"

Aaaargh! Did they hire toddlers as interns or something?

CAN YOU PLEASE UPDATE TO 2018!!!

My bank just sent me a message, that they have a new service where you can send a private message to your banker.

I needed to transfer money, and didn't have my cheque book on me, so I sent him a message to please transfer XX dollars to account YY.

His response?
Please send us a fax.

A FAX?? ARE YOU SERIOUS??

And that is supposed to be more secure than a private message from your website, after you force me to change my password every 90 days with crazy requirements that only satisfy hackers???

I told my friend that he will get his money when the bank updates the century they live in ...

Amazon: you're logged into 53 devices.

Me: ooooh Kay, since when do I have that many devices. let's sign out of em all and change the password for some piece of mind.

Spongebob: * a few hours past *

Spam email: someone in the US has logged into your account - click here to verify through some random URL that doesn't even contain "Amazon" in it 🥳

-

I suddenly have that feeling Amazon sells you're account setting changes and not just your personal details.

On a 5 hour bus ride for which the company advertised that they have WiFi. Technically they did, it just didn't seem to be connected to anything. (it was but it was unusable). I tried logging into the router as i always do and one default "admin" password later i was in.
I didn't want to mess up anything too badly, however i did change the wpa password to "YouShouldMakeThisABitMoreSecure"

I was never really fond of 2FA, mostly due to the pain in the ass it creates if you lose or can’t access the 2nd device or jumping between GAuth to access Password Manager to access a password to use a login 😱.

But when your phone prompts up with a “allow some Asian, access to you’re iCloud account” you feel a world of relief that you have:

1) a notification you’re account is no longer secure,

And,

2) an immediate ability to change passwords before any access is granted.

Now it’s 1 more password I no longer know due to it being a scrambled mess of characters.

PS: Fuck you, you low life shithead!

Worst one I’ve seen so far is when I was working for my previous community another developer joined to help me, without the permission of me or the other lead developer he pushed a client-side update. We didn’t think it was a big deal, but once we began reviewing the code it became a big deal... he had placed our SQL credentials into that file that every client downloads. All the person had to do was open the file and could connect to our SQL which contained 50k+ players info, primarily all in-game stuff except IPs which we want to protect at all costs.

Issue becomes, what he was trying to do required the games local database on the client-side, but instead he tried connecting to it as an external database so he decided to copy server-side code and used on the client.

Anyways, the database had a firewall that blocked all connections except the server and the other lead dev and myself. We managed to change the credentials and pull the file away before any harm was done to it, about 300 people had downloaded the file within an hours period, but nothing happened luckily. IP to the DB, username, password, etc, were all changed just to keep it protected.

So far this is the worst, hopefully it doesn’t get worse than this :/

I had security reopen our test-user last week. I could run the tests once, then they started failing with "blocked user due to too many attempts at logging in". Huh, that's weird. I go through everything, every script, every scheduled task, every nook and cranny of every drive on every machine I could reach, and make sure the password is updated everywhere. Reopen account. Same shit.

I email around to some people, they don't use it, one guy asks if I checked x, y and z, I did. Then he's sure we don't use it anywhere else.

It's one of our fucking contractors that took one of our scripts (that they're supposed to have duplicate copies of) and forgot to change to their own credentials. That's literally the agreement, take our scripts and change the user and run them on your machines.

Afhfjdkdhdjdbd stop locking me out of everything with your incompetence. I email them, some cunt gets back to me asking for the new password. NO. USE. YOUR. OWN. CREDENTIALS. I KNOW YOU HAVE THEM, THEY'RE HERE IN THE LIST AND BEING USED IN ALL OTHER SCRIPTS AAAAAAAAAHHH

I think my server got hacked, yesterday I made a new server on scaleway for the sake of testing I made a user called dev, with password dev. Forgot to change password before I went to bed.

Logged in today to find that load is 5x.x and this (image) in my crontab

Note to self: You are a disgrace, who the hell uses 'dev' as password for ssh on port 22 -_-

NO FUCKING GOOD NIGHT FOR FLOYD.

THIS MULTI FACTOR AUTHENTICATION IS A FUCKING NIGHTMARE.

So my organisation uses some MFA app as an SSO to access any and everything. Fantastic. Absolutely wonderful. No VPN shit and one password to rule them all.

But, for some reason I accidentally deleted the app from my phone and as any normal human being would do, I also reinstalled the app.

Well, post reinstalling, the app does not detect the linked Org account.

I was cool, when I'll login, the system will throw a prompt to map the phone.

So I login to org URL from my machine and lo and behold, the URL says that MFA is already linked to the phone and I have to enter the Citrix type code to login.

But phone does not show the code because account is no longer linked and web does not have option to change/re-register the phone.

What the actual unholy fuck?????? Bloody retards. How am I suppose to get in now?

So after a Googling for a bit, a thread mentioned that this is most common issue faced by users with this MFA app. The only way to get this resolved is to contact your IT team.

Cool. Let's do that.

I opened the link to my IT portal and it asks me to login via SSO which is what I need help with in first place.

I can't login to Slack because fuckers ask SSO every time the app is exited. So no contact there.

Thankfully bastards allow Outlook so was able to drop a note to one of my team member, whom I connected recently and is very nice, asking her to help me sort this IT team.

If this is the most common use case then why the fuck not add a feature to help people overcome this shit?

And my IT team is absolute nuts. No other way allowed to reset the linking or connect them or any help links provided on login page.

Whoever was behind this design should be dipped in donkey shit and deep fried in pig urine.

So I Bought this bio metric pad lock for my daughter. She excitedly tried to set it up without following the directions( they actually have good directions on line) first thing you do is set the "master print" she buggered that up setting her print. So when I got home I was thinking, no problem I'll just do a reset and then we cant start again.

NOPE !!! you only have one chance to set the master print! after that if you want to reset the thing you need to use the master print along with a physical key that comes with it.

What sort if Moron designs hardware / software that is unable to be reset. Imagine how much fun it would be if once you set your router admin password it was permanent unless you can long back in to change it. Yea nobody has ever forgotten a password.

Well they are about to learn a valuable financial lesson about how user friendly design will influence your bottom line. people (me) will just return the lock to the store where they bought it, and it will have to be shipped back to the factory and will be very expensive for them paying for all of the shipping to and from and resetting and repackaging of the locks and finally shipping again to another store. Meanwhile I'll keep getting new locks until at no cost until she gets it right.

poor design

When you forget your password, go to change it and get greeted with:

"Your new password cannot be the same as your current password!"

Thanks to mandatory password change, today:

- My windows account got locked because my phone kept logging into wifi using
old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.

All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password"

*logs in to pc*
- Your password will expire in 3 days. Consider changing it.
+ yeah sure...
*tries to change password*
- Your password must be different from your old 25 passwords
+ ....
+ What the fuck?!? I mean, really, what the fuck is this bullshit? You force me to use EXACTLY 8 char long passwords and this? Fuck you!

So we are implementing a big and very complete localization management system on my company. The system has great features, indeed, but:

1. We cannot use the browser back button, because it is js and it appears no one cared about it (I am not a js Dev, but you can UAE the back button on my site that has js);

2. It is very customizable, but not intuitive. So you have one million options and you never know where to change what you need;

3. It has a save button everywhere, but most options are saved automatically, so you never know when you need to save. Actually, people from the webapp company use the save button as refresh, once we cannot use the browser refresh button;

4. Combo boxes load the elements while you scroll them, so to scroll to the bottom, you need to keep scrolling several times, waiting it to load the elements;

5. It does not allow you to open more than one tab of it at the same time. So if you need to see more than one information from different items, you need to navigate and wait the loading times to see what you need;

6. Emails are not sent in a different thread. So each action that send emails you need to keep waiting until the emails are sent (sometimes there are several emails sent in one action) to continue using it;

7. They not only store and send back your password by email if you loose it, but, as admin, if I click the button to send the user password to him/her, it keeps a copy of the email with the user password in my sent items;

8. To be able to send emails (they are really necessary), I need to include my SMTP info with login and password. So they have not only the system password saved, but everyone email login and password as well.

I am sure there is more, but I can't remember for now, and we are still trying to figure it out how to back our data, as it appears the only possible backup is their own.

Today my grandmother called and told me she wasnt able to login to her account for her ISP. Alright, maybe shes confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"

You and your fucking outdated auth practise can go and kindly fuck yourself. Fix this shit before I get real mad.

So... did I mention I sometimes hate banks?

But I'll start at the beginning.

In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...

Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.

So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).

The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).

The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?

Calling support, they claimed that it is a "technical neccessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.

However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.

And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.

So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown, 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.

So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.

Contract void. Sometimes, I love dealing with idiots.

And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?

Why the fuck did Oracle change their policies on the official JDK and made the website nigh impossible to use?!

It was shit from the 90s before, and now its still shit just modern.

Why do I have to register do get the JDK, you know Im going to use the fucking 10min mail. I just wanted to setup a freaking build server and I had to go over your retarded website that for some reason *refreshes* and erases the username field everytime I put in the wrong password. Why?

Why is oracle just outright bad at making websites?! Its always a maze to navigate and now it also takes seconds to even load...

This shit is why everyone uses openJDK and adopt. 3 billion devices running java?! Not with your jre/jdk they are not, because It's a pain to get... Don't me even get started on the mess it does on windows server. Why wasn't my JAVA_HOME set automatically?! I lost almost 2 hours because I trusted your piece of shit software to so the one job it has, even reinstalled it completely...

Get your shit together Oracle, this was unacceptable 10 years ago, let alone now

Tl;dr stupid password requirements

Begin quote

Password must not contain any non-alphanumeric characters.

Your Password change was not accepted. Enter your current Password correctly following the rules for New Passwords. Please try again.

Passwords must be between 8 and 12 characters in length and MUST contain each of the following:

At least 1 lower case character (a-z)
At least 1 upper case character (A-Z)
At least 1 numeric digit (0-9)

But, MUST NOT contain:

more than five repeating characters in a row (e.g. 111111356 would not be valid, but 112233445 would be valid)
spaces or other special characters

NOTE: Your new password cannot be the same as any of your 10 previous passwords.

End quote

Are you fucking kidding me? Only (26+26+10)^8 through
(26+26+10)^12 different passwords to go through? It's like the oxygen wasters that built this website give zero fucks about security.

Why? This is the site that manages money and investments. Just allow passwords up to 64 characters, allow any ascii character and just fucking encod the characters to prevent any Injunction.

I had to make an account for my kid's school.

Last night I start. I put in a username, then it has a quality meter for the password. I put one in and it goes to like 90%. Ok, fine. I submit and...

Validation error on the username field. Message? [object Object].

Try all different kinds of username: no numbers, all caps, etc. But no luck so I give up.

Today I try again and get stuck again. Then I think... "Maybe the devs suck worse than I think..."

I change the password so that it's rated 100% and submit... Success.

Fucking devs.

Ladies and gentleman, I've done it.
Remove your hacker game trophies from your wall.
That nasty bug you fixed a couple of nights ago? Meh.
Your top devRant post? You'll delete it after reading this.
Every awesome accomplishment you can think of: it all means shit now.

>> I have SUCCESSFULLY changed my business Microsoft account password into something I can remember AND Microsoft accepted it in under an hour of trying!!!!! <<

I want to say a big FUCK YOU to MICROSOFT for WASTING MY BLOODY TIME.

FUCK YOU for giving me a max of 16 characters. DASB&(*(&G*HH*& for telling me every time my password is 100% strength and then after every submit tell me I have to change it AGAIN because it should be harder to guess. WUT?! It was 16 characters including a (capital) letter, number and multiple special characters, WHAT ELSE DO YOU WANT FROM ME?! UNICODE EMOJI'S???!!! ALLOW ME TO USE MORE CHARACTERS SO I WILL MAKE IT HARDER TO GUESS IT, IT'S 2018 FFS.
I don't even understand why my new password is accepted compared to the other one, but fuck it I can access my account again.
Now I might have to find a new job before the company password policy kicks in again.

/me drops everything and walks out of the office to get wasted (not sure if celebrating or just really pissed off)

tl;dr:
The Debian 10 live disc and installer say: Heavens me, just look at the time! I’m late for my <segmentation fault

—————

tl:
The Debian 10 live cd and its new “calamares” installer are both complete crap. I’ve never had any issues with installing Debian prior to this, save with getting WiFi to work (as expected). But this version? Ugh. Here are the things I’ve run into:

Unknown root password; easy enough to get around as there is no user password; still annoying after the 10th time.

Also, the login screen doesn’t work off-disc because it won’t accept a blank password, so don’t idle or you’ll get locked out.

The lock screen is overzealous and hard-locks the computer after awhile; not even the magic kernel keys work!

The live disc doesn’t have many standard utilities, or a graphical partition editor. Thankfully I’m comfortable with fdisk.

The graphical installer (calamares) randomly segfaults, even from innocuous things like clicking [change partition] when you don’t have a partition selected. Derp.

It also randomly segfaults while writing partitions to disk — usually on the second partition.

It strangely seems less likely to segfault if the partitions are already there, even if it needs to “reformat” (recreate) them.

It also defaults to using MBR instead of GPT for the partition table, despite the tooltip telling you that MBR is deprecated and limited, and that GPT is recommended for new systems. You cannot change this without doing the partitions manually.

If you do the partitions manually and it can’t figure out where to install things, it just crashes. This is great because you can’t tell it where to install things, and specifying mount points like /boot, /, and /home don’t seem to be enough.

It also tries installing 32bit grub instead of 64bit, causing the grub installer to fail.

If you tell it to install grub on /boot, it complains when that partition isn’t encrypted — fair — but if you tell it to encrypt /boot like it wants you to, it then tries installing grub on the encrypted partition it just created, apparently without decrypting it, so that obviously fails — specific error: cannot read file system.

On the rare chance that everything else goes correctly, the install process can still segfault.

The log does include entries for errors, but doesn’t include an error message. Literally: “ERROR: Installation failed:” and the log ends. Helpful!

If the installer doesn’t segfault and the install process manages to complete, the resulting install might not even boot, even when installed without any drive encryption. Why? My guess is it never bothered to install Grub, or put it in the wrong place, or didn’t mark it as bootable, or who knows what.

Even when using the live disc that includes non-free firmware (including Ath9k) it still cannot detect my wlan card (that uses Ath9k).

I’ve attempted to install thirty plus times now, and only managed to get a working install once — where I neglected to include the Ath9k firmware.

I’m now trying the cli-only installer option instead of the live session; it seems to behave at least. I’m just terrified that the resulting install will be just as unstable as the live session.

All of this to copy the contents of my encrypted disks over so I can use them on a different system. =/

I haven’t decided which I’m going with next, but likely Arch, Void, or Gentoo. I’d go with Qubes if I had more time to experiment.

But in all seriousness, the Debian devs need some serious help. I would be embarrassed if I released this quality of hot garbage.

(This same system ran both Debian 8 and 9 flawlessly for years)

My mum just had to call me to change our home WiFi password, because she can't change it on her laptop.

She's pretty bad with technology, but she had to call me to do it, because no one else knew how to. Including my brother-in-law who designs IT systems for major banks and system admins working for the government.

She had to call me, from Hungary to do it. I live in Scotland.

More than 2 years ago I alerted management that the default password we use for client accounts (and two of the variations) were pwned in database breaches. Today we receive an all-staff email that management "has reason to believe this password may have been compromised" and that we needed to change it across the 1200+ accounts where it's being used (200+ clients, several accounts per client).

Is it unprofessional to send a few "I told you so" memes and gifs?

On chat today.
Dude: can you run a script for me? We don't have permission.
Me: what kind of script? Who wrote it?
Dude: posts screenshot of DML select/update statement he tried to run.
Me: I'm a DBA. We don't run DML for people.
Dude: Oh. Can you give me the password?
Me: examine script and notice he tried to run it on QA DB.
Me: No. We don't memorize passwords, and this is QA; you need to check the password out of the safe. You also need a change ticket to DevOps, and they will run it for you.

At that point I ended the discussion, because running anything in QA or Prod without a change ticket gets you fired. And I like my job. Really annoyed.

Hey Citrix:

FUCK YOU.

Learn to make an accessible log in page you fucks.

Maybe instead of vague fucking "you're user name and password is wrong" say things like "your account is locked because we somehow decided we don't like your password anymore. . . . without telling you"

Fucking 2 hours of my day wasted trying to log into my company's VM because first it wouldn't take my password (that I've had for over a month and doesn't expire for another month) over and over again. I changed it, logged in. Got up to do something that'd take less than 5 minutes. And OF COURSE the people who set up the VM made them log you out if you're gone for more than 3 minutes (fuck that guy too). Come back to a log in screen and it won't accept my new password.

Change it again. Except this time it won't accept my new password because it's "like my old password." It is in that it uses the alphabet and numbers, but it's also different in that those alphanumeric characters are LITERALLY DIFFERENT IN EVERY PLACE. I finally get it to accept a new password.

I'm also loving the whole "answer these security questions that literally anyone who does minimal research on you can answer" before I get to change my password. Yeah. Because finding my mother's maiden name or the city I was born in is so fucking hard. Literally impossible to find out what my Dad's dad's name is. Shit like that isn't publically available. Nope. Why the fuck are we still using "security" questions?

I log into Citrix again. And it takes me to . . . the log in for Citrix.

There is no word in elvish, entish or the tongues of men for this stupidity.

Fuck Citrix. Fuck the people behind the password manager (Aviator or something like that), and fuck whatever administrator setting turns my computer off due to inactivity in such a stupid short amount of time. 10 minutes, 15 minutes, that'd be fine. But it's more like 3 or 5, like wtf.

So I was logging into google today and my password is very long so I often make mistakes while typing it so I went to inspect element to change input type to text so that I can check the password and I see that Firefox is storing my password already as plain text. Wtf Firefox???

Just another big rant story full of WTFs and completely true.

The company I work for atm is like the landlord for a big german city. We build houses and flats and rent them to normal people, just that we want to be very cheap and most nearly all our tenants are jobless.
So the company hired a lot of software-dev-companies to manage everything.

The company I want to talk about is "ABI...", a 40-man big software company. ABI sold us different software, e.g. a datawarehouse for our ERP System they "invented" for 300K or the software we talk about today: a document management system. It has workflows, a 100 year-save archive system, a history feature etc.
The software itself, called ELO (you can google it if you want) is a component based software in which every company that is a "partner" can develop things into, like ABI did for our company.

Since 2013 we pay ABI 150€ / hour (most of the time it feels like 300€ / hour, because if you want something done from a dev from ABI you first have to talk to the project manager of him and of course pay him too). They did thousand of hours in all that years for my company.

In 2017 they started to talk about a module in ELO called Invoice-Module. With that you can manage all your paper invoices digital, like scan that piece of paper, then OCR it, then fill formular data, add data and at the end you can send it to the ERP system automatically and we can pay the invoice automatically. "Digitization" is the key word.

After 1.5 years of project planning and a 3 month test phase, we talked to them and decided to go live at 01.01.2019. We are talking about already ~ 200 hours planning and work just from ABI for this (do the math. No. Please dont...).

I joined my actual company in October 2018 and I should "just overview" the project a bit, I mean, hey, they planned it since 1.5 years - how bad can it be, right?

In the first week of 2019 we found 25 bugs and users reporting around 50 feature requests, around 30 of them of such high need that they can't do their daily work with the invoices like they did before without ELO.
In the first three weeks of 2019 we where around 70 bugs deep, 20 of them fixed, with nearly 70 feature requests, 5 done. Around 10 bugs where so high, that the complete system would not work any more if they dont get fixed.

Want examples?
- Delete a Invoice (right click -> delete, no super deep hiding menu), and the server crashed until someone restarts it.
- missing dropdown of tax rate, everything was 19% (in germany 99,9% of all invoices are 19%, 7% or 0%).

But the biggest thing was, that the complete webservice send to ERP wasn't even finished in the code.
So that means we had around 600 invoices to pay with nearly 300.000€ of cash in the first 3 weeks and we couldn't even pay 1 cent - as a urban company!

Shortly after receiving and starting to discussing this high prio request with ABI the project manager of my assigned dev told me he will be gone the next day. He is getting married. And honeymoon. 1 Week. So: Wish him luck, when will his replacement here?

Deep breath.
Deep breath.

There was no replacement. They just had 1 developer. As a 40-people-software-house they had exactly one developer which knows ELO, which they sold to A LOT of companies.

He came back, 1 week gone, we asked for a meeting, they told us "oh, he is now in other ELO projects planned, we can offer you time from him in 4 weeks earliest".

To cut a long story short (it's to late for that, right?) we fought around 3 month with ABI to even rescue this project in any thinkable way. The solution mid February was, that I (software dev) would visit crash courses in ELO to be the second developer ABI didnt had, even without working for ABI....

Now its may and we decided to cut strings with ABI in ELO and switch to a new company who knows ELO. There where around 10 meetings on CEO-level to make this a "good" cut and not a bad cut, because we can't afford to scare them (think about the 300K tool they sold us...).

01.06.2019 we should start with the new company. 2 days before I found out, by accident, that there was a password on the project file on the server for one of the ELO services. I called my boss and my CEO. No one knows anything about it. I found out, that ABI sneaked into this folder, while working on another thing a week ago, and set this password to lock us out. OF OUR OWN FCKING FILE.
Without this password we are not able to fix any bug, develop any feature or even change an image within ELO, regardless, that we paid thausend of hours for that.

When we asked ABI about this, his CEO told us, it is "their property" and they will not remove it.
When I asked my CEO about it, they told me to do nothing, we can't scare them, we need them for the 300K tool.

No punt.
No finish.

Just the project file with a password still there today

I wanna make you feel what you have brought into my house!!

I was working with security cameras once in a home automation project. One of those camera particularly stand out by offering a cgi without password request to view and change the current passwort and username.

Seriously wtf is wrong with you? I mean this thing automatically connects to an internet service offering everyone to connect to it with that passwort and username. And I know some of you might say "hey chill the cgi is only available on the wifi" - dammit no. Security is a lifestyle do it complete or get the fuck out. God knows what other mistakes there might be hidden in that thing screaming out to everyone to watch me taking a shit.

But that's not the end of it. My company arranged a call to the technical support of that camera so that I can explain the problem and a patch gets released. Those guys didn't give a shit about it and were even laughing at me. Fuck you!

So whoever is responsible - I will find you - and you will never see me coming.

Client wants a webapp where every label on all form inputs are configurable, even the fucking login form ("Login" and "Password" text)

They also want it to send emails where the message is configurable too (they can insert your own HTML)

so basically they want the entire fucking webapp to be configurable, all without requiring any code change.

I could use a "configurable" torture device right now.

Anyone know how to change your devrant password? I can't find it in settings

Long story short: University fucked up single sign on.

For every online service I have, I set a different password, randomly generated ~ 20 characters long. At our university we have multiple systems but they offer a single sign on service which is quite nice because it is so non-transparent which service now uses which authorization. I changed my password a while ago and around the same time they also updated our mail client. Since then I am not able to log in which is not a big deal for me because I have mail forwarding.

Yesterday however I needed another service and also got rejected with my password. I knew from a friend that the passwords are fucked up and that some services have different restrictions (only 12 chars max.), so I decided to search how to reset my password. What the fuck was wrong with these people? It takes you five different pages to get the tiniest bit of information how to reset the password. Then on one page you can login with your single sign on and change the password. On that page you can also set the single sign on password, but if you enter an invalid password (in respect of the the other services) guess what? No feedback that you just locked yourself out of half the systems. Nice job. Also the password requirements are not next to the input fields where you change the password. Noo. That would be way to easy, remember the little small one line on the wall of text three pages ago? There you go.

Ok step one done. Now it should work, shouldn't it? Ohh no not so fast. One needs to activate the seperate service. Where you ask? Perfectly fine question. On the top of page four is a fucking one line table which looks like some five year old had some fun in excel. The button which takes you to the activation page is nearly invisible because of the non existing contrast. Also it is not a button but some arrow pointer thingy. Behind set arrow you have a page listing all differnt kinds of services, the description which you find on page two btw. No padding to decipher this shit what so ever. Nearly on the bottom is your needed button. Yes finally.

Finally I want to login, no good. Try again. Still no good. Go back to the fucked up excel table look at my username and think to myself what's the difference here? The table is so small and again no margin or padding. Apparently they cut of the last character of my normal username which i have which is fucking ridiculous.

What is wrong with you people, we are a TECHNICAL UNIVERSITY, is it so hard for you to find someone decend to unify this shit?

Fuck you Intel.
Fucking admit that you're Hardware has a problem!

"Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data"

With Meltdown one process can fucking read everything that is in memory. Every password and every other sensible bit. Of course you can't change sensible data directly. You have to use the sensible data you gathered... Big fucking difference you dumb shits.

Meltown occurs because of hardware implemented speculative execution.
The solution is to fucking separate kernel- and user-adress space.
And you're saying that your hardware works how it should.
Shame on you.

I'm not saying that I don't tolerate mistakes like this. Shit happens.
But not having the balls to admit that it is because of the hardware makes me fucking angry.

Fun though practical question.

You've accidentaly pasted and sent some internally used password, let it be your account pw or some server's root pw, into a company's chat channel with 100+ other employees. What do you do next? :)

P.S. deleting the message is not possible
P.P.S. this happens. Thanks to windows "Let me just quickly change window focus from putty to chat window" _FEATURE_ I've accidentally shared like a dozen of root passwords with others.

I don't want to put anyone to shame here, but this has been the most hilarious password reset in my life.

P.S.
It's an early service with no sensitive data, so I'm not concerned so much, but still, a system for automatic password reset, with the ability to change the temporary one, should be one of the first things in place before you go public. lol

Once we got an urgent requirement to add double hashing the password in a web application. It had to go to the production ASAP. The developer which was working on it, added 2 alerts in Javascript to display entered password and encrypted password. Finally change was ready to deploy but in hurry she forgot to remove the alerts. In rush and excitement, that change was shipped to the production. The alert says 'your password is 123', 'your password is xyz'.

After some time got phone calls from users and manager. Manager said, 'how the hell our application got HACKED? If anything happens to..........'. To cut it short, he was furious. We knew exact reason and solution. Didn't take couple of minutes to resolve this issue.

But it was funny mistake and that released that days pressure off.

I can troll all day by opening Devtools on a browser and change <input type=“password“> to <input type=“text“> they think i hacked google, facebook and their email acoount

Devrant doesnt log you out on one platform when you change your password on other platforms

I can't figure out how to get in contact with Firefox to figure out why every time i log into a website i need for work on Nightly, it states that my username or password aren't on record, and i have to change my password (even when switching browsers). Only started after their last update today, and now that I'm testing other sites, it's multiple sites, but not all.

Ideas? help?

My company email:

- It's time for the monthly password change!
<writes the usual passwod>
- The password must be over 50 characters long!
<adds more letters>
- The password must have numbers!
<adds some numbers, though it's getting irritating>
- The password must have special characters!
<wtf?? Adds a pound character>
- The password must have at least 20 different special characters!
<da fuq???>
- The password must be at least 50 characters, only special characters and invisible tab/LF/CR characters and it must be changed daily!
<head explodes>
- Thank you! Now please sign in with your new password for 200 times per day.
<closes the laptop and starts using Remington type writer>

Usually these remainders start popping up during the 1st vacation day. When you return to the office, the account is already locked.

And then you wonder why people have the passwords written on a post-it or as a plain txt file in SkyDrive.

Fucking Square Enix Website is just a huge pile of shit. NOTHING WORKS!

Wanna change your password? Nah sorry an error occured.

Wanna change your username? Nah sorry I'll just show you a loading symbol forever.

Wanna add a game to your collection? Nah sorry the "add" button is on fucking holiday and doesn't do anything.

Wanna change your avatar? Nah sorry I'll just redirect you and don't do anything.

Most amazing part is where you log in, then get redirected to the home page but it still shows the "Log in" button. Then you click on that "Log In" button and wosh! Home page reloads and tada! You're logged in!

Seriously who let this code into production? Also I know that you're using GraphQL now, due to an error message. Thank you!

Fucking bullshit...

Creating username / password first time - checked
Storing password in plaintext - checked
Messaging password in plain text after a password change - whaaattt????

Probably the worst security I've ever seen is a website I used to visit that had their "Forgot your password?" system change the password of the account to the user's username and didn't even send an email confirmation before doing it.

Why the fuck do people not change their router admin password!? I was at a hotel today and could access their router admin interface with the default credentials. I guess this isn't purely the fault of the hotel because not all people know a damn thing about security and only use the interface to change the SSID and password of the AP. But why allow them to leave the default password? Why isn't this a standard feature to be forced to change the password :|

Not as much of a rant as a share of my exasperation you might breathe a bit more heavily out your nose at.

My work has dealt out new laptops to devs. Such shiny, very wow. They're also famously easy to use.
.
.
.
My arse.
.
.
.
I got the laptop, transferred the necessary files and settings over, then got to work. Delivered ticket i, delivered ticket j, delivered the tests (tests first *cough*) then delivered Mr Bullet to Mr Foot.

Day 4 of using the temporary passwords support gave me I thought it was time to get with department policy and change my myriad passwords to a single one. Maybe it's not as secure but oh hell, would having a single sign-on have saved me from this.

I went for my new machine's password first because why not? It's the one I'll use the most, and I definitely won't forget it. I didn't. (I didn't.) I plopped in my memorable password, including special characters, caps, and numbers, again (carefully typed) in the second password field, then nearly confirmed. Curiosity, you bastard.

There's a key icon by the password field and I still had milk teeth left to chew any and all new features with.
Naturally I click on it. I'm greeted by a window showing me a password generating tool. So many features, options for choosing length, character types, and tons of others but thinking back on it, I only remember those two. I had a cheeky peek at the different passwords generated by it, including playing with the length slider. My curiosity sated, I closed that window and confirmed that my password was in.

You probably know where this is going. I say probably to give room for those of you like me who certifiably. did. not.

Time to test my new password.
*Smacks the power button to log off*
Time to put it in (ooer)
*Smacks in the password*
I N C O R R E C T L O G I N D E T A I L S.

Whoops, typo probably.
Do it again.
I N C O R R E C T L O G I N D E T A I L S.

No u.
Try again.
I N C O R R E C T L O G I N D E T A I L S.

Try my previous password.
Well, SUCCESS... but actually, no.

Tried the previous previous password.
T O O M A N Y A T T E M P T S

Ahh fuck, I can't believe I've done this, but going to support is for pussies. I'll put this by the rest of the fire, I can work on my old laptop.

Day starts getting late, gotta go swimming soonish. Should probably solve the problem. Cue a whole 40 minutes trying my 15 or so different passwords and their permutations because oh heck I hope it's one of them.
I talk to a colleague because by now the "days since last incident" counter has been reset.

"Hello there Ryan, would you kindly go on a voyage with me that I may retrace my steps and perhaps discover the source of this mystery?"

"A man chooses, a slave obeys. I choose... lmao ye sure m8, but I'm driving"

We went straight for the password generator, then the length slider, because who doesn't love sliding a slidey boi. Soon as we moved it my upside down frown turned back around. Down in the 'new password' and the 'confirm new password' IT WAS FUCKING AUTOCOMPLETING. The slidey boi was changing the number of asterisks in both bars as we moved it. Mystery solved, password generator arrested, shit's still fucked.

Bite the bullet, call support.
"Hi, I need my password resetting. I dun goofed"
*details tech support needs*
*It can be sorted but the tech is ages away*
Gotta be punctual for swimming, got two whole lengths to do and a sauna to sit in.
"I'm off soon, can it happen tomorrow?"
"Yeah no problem someone will be down in the morning."

Next day. Friday. 3 hours later, still no contact. Go to support room myself.
The guy really tries, goes through everything he can, gets informed that he needs a code from Derek. Where's Derek? Ah shet. He's on holiday.

There goes my weekend (looong weekend, bank holiday plus day flexi-time) where I could have shown off to my girlfriend the quality at which this laptop can play all our favourite animé, and probably get remind by her that my personal laptop has an i2350u with integrated graphics.

TODAY. (Part is unrelated, but still, ugh.)
Go to work. Ten minutes away realise I forgot my door pass.
Bollocks.
Go get a temporary pass (of shame).
Go to clock in. My fob was with my REAL pass.
What the wank.
Get to my desk, nobody notices my shame. I'm thirsty. I'll have the bottle from my drawer. But wait, what's this? No key that usually lives with my pass? Can't even unlock it?
No thanks.

Support might be able to cheer me up. Support is now for manly men too.
*Knock knock*
"Me again"
"Yeah give it here, I've got the code"
He fixes it, I reset my pass, sensibly change my other passwords.
Or I would, if the internet would work.

It connects, but no traffic? Ryan from earlier helps, we solve it after a while.

My passwords are now sorted, machine is okay, crisis resolved.

*THE END*

If you skipped the whole thing and were expecting a tl;dr, you just lost the game.

Otherwise, I absolve you of having lost the game.

Exactly at the char limit

A lot of larger companies seem to be a happy about forcing employees to change their password every three months or so. They do it for security measures so that it is more difficult to break through the system, however most people end up making the worst passwords.
Instead of forcing a very good password on them every year or two maybe, they all end up having passwords like: "Summer16", "Qwer1234", "London15".
I used to work for our national police, and this was the case there as well...

Seems someone from China was trying to hack my Apple ID. Due to 2-factor verification, was able to deny access and then I quickly changed password and forced sign-out of all accounts. Perhaps my password appeared in some data leak— it was not changed since 2 years.

Y’all make sure to enable 2-factor authentication and change passwords from time to time.

Everyone here deserves the worst.

No, really, you all deserve those dark juicy stories. So here's why I hate password systems that don't have the user experience in mind.

Recently my university went under a huge update, most of it good, but this is DevRant, so let me tell you what's just the worst.

They asked me to change my password, they do this every month or two. So I did it, but as I clicked "Ok" a wild error appeared! It told me I had to use a password that was not one of the FIFTEEN that I'd used previously...

I tried everything, and despite everything else being poorly programmed, or what not, I thought it would be easy to spoof. Nope. Unfortunately this seems to be the ONE thing they did right. Looks like I'll have to go back to basics. Just add a number on the end of my previous password, up to fifteen, and reset :]

I think this rant needs to turn into an email headed straight to them :)

F*ck WIX!!!

POS of software.

Was working with a client to change one email to contact and that shite kicked me out with no warning on changes. Reset the password and now I can't even login.

Someone just guessed my 20+ character one time password on Microsoft 🤔 2 factor authentication and Geo IP checking are definitely good features.

Well, time to change all my passwords.

this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.

2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.

The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:

1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck

3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/

4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"

The TA for my computing lab in uni consistently shows up 45 minutes late. I'm usually done in 20 because I use the rest of the time to work on the next lab.

He walks through the door, lets out the biggest sigh, sits down, sighs again, opens up his laptop, and sighs once more. When someone asks for help, he sighs so hard you can see his lungs shrivel up as he exhales, and then provides them with a pointless answer.

The best part about the cs department here is that when you join cs, you are given an account to use with the ubuntu machines in the computer labs. They send you the password over school email, and you can't change it on any system they provide.

Am I the only guy using the GDPR emails as a to-do list? For each email I either delete the account with that service OR I take the opportunity to change the password. Tedious? Yeah. Satisfying? You bet!

I see all these people complaining about their inbox blowing up with "spam" but how many of those accounts or services do you still use? I bet over half of them were only signed up for to try their demo and then forgotten about.

Recent conversation with a client for our SaaS product.

Client: So why can't we delete this information.

Me: We want to able to know who made a change to the data to avoid getting into trouble with the law.

Client: Does that mean you can see all the data on our account?

Me: (I know where she is going but let me stall)..You are the only one with access to your account. If I don't know your password, I can't access your data.

Client: But you sound like you can see the information in the cloud.

Me: (Laughs softly and segued).. The additional features you requested would be.......

Someone needs to read the T&C...

Customers are so fucking stupid.

You're already on the page with a form with a "password" field and a fucking "save" button. WHY ARE YOU STILL ASKING ME HOW TO CHANGE YOUR FUCKING PASSWORD???

FUCKING STUPID CUSTOMER WHY DON'T YOUR FUCKING KILL YOURSELF???

FUCK!

The 1x1 to lock you out of your Mediafire-Account:
- Change password to a new one with more than chars (works)
- Try to login with it. 😂 (too long)

Had to reset it and set a new new one with 30 chars.

I went to uni for CompSci with knowing no prior knowledge.

In my first year of uni I created a DigitalOcean droplet to host an SQL server. I didn't change the root password or disable password login out of convenience and as I didn't think anyone would be able to find the IP address to be able to hack it.

Within 3 hours DigitalOcean had locked my account for using my droplet to send DDoS attacks. Support contacted me to ask what was going on. I knew nothing at the time so I was a bit 🤷‍♂️.

And that's when I learned the importance of changing your root password.

I thought maybe it's time to change my Services NSW password, and chose =onWl?$2w/bxJ"UU as my new password...

I guess there's no escaping it. Aussies are dumb

"You have to change your password, because you've either just registred or your password doesn't comply with our guidelines anymore."

I've not made my account recently.
The question beeing: How can they know if they "should" decently hash it? 👿

Had to change password on computer for administrative reasons (sysadmins and infosec make us change our pass every quarter). Changes didn't sync to everything so now I can't even log into my computer.
Need to go to the office tomorrow so some guy can type in an admin password on my pc and do stuff to it. If that doesn't work I will just be given a new laptop.

Seriously fuck this week

Other staff: I’m having trouble logging in to website A. My password doesn’t work.

[Me thinking: That’s weird. When I set up your account, the password worked. I told you to change it. So maybe you forgot your new password. We haven’t changed anything to about the login process.]

Me: I reset your password. [sends new password]

Other Staff: The new password doesn’t work. But I can log in with Google.

Me: 😶 Website A does not have sign in with Google. What website are you actually on???

Oh man, I fucked up...
I was doing after hours work for client, setup website with https.

Can't work over sftp with current user,so I give it the same user ID as apache, get files transferred and shit.
Go back to change uid, set wrong uid, now my user is ntp, I can't get into root, can't set password...
I fucked up

Tail between the legs, sent email to clients support, asking them to fix my user fuck up, waiting for reply

!rant

Need some opinions. Joined a new company recently (yippee!!!). Just getting to grips with everything at the minute. I'm working on mobile and I will be setting up a new team to take over a project from a remote team. Looking at their iOS and Android code and they are using RxSwift and RxJava in them.

Don't know a whole lot about the Android space yet, but on iOS I did look into Reactive Cocoa at one point, and really didn't like it. Does anyone here use Rx, or have an opinion about them, good or bad? I can learn them myself, i'm not looking for help with that, i'm more interested in opinions on the tools themselves.

My initial view (with a lack of experience in the area):

- I'm not a huge fan of frameworks like this that attempt to change the entire flow or structure of a language / platform. I like using third party libraries, but to me, its excessive to include something like this rather than just learning the in's / out's of the platform. I think the reactive approach has its use cases and i'm not knocking the it all together. I just feel like this is a little bit of forcing a square peg into a round hole. Swift wasn't designed to work like that and a big layer will need to be added in, in order to change it. I would want to see tremendous gains in order to justify it, and frankly I don't see it compared to other approaches.

- I do like the MVVM approach included with it, but i've easily managed to do similar with a handful of protocols that didn't require a new architecture and approach.

- Not sure if this is an RxSwift thing, or just how its implemented here. But all ViewControllers need to be created by using a coordinator first. This really bugs me because it means changing everything again. When I first opened this app, login was being skipped, trying to add it back in by selecting the default storyboard gave me "unwrapping a nil optional" errors, which took a little while to figure out what was going on. This, to me, again is changing too much in the platform that even the basic launching of a screen now needs to be changed. It will be confusing while trying to build a new team who may or may not know the tech.

- I'm concerned about hiring new staff and having to make sure that they know this, can learn it or are even happy to do so.

- I'm concerned about having a decrease in the community size to debug issues. Had horrible experiences with this in the past with hybrid tech.

- I'm concerned with bugs being introduced or patterns being changed in the tool itself. Because it changes and touches everything, it will be a nightmare to rip it out or use something else and we'll be stuck with the issue. This seems to have happened with ReactiveCocoa where they made a change to their approach that seems to have caused a divide in the community, with people splitting off into other tech.

- In this app we have base Swift, with RxSwift and RxCocoa on top, with AlamoFire on top of that, with Moya on that and RxMoya on top again. This to me is too much when only looking at basic screens and networking. I would be concerned that moving to something more complex that we might end up with a tonne of dependencies.

- There seems to be issues with the server (nothing to do with RxSwift) but the errors seem to be getting caught by RxSwift and turned into very vague and difficult to debug console logs. "RxSwift.RxError error 4" is not great. Now again this could be a "way its being used" issue as oppose to an issue with RxSwift itself. But again were back to a big middle layer sitting between me and what I want to access. I've already had issues with login seeming to have 2 states, success or wrong password, meaning its not telling the user whats actually wrong. Now i'm not sure if this is bad dev or bad tools, but I get a sense RxSwift is contributing to it in some fashion, at least in this specific use of it.

I'll leave it there for now, any opinions or advice would be appreciated.

Some Project Manager outsourced a redundant RADIUS setup with MySQL backend. We got 2 copies of a daloradius appliance running on Ubuntu 10.04. Once I saw this, I started to get a bit suspicious and requested to audit the system and database redundancy. With the system in production, and without getting back any documentation, I got into the VMs using the default root password. This was not even the worst part, as I found. One server was using a local MySQL instance, while the other was also using the first one's MySQL instance. When I reported this, I was told to comment clearly any changes to the configuration files, which resulted in commenting the word SHAME above each change.

I just realised there is no option to change the password on devRant. 🤔

Per company policy, needed to change my password again.

Usually I just increment a counter and reset to 1 after 9 but seems now they keep the last 10 passwords used...

OK, time to add an extra symbol

Buy google suite service from us. Don't know how to change password. :feelsad:

> attempt to change password on laptop
> try sudoing to test if it changed
> it hasn't
> assume i was ssh'd into my server
> try the password, along with like 10 other permutations of it
> get ip-banned from ssh to my server :/
> try an online ssh client
> use old password
> it works!
> so what did i change?

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

oh FFS my university pissed me off so bad right now that I had to wait 20 min to cool down to be able to write a rant about it...

so, one of the university department offer an email address which is the official university approved email for student packs like jetbrain's. I wanted to renew my jetbrains subscription, but for that I have to get a verification email on that address..
But since the only time I use it is this annual renewal I dont know the webmail's url..
So I search for it on the department pages, services and its nowhere to be found. Finaly I found it on a student maintained wiki page.
I try to log in.. no luck. try another password, still not it. Try all of the passwords that I remember using in the previous 3 year and no luck.
well fck it the password change is managed by a website where I can log in with a different method, so I change the password and try to log in again.
No fcking luck! And at this point I bashed my head against the wall because I found out that the password change takes them about 1 or 2 hours... hours! wtf...

I DIDN'T SIGN UP FOR THIS !!!

After seeing bunch of posts about Enki, decided to give it a try,

enters my info on the sign up page
*email address is already taken* : WHAT !!

changes email address
*your username is already taken* : WHAT !!

goes back and search if there's any mails from Enki
*no results found* : Dafuq !!

Requests password reset
*Receives first mail from enki ever, with a reset link*

Did they change their name from something else to Enki or they have bunch of emails in their database to showoff user base ?

Can anyone shed some light on this, cause I'm 100% sure i didn't sign up for this before.

after resetting the password I'm able to login, but in the Notification section it says
*your email is not confirmed*

well i would confirm it, WHEN I GET IT !!

*leaning back in the story chair*

One night, a long time ago, I was playing computer games with my closest friends through the night. We would meet for a whole weekend extended through some holiday to excessively celebrate our collaborative and competitive gaming skills. In other words we would definitely kick our asses all the time. Laughing at each other for every kill we made and game we won. Crying for every kill received and game lost. A great fun that was.

Sleep level through the first 48 hours was around 0 hours. After some fresh air I thought it would be a very good idea to sit down, taking the time to eventually change all my accounts passwords including the password safe master password. Of course I also had to generate a new key file. You can't be too serious about security these days.

One additional 48 hours, including 13 hours of sleep, some good rounds Call of Duty, Counter Strike and Crashday plus an insane Star Wars Marathon in between later...

I woke up. A tiereing but fun weekend was over again. After I got the usual cereals for breakfast I set down to work on one of my theory magic decks. I opened the browser, navigated to the Web page and opened my password manager. I type in the password as usual.

Error: incorrect password.

I retry about 20 times. Each time getting more and more terrified.

WTF? Did I change my password or what?...

Fuck.

Ffuck fuck fuck FUCKK.

I've reset and now forgotten my master password. I completely lost memory of that moment. I'm screwed.

---

Disclaimer: sure it's in my brain, but it's still data right?

I remembered the situation but until today I can't remember which password I set.

Fun fact. I also could not remember the contents of episode 6 by the time we started the movie although I'd seen the movie about 10 - 15 times up to that point. Just brain afk.

So here I am investigating something our users are claiming. I look up which user the UserId did the change and I see not only the user but also the users password in clear text in a separate field. I thought that field was for a password hint that the user can set up, but I asked around and apparently, no... It's literally the plain text version of the password stored in the database, next to the hash of the password.
Apparently, the users were so impossible to deal with that we added that column and for users that constantly pester us about not knowing their password and not wanting to change it, we added a plaintext password field for them :D

Microsoft Market:
"You tried a wrong password too many times"
(I know fucker, I made a fucking mistake because I had to restart the pc 20 fucking times already, I've got confused, you pc-fucker)
"The activity is temporarily suspended, try later"

LATER? WHEN? I need to work you moron. Just give me a number!!! 10 minutes? 10 hours? days?
Work on improving security, lazy sod, not on slowing my job.

PS As soon as I can I'll change the password in "ImpotentCrackWhoreFucker8==0-)"

Great news, I just lost my email account's password. The password is in password manager but apparently, when I was changing it, I did something wrong. Now, neither the old one, nor the new one work and I can't login into my email. I didn't even change the password reset phone number to my new one! And I also forgot the recovery mailbox' password. Fucking great.

Here's the lesson: **ALWAYS** re-check your new password in your browser's private window.

Firts social hacking ever 😁😁😁

In the bus at the end of the day
Me:(fake phonecall to Bell)ho you offert me a 10go of data per months for 30$ ! Wow

Guy in bus: he call is phone company and give all is Private information in the bus to have a better deal.

Me: poke him and say "you know now i can create accounts on your billing address for free"

Guy: Holy shit man you are right i need to take care.

Me: now change all you password contains what you publicly said.

Me: have a good day 😋

Yesterday I helped in a college final project. To be done using PHP and MySQL.

- they were taught to create a login page and when submitted just check the values against username and password from DB table and redirect to a dashboard page. No session created.
- in the dashboard, session is not checked. Shows links to other pages.
- each page is a separate php file
- the app allows users to issue books to customers. They were taught to delete the book from book table and save all the info in issue table, when a book is issued
- when a book is returned, book info is saved in a return table and also saved to book table again and deleted from issue table

I asked this student to change it to the right way, to use sessions and includes. He said that then the lecturer would know, he didn't do the project. It's a diploma level course.

I'm writing a devrant like site, so a kind of forum that supports live chat under every article. Login will be just username and password to stay anonymous. Email is optional for password reset. Also it won't have password requirements. Who cares if user uses insecure password. I do like the devrant avatar thing. I will use the ducky generator instead. So everyone on the site is a custom duck. K-SASS prolly never expected his generator to be used anywhere. The requirement of this site is that it scales very well. I have db calls of 0.006s, this is for persistent data only and will be used by all site instances. I expect that it can handle many clients concurrent as long I do not return more than 30 rows or so. Events get handled by a self written pubsub server.

All sounds great and development goes fine. But why is this a rant? Because the same thing as always is biting me, I can't design a site at all. I know how but I don't have any feeling for design at all making me almost incapable of building an attractive site. The only thing I can 'design' is an application in bootstrap or smth. I spend so much time one design while I don't like to do it ironically. But looks of site is almost as important as an good working site. Good working site doesn't get used if looks bad in many casee. This is since the start of my career an issue and it sucks that I appearantly can't deliver a whole site on my own meeting my standards.

My backend work is top notch tho. Btw, this application is not to be an alternative for devrant. I do not think I can attract more users than it already has and I've seen two communities disappearing once because someone decided to make a new one, took half of community with him and both communities died after short while.

End product of this project is a working project, not a live site hosted somewhere. It's pure about mixing mostly self written tech to get the best performance. Reinventing wheel on many levels. I wanted maybe to do the site in C but decided that it's way to much work for the value. I change the site so rapid since I don't have decent plan that python aiohttp is the best choice in amount of writing it yourself and fast. It's very lightweight.

More a story than a rant, sorry

WHAT THE FUCK!!!
Whoever says that MacOS is superior or at least on par with Linux in terms of ease of maintenance -- feel free to stick a backwards pinecone up your asshole and push it down with a baseball bat with 5" nails.

The FUCK is this nightmare. You can't even start a process w/o logging in via GUI, password changes are another horror story, esp. for users who have never logged in [warning says to change keystore pass separately... Which doesn't exist...], vnc uses some proprietary protocol, ...

Seriously, even SunOS is easier to maintain, not to mention AIX, compared to this BSD nightmare of a UNIXoid....

Wtf....

When I was in 11th class, my school got a new setup for the school PCs. Instead of just resetting them every time they are shut down (to a state in which it contained a virus, great) and having shared files on a network drive (where everyone could delete anything), they used iServ. Apparently many schools started using that around that time, I heard many bad things about it, not only from my school.
Since school is sh*t and I had nothing better to do in computer class (they never taught us anything new anyway), I experimented with it. My main target was the storage limit. Logins on the school PCs were made with domain accounts, which also logged you in with the iServ account, then the user folder was synchronised with the iServ server. The storage limit there was given as 200MB or something of that order. To have some dummy files, I downloaded every program from portableapps.com, that was an easy way to get a lot of data without much manual effort. Then I copied that folder, which was located on the desktop, and pasted it onto the desktop. Then I took all of that and duplicated it again. And again and again and again... I watched the amount increate, 170MB, 180, 190, 200, I got a mail saying that my storage is full, 210, 220, 230, ... It just kept filling up with absolutely zero consequences.
At some point I started using the web interface to copy the files, which had even more interesting side effects: Apparently, while the server was copying huge amounts of files to itself, nobody in the entire iServ system could log in, neither on the web interface, nor on the PCs. But I didn't notice that at first, I thought just my account was busy and of course I didn't expect it to be this badly programmed that a single copy operation could lock the entire system. I was told later, but at that point the headmaster had already called in someone from the actual police, because they thought I had hacked into whatever. He basically said "don't do again pls" and left again. In the meantime, a teacher had told me to delete the files until a certain date, but he locked my account way earlier so that I couldn't even do it.
Btw, I now own a Minecraft account of which I can never change the security questions or reset the password, because the mail address doesn't exist anymore and I have no more contact to the person who gave it to me. I got that account as a price because I made the best program in a project week about Java, which greatly showed how much the computer classes helped the students learn programming: Of the ~20 students, only one other person actually had a program at the end of the challenge and it was something like hello world. I had translated a TI Basic program for approximating fractions from decimal numbers to Java.
The big irony about sending the police to me as the 1337_h4x0r: A classmate actually tried to hack into the server. He even managed to make it send a mail from someone else's account, as far as I know. And he found a way to put a file into any account, which he shortly considered to use to put a shutdown command into autostart. But of course, I must be the great hacker.

***ILLEGAL***
so its IPL(cricket) season in india, there is a OTT service called hotstar (its like netflix of india), the cricket streams exclusively on hotstar..
so a quick google search reveals literally thousands of emails & passwords, found a pastebin containing 500 emails&passwords ...but those are leaked last year most of passwords are changed & many of them enabled 2FA.. after looking through them we can find some passwords are similar to their emails , some contains birth year like 1975,1997 etc, some passwords end with 123 ..so after trying a few different versions of the passwords like
1) password123 -> password@123, password1234
2) passwordyear -> password@year
2) for passwords similar to emails, we can add 123 ,1234, @ etc
created a quick python script for sending login requests

so after like 30-40 mins of work, i have 7 working accounts

*for those who have basic idea of security practices you can skip this part

lessons learnt
1) enable 2FA
2) use strong passwords, if you change your password , new password should be very different from the old one

there are several thousands of leaked plaintext passwords for services like netflix,spotify, hulu etc, are easily available using simple google search,
after looking through & analysing thousands of them you can find many common passwords , common patterns
they may not be as obvious as password ,password123 but they are easily guessable.
mainly this is because these type of entertainment services are used by the average joe, they dont care about strong passwords, 2FA etc

Skype password lost -> reset email -> new password given -> login failed on skype client -> login via website -> invalid password -> reset password -> first enter code by email -> done -> assign new password -> login via password -> someone else is using your account, you have to change the password -> first ensure you are you by enter a code -> code entered -> change password -> password changed -> finally login works
Way to go Microsoft!

so I just changed my password 3 times in the last 5 minutes to get access to skype... for a call we finally made via whatsapp... now I will remove skype again until next year, when I have to make that famous "once a year" call with skype

If I have to change my domain password every 3 months for a bullshit out of date security policy (there's plenty of evidence suggesting that changing passwords is actually worse security), then maybe, just FUCKING maybe, make sure that that password change appropriately filters down to things like SQL Server so I can keep doing my goddamn work.

The $customer gets a device from us, with th wifi connected as specified in the order. $customer connects it to the mains and monitor, puts in the dongle and the connection is established.
Fast forward 3 weeks, now everything went south. The device does not connect to the network, the service is offline. Our first question: "Has someone modified the WiFi name or password?"
$customer: "No, there were no changes in the WiFi"

So the full arsenal of debugging the connection over LAN starts, interrupted by $customer unplugging the device "because he needs LAN now"

After sometime, we figured out, everything is fine with the device, and ask $customer once again, if the config $ssid and $password is correct.

$customer: "Oh, we changed the name to $ssid2 because it looks nicer, is that a problem?"

Internal: "Are you f*kin kidding me? I asked you exactly that"
Me: "Alright, that explains the issues. Please tell us in advance if you want to change something with the WiFi."

I work as pharmacist, but code as hobby and recently change job. Have far more options to improve work enviroment, but IT guy sucks balls so much.

Better no password, because you have to remember them.

Some users don't have privilages to do some things, but everyone knows boss password with all privilages.

It guys connects via teamviewet whn I check prescriptions with quite vulnerable data and after my step in he responds that he creates this Pharmacy store and has deal with boss to access database and others.

Due lack of controls there is working against law all the time

Small city so everyone knows everyone and you have to be ultra polite to doctors and after my little unpleasent situation doctor starts to be mad at all employers.

It guy was asked to change disc space on OS drive, but he replies that it will takie at least 2 hours and he doesn't have time, but it takes me 15min top and he was mad at me.

Ffffff....

ChaseBank is getting up my nose. Twice in four business days my account was flagged and I had to change my password for 'security' purposes. I spent the better part of 90 minutes in a futile attempt to find out why, when there's been no suspicious activity on my account, I'm being flagged. My father contacted a branch manager near him who told him to dial the priolrity customer service number and key in the letters (I shit you not) HO HO. I called the number. It's the same damn number I'd been calling. I called the branch. They told me I'd definitely receive a call back last Friday by 1800. No call. So, yesterday I called the manager of that branch, verified its location, told the manager he was supposed to call me by 1800 last Friday, and Chase Corporate would be in touch with him soon to explain that when you tell a customer you'll call them, you'll fucking call them.

Ealier this day, I succesfully guided my young sister over the phone to change the boot order 🙌 (pc wouldn't boot).
Just to find out that she couldn't remember the password 😐

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

Just rebooted my work station during a video conference because the VPN was flaking out.

After reboot, launch Teams to get back to the meeting. The VPN credentials dialog then pops up, but IS NOT MODAL, so I end up sending my password to the group chat...

Time to change my password, I guess.

The wordpress site I told my friend her friends I would take a look at made me feel a bit like a real hacker.

Without knowing them I guessed their username and password for the admin panel in 15 tries. Today they send me the password and username via email.
I just told them I already had access and that they should change the password.

TL;DR first off you are lazy, it isnt such a long text, but the real tldr is "Me Hackerboy"

Rant rant rant!

Le me subscribe to website to buy something.

Le register, email arrives immediately.
*please not my password as clear text, please not my password as clear text *

Dear customer your password is: ***

You dense motherfucker, you special bread of idiotic asshole its frigging 2017 and you send your customer password in an email!???

They frigging even have a nice banner in their website stating that they protect their customer with 128bit cryptography (sigh)

Protect me from your brain the size of a dried pea.

Le me calm down, search for a way to delete his profile. Nope no way.
Search for another shop that sells the good, nope.
Try to change my info: nope you can only change your gender...

Get mad, modify the html and send a tampered form: it submits... And fail because of a calculation on my fiscal code.

I wanna die, raise as a zombie find the developers of that website kill them and then discard their heads because not even an hungry zombie would use that brains for something.

tl;dr. web hosting && a panic attack && security threat

i wasn't sure whether my brother's domain was hosted or not (because it wasnt showing a website and he didnt know any better).
so i decided to host a react-app for it on netlify and pointed the domain's nameservers towards it (a separate security threat at bottom).
all went well and now when you punch in the domain it ..all-behold.. shows a website.

NOW, i remember my brother was using the domain's email which probably means it was hosted, right?. so im panicking because im not sure whether i just deleted all his emails or not because it's 1:15 am and he's asleep.
there is a rant in there somewhere but im in too much of a shock as to how much data i might have just accidentally deleted
.
.
another tl;dr: my domain registrar let me change someone else's settings..
the reason i didnt know his domain settings is that he didnt know his password.
i had bought a couple of domains and was gonna host them on netlify. while i was doing this a bright idea hit me.. "you should finally build a website for your brother for the domain he bought 7 years ago"..
this is where the fun begins.
i sent an email to my registrar to point all nameservers of all domains to my nameservers and just to try out i included my brother's domain into it (i dont own this domain it's not registered by my email), and the next day i get an email telling me they've successfully made all changes.
.
Now tomorrow is monday and i'm going to their office to tell them i found a security flaw and see how long i can stall before actually telling them what it was and how their live's could've been made hell.

People, even on devrant, are complaining about having to change their Twitter passwords. A major security event is not the only occasion to change your password (for anything).

You should change your passwords for everything regularly. Like, once every month or two.

This is why password managers are brilliant.

IPMI...

2010....

Java Web...

Oracle JDK needed....

Oracle JDK Download requires Oracle Account..... To circumvent as I don't want a motherfugging shitty oracle account tons of googling and loading shit from not so trustful pages.

TLS 1.0 and WebJDK require Internet Explorer.....

And an even older version of Oracle JDK 8....

Broken keyboard input....

As on Laptop for Windows / Internet Explorer additionally struggling with keyboard...

Mounting SMB Share requires password change, as my password contains invalid characters....

Finally getting shit to load GParted...

Taking fucking ages to load.

Broken keyboard input, no pasting.....

Chrooting / input becomes a 15 min exercise.

Actual input necessary on chroot: 1 command.

Actual time needed to get there : 2 1/2 h.

*sigh*

When that one old machine dies noone was aware of. And this one old machine is only accessible via an IPMI... As noone even knows where that machine is.

Weekend dead. Weekend is so fucking dead and overrated.

Interesting password recommendation here...

Translation:
- A form with to fields: Surname and password.
- Below the form is a text: "For signup please enter your name and a password (e.g. your email address). With your name and password you can change your data anytime and may get access to the memberlist."

Bonus: There is a "help"-button (outside of the cutting) which even *recommends* the use of the email-address as the password!
Extra bonus: The password field is a normal text one.

IF THE EMAIL ADDRESS HAS TO BE SUBMITTED, WHY NOT JUST ADD ANOTHER FIELD OR AT LEAST LABEL THE FIELD CORRECTLY!

Update: After this form, you get to another form, to enter you email address...

Just managed to send my password in plain text to a colleague when I ment to enter it in the login box.....

Time to change my password again.....

I took Database System Class and Courses in University, and told to store the password using its hash and don't store it in plain text; it is at least a standard.

today i just resetting my gmail password since i forgot the password. and i wonder by how google forgot password mechanism work.

for example i register the password with:
'xxxfalconxxx'
and then change it to:
'youarebaboon123'

sometimes later i forgot both password, and google asked for the last password i remember; and i only remember part of it so i entered:
'falcon'

and this is right, so i can continue the forgot password mechanism. how could you check the hashed text of 'falcon' is the subset of hash text 'xxxfalconxxx' ?

I spent about an hour writing my own password generator at work... (And probably my item password safe) because my company doesn't allow using Keepass...

But require super complex passwords... That need to be exactly 8 characters...

And they expect us to somehow think of and remember them... And change it every 6 months....

As a developer, isn't it a given that if we can't have something, we'll just build one ourselves... But one that is lower quality since it is adhoc and with by a single dev... That doesn't have time or the experience of a domain expert...

They also blocked GitHub/Sourceforge so I can't just download from my own repo... And basically need to do it on company time... For better or worse.

First time programming for work... Man in the middle student password changes. Yep that's right I'm being asked to write a program that will change students passwords on their Google accounts and local domain while also keeping a decryptable format password in a database. Granted it's much better than not letting students change their passwords at all. Plus were doing it because it will let us fix their issues while their out of school so...

Client requested password change for their info@ email.

Changed the password.

Client said website is not sending emails

Turned out that website is using SMTP to send email using the same email address.

I checked out this new hybrid app that was released by some local senior developers.

Turns out that on my user profile, my user ID is set as the value of a hidden field and changing it to any other user ID and saving the form will update the profile of that user. Including changing the password.

The password reset form also allows me to change the user ID to reset that user's password.

Speaking of passwords, the value of the password field on the profile is my actual password in plain text.

Yes, I said this app was released by a couple of "senior developers". One has over 15 years of experience and the other works at an IT company that builds online banking systems. They appear to have outsourced this side project to some other development team but... Come on. At least take one quick look at the source code before releasing it, why don't you?

I don't even...

My journey into learning Docker, chapter {chapter++}:

Today I learned that when you use a database image in your docker-compose file, and you want to rebuild the whole thing for reasons (say, a big update), then if you change your credentials ("root" to "a_lambda_user" or change the db's password) for more security, and you rebuild and up the whole thing... It won't work. You'll get "access denied".

Because the database (at least mysql and mariadb) will persist somewhere, so you need to run "docker rm -v" even though you didn't use any volumes.

I love loosing my fucking time.

Nothing makes me not want to take a full-time job at your company more than having to go through IT tickets every quarter year when my password expires to actually change my password. Why have a fucking self-service portal for employees if logging in with an expired password doesn't work and the reset password link tells me that I need to log in to enroll with security questions (???). It feels like these websites are glued together with sticks and spit and there's a million of them each sporting one specific purpose! I have to go through this shit multiple times since I'm an intern and I didn't have access to my account through the course of the semester. Get your fucking shit together!

You know what fuck github , anyone remember when git cli was easy and straight forward to use

Now i have conflicting master branches because the remote is main and git automatically defaults to master.

Git still asks for a password while github can't wait to inform me how I have to go through the very long process of setting up an auth_token.

Apparently https remote origins for some reason don't work anymore, why because apparently i need to change them into ssh, good luck with the public key errors

This sucks , fuck github and fuck politics

I had joined a new company and got access to their codebase. They were updating password on MD5 hash of user name and their email in get request. No password validation, no token based authentication, nothing.

Eg
...com/change_password/email=(plainemail)&name= MD5(name)

That's it, you get change user password.

Dashlane is the worst password manager to use. I was trying to set up categories and since it does not have a simple selection box change feature I had to grab almost 100 at a time to change. Unfortunately after changing them I realized I had a duplicate and I clicked on that one to delete it. The system was still selecting all 100 (it uses a slightly gray color to show what is selected rather than a clear check box type feature) and it deleted all 100 passwords. It never asked me a question or gave me an undo feature. The interface is very difficult to handle.

Further, to set up a second user and grant them access to a large number of passwords (in this case my wife I wanted to give her access to 128 passwords), you must click them one at a time and then when you set it up they cannot get their own master password. Very cumbersome.

This is another high school story. mostly because i’m in high school.

like most schools we have horrible forced passwords. Our school recently purchased microsoft 365. which means we all use outlook for our emails. the logins for our district follow the sand format.

s + first five of last name (x’s for missing letters) + first letter of your first name + the last three of your student id.

so for example Sean Peterson 456705 would be speters705. since we have outlook we can look up a persons name and get their email which gives you the last three of their password. All passwords start with a 4 and most are followed by a five so you pretty much can get 5 out of the 6 numbers in their password.

so to mess with my friends i signed into all of their accounts and messed with their emails so they thought they were getting random emails. and then i made word documents on all of their accounts and just pretty much messed with all of their school stuff.

so that’s my “hacking” story. my district doesn’t allow you to change your password so i’m pretty much stuck. pls help.

So there I am sitting in front of my laptop, and trying to npm i and I am getting all sorts of sha mismatch errors.

After lot of debug I conclude it is coming from the proxy as it refuses to download and supplies the error page.

It says it's because I'm using the old proxy so they give me the new URL which I set up and it works.

All good until my password expires. I use our bash script to change it. NPM is buggered again throwing the same errors.

Go to IT, tell them the saga begins.

After a countless hours of looking at the log files we notice that the npm registry is set to http instead of the standard https (thanks bash script). so our firewall blocks the download.

Sorted, finally.

Almost. NPM now works fine, but when I go and I play around with node and axios, I get my requests time out. My instinct says its the bloody proxy again.

So I hit up my trusted WIN Support guy and he confirms that the url is not blocked. So he starts monitoring whats going on and turns out, every time I run the node app, node casually ignores the system-wide proxy settings and tries to send the request as the PC rather then my username.

Since the pc's don't have rights on the proxy it is being refused...

Thank fuck for the corporate proxies, without them, I could just develop things not ever learning these quirks of node...

Create DB connection file in every other place and writing password in all those connection files. 😒👿

Then using grep and sed like a pro to change passwords in one go. 🤷

Scratching their heads as to why the script says DB connection error.... After an hour or so; finding out that the password contains '@' sign it was under double quotes. 🤦

OK so encrypted my system drive during install. So far so cool. It also prompts me to enter the password before loading the OS. However if I misstype it it kicks me in grub rescue mode instead of asking me to reenter it. Wtf D: Can I change this?

If I were to change all my passwords into hashes (so take a random word and hash it, ex 'table') and then use those on various websites, would people ever guess that my password is _an actual hash_ rather than a password in hashed form if they were to see it? Would such a meta-hash be safer if 'hackers' were to find it unencrypted?

My country has the best security experts. They convince people that they are not thiefs, Then when people believe them and give them their data, They change the password.

!rant

Just got a message from a recruiter. It was something different. There was a link with a ZIP file and a bunch of files in it. Plus two MD5 hashes. You should now find the correct private key and the encrypted message to decrypt it with the key. This gave you the password to get further in the application process.
Not particularly difficult, but a refreshing change from the usual blah blah.

New customer calling me to change all admin password on all server and Nas and some router/wifi ap for an unknown reason.
Customer: I have so many windows servers and nas'es...
Me arriving on site: just one qnap Nas... no windows server. 👍🏻🦄

So I still have my very first email account, a hotmail account as a secondary, kinda spam account.

i signed up around 2000 i guess.

someone tried to get in, i got loads of mails of failed login attempts so i wanned to go and change my pw. But because of that bastard i cant login with just pw anymore, i need my phone. THAT ACCOUNT IS 20 FUCKING YEARS OLD. I never even provided a phone.
spent the last 20 minutes providing personal details to microsoft which are probably not the ones i used for signing up anyway.

you know how careful we were whem signing up for something online back them? I probably signed up as Thomas anderson from zion...

anyway, done now and bow it will take 24h for them to review it..

all of this only to reset my forgotten pw for my epic games account for with i signed up with that mail..,

holy guacamole.. I should start to trust password managers...

My Ubuntu VM just work fine for consecutive 217 days without restarting.

Need to change some config
And... I forgot the application access key... Damnit!!!

Lucky, I kept the access key in the password manager. Whew.

I manage the infrastructure of an application. Responsible for setup, maintenance and upgrades of all the associated servers, databases, filesystems and tuning. The business area is responsible for maintaining the content and structure of the app.

A couple of weeks ago, the business area started asking me for the system admin passwords in an attempt to integrate a remote service. The reason was because he didn't want to store his own credentials in Jenkins. Imagine the shock when they were told no.

Then a week ago, they asked for the password again so they could update a properties file. Again, the answer was no.

We sent them an email yesterday asking for their change management number so we could make the change to the properties file. They were absolutely shocked to find out that we hadn't already updated the file because they had already deployed their code changes to go with the properties file last Thursday. They submitted the request to us on Friday.

Getting real tired of people screwing up and pointing the finger back at me.

No idea what the fuck just happened, but my home router just dropped the internet connection and started demanding that I change the admin (default) password.
Now, I know that default passwords are bad and all that, but why the fuck now? This thing has been sitting there for over a year, and it only decided to complain now?

There have been some weird things going on lately, and I'm starting to worry that some of my systems may have been compromised in some way... but I'm not sure what/how, nor how to look for it...

Any tips for identifying a breach and disaster recovery?

To the developer of jobomas.com (I sent this while I canceled my account):

Seriously, a platform that confirms my password in clear text in an email is a risk for my privacy and data.

One more story: I wanted to change gender to male and you asked me for my phone number, birthday etc. (required form fields)?

I should be able to decide myself what I want to share with you and what not!

This platform isn't even fully translated to english (Gender selection for example...).

Consider hiring a UX-Designer so I don't press cancel, when I want to cancel my account.... what a finish, sigh!

So a while back I had found a hole in a website's security, one that I has used pretty frequently. I was able to change my cookies and become any user I wanted. The only caveat was that I had to log in as a user in order to get things started. But once I was in I could basically be anyone I wanted to be just by changing a few numbers in the user ID of the cookie. They also did all of their user processing on the client side. Even password checks.

A couple weeks back I decided to go back in to see if anything had changed since then. It did! But not in the way I had thought.

So these guys decided that instead of fixing their security hole, they would have users just contact their people directly in order to get a new account.

Wow that's so much fucking overhead for basically being a lazy shit and not fixing the security holes. I mean how bad is your architecture if you can't go in and fix this?

Not only that I found that they actually stripped all of the users of their original subscriptions. So now if you want to get back on your subscription you'll have to fork over another $399. So that means going to their shitty form filling out your name, your number, email, and just hope that someone contacts you via phone call.

I'm glad I dropped this service. They clearly can't get their shit together.