Search - "passwd"
-
My father got mad at me, because I had a passwd on my Linux-account...
I told him, that he hasn't got anything to do in my mails at all; Now, he took my phone :) Still laughing at his education-methods xD
BTW: I have to code in the Main room, seen by anyone... I feel like a zoo attraction :( Wish, I could put my PC into my room; I'm old enough after all -.-
-
Oh man, I fucked up...
I was doing after hours work for client, setup website with https.
Can't work over sftp with current user, so I give it the same user ID as apache, get files transferred and shit.
Go back to change uid, set wrong uid, now my user is ntp, I can't get into root, can't set password...
I fucked up
Tail between the legs, sent email to clients support, asking them to fix my user fuck up, waiting for reply
-
There is a true story at my workplace.
A Linux administrator installing putty on its first day of work. On fedora Linux. Alright maybe normally using Windows. The next thing he had done was amazing.
He changed the UID in passwd file of root and pushed it to all servers......
Nobody could fix it anymore because even root didn't have rights to edit passwd. Next day he was asked not to come back
-
Fuck all authentication everywhere all the time. Fuck your passwords. Fuck your fingerprints. Fuck your rolling key fob. Fuck your aws secrets. Fuck your docker secrets. Fuck your oauth. Fuck your /etc/passwd. Fuck your groups. Fuck chmod and fuck chown and definitely fuck Kerberos. Fuck Saml. Fuck duo mobile. Fuck rotating pins. Fuck axiad. Fuck selinux. Fuck your fill out this form to get role based access. Fuck it doesn’t work because you can’t log in. Fuck it.
-
Hey passwd, when I want my password to be short then I want it fucking short. Don't tell me that "f" is too weak and prevent the action. A mere warning would suffice. (And I now know that if run as root it doesn't check the password criteria. Still, the default is annoying.)
I needed a short password to work around a weird frozen system issue on unlocking the keyring in the latest Ubuntu release. It would freeze completely while I was typing my password, and hence by making my password short, I was quicker than the freeze, and hence got a useable system again.
-
I started using Keepass like 2 months ago, and recently i started going through all my email accounts to compile a list of all the services i've ever signed up to; delete the accounts you don't need and move everything else to keepass with a strong passwd, that was the plan.
I'm still going, but out of the 60 i have so far, 10 sites just had the password, *in plain text*, in the confirmation email!! I don't even know anymore, just end me now plz 😢
-
The fuck? I'm trying to automate login for an asp.net website from a C# console app using HttpWebRequests. I used Fiddler to see how the login happens and how the browser obtains the session and auth cookies from the server. When I replicate the same procedure from C#, I am able to get both cookies without a problem, but when I try to use them to get data about the user, I get a 500 ISE. What the actual fuck? I've double-checked every single header and the URLs and it's doing literally the same thing as chrome: Get asp session id (POST) -> get an auth cookie (POST username and passwd) -> interact with the site using the session id and auth cookie (GET). And obviously I don't have access to the server logs... :/
-
Got bit by a hacked repo. It was compromised for all of like 30-some seconds. No intrusions, but now I can't set my root password (passwd goes "oh, yeah, we got this" then it does... nothing...) and Wayland/X/Gnome/Cinnamon/KDE/whatever the kids use nowadays are all busted (they all start, but they just hang tty1 and whatever other console invoked it). Tried reinstalling all those kinds of things, didn't help.
fml
-
Changed db host from sles 11 to sles 12...
Users had to set a new pw...
And there is this guy, who is longer in this business, than I am on this world...
Yet I had to show him passwd...
And now he gets back to me with the following:
C: "since the pw reset my password doesn't work"
> Cutout from the error message, which clearly says ssh algorithm negotiation failed
Me: "just to be sure, are your pws set correctly? And what client do you have, where does this message come from?"
C:"i checked the pws, they match. I still get the error."
...
Me: "... And what's your client? Does putty/cygwin still work?"
C:"yeah they still work"
...
Me:"and what throws this error?"
C:"uhm Ant"
*FYI: some version as old as the brown coals used to do some shady db2 and java stuff*
*Me doing a quick googling for the error and Ant*
Me:"yup... It appears, that the java lib has some problems with the ssh algorithms.. here are some stackoverflow links, which described your problem." *at least make me try, please*
*Waiting for his response, which will surely result in pure enlightenment and bliss for me...*
Seriously... How dare Java fuck this up...
-
>finally gets around to installing vsftpd on home server RPi
>doesn't work
hmm.mp2
>configurating
>confusing as fuck template documentation
>man page isn't much better
>gets it working
>goes to log in
User: pi
Password: a
(What? It's a home file/command server isolated from the Internet. Sue me.)
nope.avi
>why
>tries again
nope.svg
>FUCK
>sees small raw-command log in bottom-right of phone FTP client
hmm.flac
>tries again, watches log
PASS *****
>the fuck
>goes to change user pass over SSH
# passwd
"Current password?"
about half a second later
"passwd: auth token manipulation denied"
>the delay tho
>WAIT A SECOND
one time i got past some parental software bullshit on a tablet by abusing the delay between opening a banned app and the redirect to the normal software at like age 7. (Doing so let me enable remote wipe through Google. bye bye software!)
>*inner 7 year old has autistic screech*
# nano temp
a
abcdefghi
abcdefghi
^O Y ^X
# passwd < temp
>fucking works
>logs in to FTP server successfully
>does the one file download that was needed
why and how did that fucking work
-
$ Login: phoomparin
*types in password*
Incorrect Password.
*rushes to type user and passwd again*
Password shows in cleartext...
-
Remember kids, passwd is a readable file! You can have a very bad day trying to figure out a user's shell from side-channel attacks and getting nowhere, or you could remember that it LITERALLY SAYS WHAT IT IS PUBLICLY IF YOU DON'T FORGET THAT IT'S THERE.
On the plus side, I learned a ton about what you can do with ssh arguments and debugging logs. Shit's pretty cool.
-
Actual validation message. I will omit the culprit to not shame them:
Your password must be at least eight (8) characters long and contain at least one letter,
one digit and three (3) special characters. No combination of any of the previously mentioned
requirements may be in a repeat success of one (1) or more. Special characters must be
separated by at least two (2) non-special characters, not including numbers. You may not
use more more than one (1) upper-cased and one (1) lower-cased letters in order together. You
may not begin or end your password with an uppercase letter or special character. You may use
no more than eight (8) special characters in your password.
If you need any assistance with this process, please send a message to our support staff.
Message: PASSWD-NG
Your IP Address: 50.202.37.1335 -
One of the worst practices in programming is misusing exceptions to send messages.
This from the node manual for example:
> fsPromises.access(path[, mode])
> fsPromises.access('/etc/passwd', fs.constants.R_OK | fs.constants.W_OK)
> .then(() => console.log('can access'))
> .catch(() => console.error('cannot access'));
I keep seeing people doing this and it's exceptionally bad API design, excusing the pun.
This spec makes assumptions that not being able to access something is an error condition.
This is a mistaken assumption. It should return either true or false unless a genuine IO exception occurred.
It's using an exception to return a result. This is commonly seen with booleans and things that may or may not exist (using an exception instead of null or undefined).
If it returned a boolean then it would be up to me whether or not to throw an exception. They could also add a wrapper such as requireAccess for consistent error exceptions.
If I want to check that a file isn't accessible, for example for security then I need to wrap what would be a simple if statement with try catch all over the place. If I turn on my debugger and try to track any throw exception then they are false positives everywhere.
If I want to check ten files and only fail if none of them are accessible then again this function isn't suited.
I see this everywhere although it coming from a major library is a bit sad.
This may be because the underlying libraries are C which is a bit funky with error handling, there's at least a reason to sometimes squash errors and results together (IE, optimisation). I suspect the exception is being used because under the hood error codes are also used and it's trying to use throwing an exception to give the different codes but doesn't exist and bad permissions might not be an error condition or one requiring an exception.
Yet this is still the bane of my existence. Bad error handling everywhere including the other way around (things that should always be errors being warnings), in legacy code it's horrendous.
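
The wrappers the last rant asks for, as an added example that is not part of the original post or of Node's own API: a boolean check that still throws on genuine failures, an "any of these files" check, and a throwing variant. The names `canAccess`, `anyAccessible`, `requireAccess`, the `DENIED` code set and the sample paths are assumptions of this sketch.

```javascript
// Added example, not from the Node.js manual. canAccess, anyAccessible and
// requireAccess are hypothetical names for this sketch.
// Dynamic import() works from both CommonJS and ES module files.
const fsp = import('node:fs/promises');

// errno codes that mean "the answer is no" (this example's choice of set).
const DENIED = new Set(['ENOENT', 'ENOTDIR', 'EACCES', 'EPERM', 'EROFS']);

// true/false for the access question; anything else (EIO, bad argument, ...)
// is still thrown, so real failures are not folded into "false".
async function canAccess(path, mode) {
  const { access, constants } = await fsp;
  try {
    await access(path, mode ?? constants.F_OK);
    return true;
  } catch (err) {
    if (DENIED.has(err.code)) return false;
    throw err;
  }
}

// "Check ten files and only fail if none are accessible."
async function anyAccessible(paths, mode) {
  const results = await Promise.all(paths.map((p) => canAccess(p, mode)));
  return results.some(Boolean);
}

// Throwing variant for callers that do treat denial as an error.
async function requireAccess(path, mode) {
  const { access, constants } = await fsp;
  await access(path, mode ?? constants.F_OK);
}

// The result is advisory: the file can change between this check and a later
// open(), so code that goes on to open the file must still handle the open
// failing rather than trust the earlier answer.
async function demo() {
  const { constants } = await fsp;
  const rw = constants.R_OK | constants.W_OK;
  return {
    passwdWritable: await canAccess('/etc/passwd', rw),
    missing: await canAccess('/nonexistent/constructed-path', constants.R_OK),
  };
}

demo().then(console.log);
```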