Search - ".pw"
-
Got a phishing email with name-pw sent as get parameters so I did what every respectable human would have
-
M - Me
F - Family member
F: So you study computer science... Could you recover my Gmail login data? I don't remember my email address, password or security question. (7th request to me like that from the same person, they don't bother to write down the recovered pw)
M: I can't do it if I don't know any of the above
F: Wow, I thought you're a good student... Could you at least create a new account for me?
M: But you won't even remember the new... [gets interrupted]
F: So, are you going to talk trash or get to work? You would have already been 50% done
PLEASE I'M SO TIRED OF IT. HOW DO I DEAL WITH THESE OTHER THAN TELLING THEM WHAT I THINK ABOUT THEM. I SEEK HELP
-
Well, just remembered a fuck up one of my friends and me did. Back in the 9th grade, both of us took part in a computer course (just a normal lesson). He got me into programming. So after half a year we "hacked" into the school server. Tbh it was quite simple. The server did a backup each week in a specific folder. The problem was, the backup file had no proper rights set. Everyone had access to it. So we inspected it closely and found out that the passwords were saved there. So we made it our mission to get one of the teacher's passwords or even the root one, which had more privileges than the normal student accounts. After about 2 days we managed to crack one of them (using a hash table available for download). The passwords were saved without salting them, making it quite easy to get one. Now we were sitting there, having access to a teacher's account. So we logged in and tried to figure out what to do next. It looked like the administration fkud up with the rights too and all teachers had access to root by just using their normal pw. Well, the Grand final is coming. We put a script into the startup of the server (which restarted at 4:30 AM each Friday). The only line that was written in it was "./$0|./$0&"
We never got caught. And it was a heck of fun ^^
-
This is what happens to overworked PMs.
Me: When users create accounts with social logins, they don’t have passwords in our database. If they try to enter an email and pw on the login form, what do you want the error message to say?
PM: Can we add a modal that says “Your account doesn’t have a password, set one now.” And have a password field?
Me: ☠️ That…would…allow…anyone…to…hijack…an…account…
PM: Right. Never mind.
-
So I ordered a vape because I'm a millennial and had it delivered to the office. Today they sent me an email, saying that the package is at the delivery company, if I wanna change the address, go to url.com/delivery?pw=ASD123
Uhhhhhhhhhhhhhh
-
If($password = $password2) {
//login
}
Keep in mind that password is the salted and hashed input and password2 is the salted and hashed pw in the database...
Who needs passwords am I right?
-
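The assignment-in-condition bug from the rant above, shown next to a comparison that actually checks the hashes. This is an added example, not the poster's code; the salted SHA-256 helper, the function names and the sample values are constructed for illustration.

```php
<?php
// Added illustration; legacyHash(), the salt and the passwords are constructed.

// Stand-in for the rant's "salted and hashed" value (not a recommended scheme).
function legacyHash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Pattern from the rant: "=" assigns the stored hash to $password, and the
// condition then tests a non-empty string, which is always truthy.
function loginBroken(string $password, string $password2): bool
{
    if ($password = $password2) {
        return true; // reached for every input
    }
    return false;
}

// Intended check: compare the two hashes, in constant time.
function loginFixed(string $password, string $password2): bool
{
    return hash_equals($password2, $password);
}

$salt     = 'constructed-salt';
$stored   = legacyHash($salt, 'S3cret!');   // value "in the database"
$attempts = ['S3cret!', 'wrong-guess', ''];

foreach ($attempts as $typed) {
    $inputHash = legacyHash($salt, $typed);
    printf(
        "%-14s broken=%s fixed=%s\n",
        var_export($typed, true),
        var_export(loginBroken($inputHash, $stored), true),
        var_export(loginFixed($inputHash, $stored), true)
    );
}

// With PHP's password API the salt lives inside the hash, so the stored value
// is never compared directly; password_verify() re-derives and compares it.
$modern = password_hash('S3cret!', PASSWORD_DEFAULT);
var_dump(password_verify('S3cret!', $modern));
var_dump(password_verify('wrong-guess', $modern));
```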
Tl;dr; even password as simple as 123! could be too difficult to use for unauth access. Even if you write it down for someone! Some minor HID config changes could be unbeatable for some people.
I always leave my lappy at the office and I leave it turned on and connected so I could connect to it from home if I really need to. The holiday is not an exception. I left it connected too.
For a few weeks I was trying to connect to it from home to doublecheck xpra command I was using. Without any luck. The lappy was unreachable all this time :/
Today some people came in the office. I reached out to one of them I trust the most to check on my lappy. And he says its charger is unplugged. Fucking janitors...
I ask to plug it back in and turn it on. LUKS password prompt pops up. I send him the pw via sms along with a note that I'm using non-EN kbd layout. He confirms he'll manage.
20 minutes later he pings me "are you sure the pw is correct?". Yes it is! 5 more minutes later he pings me "... Is this how you type numbers and symbols with your layout?" nope, it's the other way around!
10 more minutes later he plugs in his own kbd, still fails. Sets up my layout in his lappy, spends a few minutes using it, plugs it back to my lappy and FINALLY enters the pw correctly.
Come on dude.. 😁
-
So my colleague is making a noise about his password not being accepted for a new account and calls me over to come assist.
After getting there and taking a look I could easily see the confirmation password was much longer than the intended password and point this out to him.
He then proceeds to work through the source to the confirm password field and changes the data to text so I can read the confirmed password
Password: *******
Confirm PW: Yup that's it
Major facepalm for the prank😂
Colleague - @minij0ker4 -
I previously worked as a Linux/unix sysadmin. There was one app team owning like 4 servers accessible in a very specific way.
* logon to main jumpbox
* ssh to elevated-privileges jumpbox
* logon to regional jumpbox using custom-made ssh alternative [call it fkup]
* try to fkup to the app server to confirm that fkup daemon is dead
* logon to server's mgmt node [aix frame]
* ssh to server directly to find confirm sshd is dead too
* access server's console
* place root pswd request in passwords vault, chase 2 managers via phone for approvals [to login to the vault, find my request and approve it]
* use root pw to login to server's console, bounce sshd and fkupd
* logout from the console
* fkup into the server to get shell.
That's not the worst part... Aix'es are stable enough to run for years w/o needing any maintenance, so all this complexity could be bearable.
However, the app team used to log a change request asking to copy a new pdf file into that server every week and drop it to app directory, chown it to app user. Why can't they do that themselves you ask? Bcuz they 'only need this pdf to get there, that's all, and we're not wasting our time to raise access requests and chase for approvals just for a pdf...'
Oh, and all these steps must be repeated each time a sysadmin tries to implement the change request as all the movements and decisions must be logged and justified.
Each server access takes roughly half an hour. 4 servers -> 2hrs.
So yeah.. Surely getting your accesses sorted out once is so much more time consuming and less efficient than logging a change request for sysadmins every week and wasting 2 frickin hours of my time to just copy a simple pdf for you.. Not to mention that there's only a small team of sysadmins maintaining tens of thousands of servers and every minute we have we spend working. Lunch time takes 10-15 minutes or so.. Almost no time for coffee or restroom. And these guys are saying sparing a few hours to get their own accesses is 'a waste of their time'...
That was the time I discovered skrillex.
-
"Some settings are managed by your organisation"
I understand the necessity for companies to be able to remotely manage their devices, but my god, I hate working on company laptops sooo much!!
Fun fact, even Chrome can be managed! They can manage everything. It's called Microsoft Intune. It sucks!! And fucking 45 day PW change policy! And fuck you, Windows Defender Real-time protection which I can't turn off and its high CPU consumption. Also fuck you Microsoft Teams for scanning. Every. Single. Link. I. Click. On. From. A. Chat. Before. Redirecting. Me. To. The. Actual. Website. Always takes a couple of seconds. Waste of time. Those accumulate over time you know! AND to Windows Update! You already know what is coming next: stop force-updating while I'm in the middle of fucking meeting! I have shit to do! Another fun fact: you can postpone Windows Update by turning the clock back. LIKE PLAYING AN OLD TIME-BASED STRATEGY GAME ON PC IN 1999. (12h work best.) And this fucking weak ass VPN. WHY I PAY FOR 1Gbps WHEN COMPANY VPN ONLY 10Mbps?!! What Am I? A fucking snail! Go faster!! pls!
But, thank god, we can email shit and open attachments in Outlook.
-
IF YOU UPDATE AN ADM PLATFORM FOR FUCKS SAKE DON'T DO THE FOLLOWING THINGS:
1. ONLY DOCUMENT IT IN A POWERPOINT
2. WRITE DOWN IPs AND PORTS ONLY ON A WHITEBOARD
3. MOVE TOOLS TO OTHER SUBNETS OR DOMAINS WITHOUT PROPERLY KNOWING THE WAYS OF COMMUNICATION BETWEEN THEM
4. USE YOUR PERSONAL EMAIL ADDRESS AS RESET OPTION FOR LICENCE-MANAGEMENT ACCESS IF NO ONE KNOWS THE PW
5. LEAVE THE COMPANY THE DAY AFTER THE UPGRADE IS DONE
Because the guy who has to take care of the upcoming problems is not going to like you!
BUT having to deal with all of this at once would not be a problem if your, so called team (30 People who work with those applications e.g. as test-engineers) would actually work together instead of having that "not my daily business, I am going to drink coffee" attitude.
Apparently I am the only one who has enough balls to see, admit, and report a problem to our leadership.
This always leads to Me fixing the issue...
....that's alright I am learning a lot...
...BUT IF A TEAM-MATE, WHO HAS THE SAME DEGREE AS I AM GOING TO GET, LEAVES EARLY BECAUSE: "HE DOES NOT KNOW WHATS WRONG", IT TRIGGERS ME!!!
- The apprenticeship guy
PS Needless to say hundreds of clients have access to those systems and I worked through a shitload of official tool docs just to get to know the tools first...
-
Fun though practical question.
You've accidentally pasted and sent some internally used password, let it be your account pw or some server's root pw, into a company's chat channel with 100+ other employees. What do you do next? :)
P.S. deleting the message is not possible
P.P.S. this happens. Thanks to windows "Let me just quickly change window focus from putty to chat window" _FEATURE_ I've accidentally shared like a dozen of root passwords with others.
-
Since, I am already using Mullvad's vpn service, I also stumbled on https proxies.
Is it still safe to enter my devRant login data, when I would use a https proxy in FF's settings?
The Proxy is a free elite https proxy.
And devRant also uses SSL.
The traceroute would seem like this I guess.:
VPN(*le me sendin my password -> SSL Proxy -> SSL DevRant)
--------------------
Following that path, I would assume that it would be like this in detail:
HTTPS Request
-PW gets encrypted by VPN service
-" " " again " HTTPS Proxy
-" " " again " devRant itself
-
Gotta love the IoT.
They set up a new surveillance camera in the company, that can stream live footage over the network and that little shit picked the IP address of a coworker one day AFTER being set up.
Hurray for static routing. Hurray to the person who didn't disable DHCP on the router (Should probably configure my PC to use a static IP as well lel)
Anyways, this happened outta nowhere when I, the only guy who knows shit about IT and is usually present at the office, wasn't there and could not connect remotely.
The other, remote programmer, who set up the network, could guide the coworker to get a new IP but, he was worried that we got ourselves an intruder.
Since nobody told me yet that we (should) have static routing, I thought there was a mastermind at work who could get into a network without a wifi-access point and spoof the coworker in order to access some documents.
The adrenaline rush was real 😨
Scanning the network with nmap solved the mystery rather quickly but taught me that I need to set up a secure way to get remote access on the network.
I would appreciate some input on the set up I thought of:
A raspberry Pi connected to a vpn that runs ssh with pw auth disabled and the ssh port moved.
Would set up the vpn in a similar fashion.
-
So I still have my very first email account, a hotmail account as a secondary, kinda spam account.
I signed up around 2000 I guess.
Someone tried to get in, I got loads of mails of failed login attempts so I wanted to go and change my pw. But because of that bastard I can't login with just pw anymore, I need my phone. THAT ACCOUNT IS 20 FUCKING YEARS OLD. I never even provided a phone.
Spent the last 20 minutes providing personal details to microsoft which are probably not the ones I used for signing up anyway.
You know how careful we were when signing up for something online back then? I probably signed up as Thomas anderson from zion...
Anyway, done now and now it will take 24h for them to review it..
All of this only to reset my forgotten pw for my epic games account for which I signed up with that mail...
holy guacamole.. I should start to trust password managers...
-
Created an md5 hash for the admin user's pw on a personal project and the hash starts with "bad666...".
Is md5 telling me something?
Hmm...
-
Had trouble to connect to our MySQL database, so I decided to open a ticket to the Database admins. At least they are pros and I'm sure they'll help me:
"Hey guys, I have trouble connecting to [Hostname]. I guess it's a firewalling issue would you take a look? Attached are screenshots, saying hostname not found.
Answer:
Hey Dominique, are you sure the password you used is correct? Is it yours or the sysuser pw what you sent to the server? How did you send it?
Me: (kind of confused) Hey dear admin, did you look at my error message? It says Hostname not found. What do you think how I provided any credentials?
Support: yes, I saw your screenshot and don't see any password entry. That's why I asked!
Me: Well, then... ok... go and search for another job. Yeah and consider fucking yourself. Kisses.
-
9000 internet cookie points to whoever figures out this shit:
I'm trying to import a secret gpg key into my keyring.
If I run "gpg2 --import secring.gpg" and manually type each possible password that I can think of, the import fails. So far, nothing unusual.
HOWEVER
If I type the same passwords into a file and run:
echo pwfile.txt | gpg2 --batch --import secring.gpg
IT ACTUALLY FUCKING WORKS
What the fuck??? How can it be that whenever I type the pw manually it fails, but when I import it from a file it works??
And no, it's not typos: I could type those passwords blindfolded from muscle memory alone, and still get them right 99% of the time. And I'm definitely not blindfolded right now.
BUT WAIT, THERE'S MORE!!
Suppose my pwfile.txt looks something like this:
password1
password2
password3
password4
password5
password6
Now, I'm trying to narrow it down and figure out which one is the right password, so I'm gonna split the file in two parts and see which one succeeds. Easy, right?
$ cat pw1.txt
password1
password2
password3
$ cat pw2.txt
password4
password5
password6
$ echo pw1.txt | gpg2 --batch --import secring.gpg
gpg: key 149C7ED3: secret key imported
$ gpg2 --delete-secret-key "149C7ED3"
[confirm deletion]
$ echo pw2.txt | gpg2 --batch --import secring.gpg
gpg: key 149C7ED3: secret key imported
In other words, both files successfully managed to import the secret key, but there are no passwords in common between the two!!
Am I going retarded, or is there something really wrong here? WTF!
-
Changed db host from sles 11 to sles 12...
Users had to set a new pw...
And there is this guy, who is longer in this business than I am on this world...
Yet i had to show him passwd...
And now he gets back to me with the following:
C: "since the pw reset my password doesn't work"
> Cutout from the error message, which clearly says ssh algorithm negotiation failed
Me: "just to be sure, are your pws set correctly? And what client do you have, where does this message come from?"
C:"i checked the pws, they match. I still get the error."
...
Me: "... And whats your client? Does putty/cygwin still work"
C:"yeah they still work"
...
Me:"and what throws this error?"
C:"uhm Ant"
*Fyi: some version as old as the brown coals used to do some shady db2 and java stuff"
*Me doin a quick googleing for the error and Ant"
Me:"yup... It appears, that the java lib has some problems with the ssh algorithms.. here are some stackoverflow links, which described your problem." *at least make me try, please*
*Waiting for his response, which will surely result in pure enlightenment and bliss for me...*
Seriously... How dares java to fuck this up...
-
So I just got an insight from my PW session in SQLplus. I finally understood why the fridge did the SQL console under Oracle return the error:
ORA-00911: invalid character
on a line that seemed perfectly correct, but it's as if it spawned you an invalid character, just because.
But in fact, when I enter a character unintentionally like ç, then I remove it, it's as if the text prompt makes it look like it got removed, but there's still the cedilla, or at least its character code roaming around in the line I'm writing, and thus resulting in an error.
I'm not even salty now, that got me curious, and I think it's better like this, even if I'll require a bit of research on that thing later on.
-
Sometimes the implementation of setting a pw is really wow... yesterday I created a new db in my 1and1 hosting package. I generated a strong pw with a length of 20 and tried to set it. It took me 1h to find out that 1and1 only accepts 9 signs and I ranted after that because nobody says that they will just cut the inserted pw and set it with no warning or hint that I maybe should choose a shorter one...
-
So, some data need to be prepared during the summer and the diverse departments' elected data processors got shared in a Google spreadsheet they will need to fill with some basic data IT needs. Simple, straightforward data entry, with nothing private nor confidential. Just another divide-and-conquer-style large amount of data to enter & organise, that's all.
Today, I received a new comment notification as the owner of the spreadsheet. You can imagine my surprise when I saw that, for some f*cked up reasons, one of the guys just wrote the super-admin username & pw for one of the main data systems we use in a freaking comment in the spreadsheet... WTF...
Oh, and also, juuust in case, he also wrote the pin code that is normally required to pass through the device-check when you log-in as a super-admin from an unknown device and/or location.
Fortunately I could catch it on time, but this just ruined half of my day.
I am supposedly on freaking annual leave. Ha Ha. Ha.