Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Creating a new account is always fun...
"This Is My Secure Password" <-- Sorry, no spaces allowed.
"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number
"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character
"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed
"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed
"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters
"Fuck" <-- Sorry, passwords must longer than 6 characters
"Fuck_it" <-- Sorry, passwords can't contain bad language
"Password_1" <-- Accepted.25 -
Dear EA games.
If you want to tell me my password needs to be “more” secure in your error message, at least tell the fucking truth about it.
- 100 random character password entered on mobile
- response: password needs to be more secure
- WTf!
- loads on pc
- notices password rules
- must be between 8 and 16 characters...
- I think that’s a Wii little Less secure you ass hats, and WHY can’t you show this fucking notice on mobile 😖12 -
Microsoft pro account.
2018.
16 characters.
2018.
Microsoft.
16.
2018.
Microsoft.
(Screams in French)
5 -
That should be enough characters...
var str = "The Hardest Button to Button";
var res = str.substring(0, 16);
3 -
Often I hear that one should block spam email based on content match rather than IP match. Sometimes even that blocking Chinese ranges in particular is prejudiced and racist. Allow me to debunk that after I've been looking at traffic on port 25 with tcpdump for several weeks now, and got rid of most of my incoming spam too.
There are these spamhausen that communicate with my mail server as much as every minute.
- biz-smtp.com
- mailing-expert.com
- smtp-shop.com
All of them are Chinese. They make up - rough guess - around 90% of the traffic that hits my edge nodes, if not more.
The network ranges I've blocked are apparently as follows:
- 193.106.175.0/24 (Russia)
- 49.64.0.0/11 (China)
- 181.39.88.172 (Ecuador)
- 188.130.160.216 (Russia)
- 106.75.144.0/20 (China)
- 183.227.0.0/16 (China)
- 106.75.32.0/19 (China)
.. apparently I blocked that one twice, heh
- 116.16.0.0/12 (China)
- 123.58.160.0/19 (China)
It's not all China but holy hell, a lot of spam sure comes from there, given how Golden Shield supposedly blocks internet access to the Chinese citizens. A friend of mine who lives in China (how he got past the firewall is beyond me, and he won't tell me either) told me that while incoming information is "regulated", they don't give half a shit about outgoing traffic to foreign countries. Hence all those shitty filter bag suppliers and whatnot. The Chinese government doesn't care.
So what is the alternative like, that would block based on content? Well there are a few solutions out there, namely SpamAssassin, ClamAV and Amavis among others. The problem is that they're all very memory intensive (especially compared to e.g. Postfix and Dovecot themselves) and that they must scan every email, and keep up with evasion techniques (such as putting the content in an image, or using characters from different character sets t̾h̾a̾t̾ ̾l̾o̾o̾k̾ ̾s̾i̾m̾i̾l̾a̾r̾).
But the thing is, all of that traffic comes from a certain few offending IP ranges, and an iptables rule that covers a whole range is very cheap. China (or any country for that matter) has too many IP ranges to block all of them. But the certain few offending IP ranges? I'll take a cheap IP-based filter over expensive content-based filters any day. And I don't want to be shamed for that.7 -
Microsoft seriously hates security, first they do enforce an numer, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen to often, gee thanks for the brute force tips.
To add insult to injury the first displayed "tip" take a look at the attached image.
13 -
Ladies and gentleman, I've done it.
Remove your hacker game trophies from your wall.
That nasty bug you fixed a couple of nights ago? Meh.
Your top devRant post? You'll delete it after reading this.
Every awesome accomplishment you can think of: it all means shit now.
>> I have SUCCESSFULLY changed my business Microsoft account password into something I can remember AND Microsoft accepted it in under an hour of trying!!!!! <<
I want to say a big FUCK YOU to MICROSOFT for WASTING MY BLOODY TIME.
FUCK YOU for giving me a max of 16 characters. DASB&(*(&G*HH*& for telling me every time my password is 100% strength and then after every submit tell me I have to change it AGAIN because it should be harder to guess. WUT?! It was 16 characters including a (capital) letter, number and multiple special characters, WHAT ELSE DO YOU WANT FROM ME?! UNICODE EMOJI'S???!!! ALLOW ME TO USE MORE CHARACTERS SO I WILL MAKE IT HARDER TO GUESS IT, IT'S 2018 FFS.
I don't even understand why my new password is accepted compared to the other one, but fuck it I can access my account again.
Now I might have to find a new job before the company password policy kicks in again.
/me drops everything and walks out of the office to get wasted (not sure if celebrating or just really pissed off)7 -
And 1&1 again... I tried to create a new database... 1&1: “the password is to long. Please choose a password that is not longer than 16 characters.” 🙃
9 -
I used to love small 12 pt fonts but recently I've really liked coding with medium sized 16-18pt fonts and it's a big difference. As long as the characters are thin (like first code light) I really quite prefer it.
Am... Am I getting old...?13 -
Oh boy I got a few. I could tell you stories about very stupid xss vectors like tracking IDs that get properly sanitized when they come through the url but as soon as you go to the next page and the backend returns them they are trusted and put into the Dom unsanitized or an error page for a wrong token / transaction id combo that accidentally set the same auth cookie as the valid combination but I guess the title "dumbest" would go to another one, if only for the management response to it.
Without being to precise let's just say our website contained a service to send a formally correct email or fax to your provider to cancel your mobile contract, nice thing really. You put in all your personal information and then you could hit a button to send your cancelation and get redirected to a page that also allows you to download a pdf with the sent cancelation (including all your personal data). That page was secured by a cancelation id and a (totally save) 16 characters long security token.
Now, a few months ago I tested a small change on the cancelation service and noticed a rather interesting detail : The same email always results in the same (totally save) security token...
So I tried again and sure, the token seemed to be generated from the email, well so much about "totally save". Of course this was a minor problem since our cancelation ids were strong uuids that would be incredibly hard to brute force, right? Well of course they weren't, they counted up. So at that point you could take an email, send a cancelation, get the token and just count down from your id until you hit a 200 and download the pdf with all that juicy user data, nice.
Well, of course now I raised a critical ticket and the issue was fixed as soon as possible, right?
Of course not. Well I raised the ticket, I made it critical and personally went to the ceo to make sure its prioritized. The next day I get an email from jira that the issue now was minor because "its in the code since 2017 and wasn't exploited".
Well, long story short, I argued a lot and in the end it came to the point where I, as QA, wrote a fix to create a proper token because management just "didn't see the need" to secure such a "hard to find problem". Well, before that I sent them a zip file containing 84 pdfs I scrapped in a night and the message that they can be happy I signed an NDA.2 -
And another shitty hoster...
Translation:
“The password is to long. Please choose a password that is not longer than 16 characters”
2 -
Fuck pep8 in general. Fuck harder anything to do with line limits. Fuck with a rusty spatula those who tie it into their git precommits or CI tests.
What's that, it's 2018 and even the shittiest walmart-tier computers have 1080p OR BETTER at a 16:9 aspect ratio?
"lol, 80 character line limit."
Eat a bucket of rancid dicks.
Oh, and since we're forcing you to be so economical with your characters, we're going to force four space tabs. Yknow, rather than simple single tab characters, which could mean everyone can set their preferred level of spacing without bloating the code with whitespace.
Because, yknow, it's entirely reasonable to chew up 1/8 of a line because you're editing a function inside a class definition. God Almighty forbid you try to do a for loop inside that function! Fuck you!
"Oh but you can't have two editors or terminals open side by side without that limit!"
BULL FUCKING SHIT. Here's my shitty 1280x1024 display on my shitty computer with two Sublime editors open side by side. You'll notice the break is at 100 characters. You'll notice I don't have to scroll horizontally to do two things at once. You'll notice I even have room for COMMENTS!
If your code standards require you to make your code *less* readable and *less* clear and take up *more* space to accomplish the same tasks, YOUR CODE STANDARDS SUCK!
Enough with this stupid meme. We're not in the 80s anymore and it's high time to start fucking acting like it.
7 -
Make all fancy Azure blob storage with SFTP connection through firewall with dedicated public IP.
...to just find out that the webcameras you want to send stuff to the blob storage take in max 16 or 30 character passwords for sFTP. While the autogenerated passwords for SFTP in Azure are 32 characters long.
WHO THE HELL RESTRICTS PASSWORD LENGTH!? ASfjksdnfjksdjfnjksdakfadsnjkfjdsa14 -
I hate password restrictions that enforce all kind of limitations but then also limit you to a max of 16 ANSI characters ... i want passwords like this pѬѬasѪ"§§)("!编/)$=?!°&%)?§"$(§sw2
-
Never had a truly bad experience with a designer but once one mentioned offhand that the unique keys that we were using to secure access to sensitive information should be only 4 characters long because it looks better that way...
I kept them at 161 -
I feel with @gipsydanger
I had to work with snake case columns with a maximum name length of 16 characters. Abbreviations, acronyms and undocumented adfixes. The ORM models were generated with resolved pendants of the column names. There are typos in name resolving and some adfixes were used with different understandings which result in completely wrong field/property names for the ORM. As this ORM class generating process is separated from migrations some people did not care or check on the ORM.
Previous rant https://devrant.com/rants/1461563/1 -
I had to create an account on a website. I used LastPass to generate a strong password. I entered it and got the following message:
"Password must be between 8 and 16 characters and must have special characters (? , ! & #) and numbers"
My password was 20 characters, me annoyed to generate a 16 character password. Filled it in and got the same error. That was it for me.
Who dafuq limits a password to 16 characters, that's fucking nothing. It did not accept all special characters, only the ones that were showed (like 5 or so).
And here comes the worst part...
It's a bank website! I had to create the most most most insecure password in history for it to work.7 -
Have any of you noticed how bad the new Google login page is? They invented reCAPTCHA, yet they use the old one. Considering how easy it is to make a mistake in the captcha and have to retype the password, people could start making shorter passwords (<16 characters) and seriously lower the security level of their accounts.4
Top Tags
Weekly Rant
View