Search - "account password"
-
I had a secondary Gmail account with a really nice short nickname (from the early invite/alpha days), forwarded to another of my mailboxes. It had a weak password, leaked as part of one of the many database leaks.
Eventually I noticed some dude in Brazil started using my Gmail, and he changed the password — but I still got a copy of everything he did through the forwarding rule. I caught him bragging to a friend on how he cracked hashes and stole and sold email accounts and user details in bulk.
He used my account as his main email account. Over the years I saw more and more personal details getting through. Eventually I received a mail with a plaintext password... which he also used for a PayPal account, coupled to a Mastercard.
I used a local website to send him a giant expensive bouquet of flowers with a box of chocolates, using his own PayPal and the default shipping address.
I included a card:
"Congratulations on acquiring my Gmail account, even if I'm 7 years late. Thanks for letting me be such an integral part of your life, for letting me know who you are, what you buy, how much you earn, who your family and friends are and where you live. I've surprised your mother with a cruise ticket as you mentioned on Facebook how sorry you were that you forgot her birthday and couldn't buy her a nice present. She seems like a lovely woman. I've also made a $1000 donation in your name to the EFF, to celebrate our distant friendship"
-
How I've decided to answer the "can you hack" question from here on in...
"Can you show me how to hack this account please?"
"Sure, you'll need a hammer, a blow torch, chloroform, some pliers and couple of bottles of really pure vodka!"
"What the hell?!"
"Oh, it's so much quicker to just extract a password from a person, than it is to break into a system, I'm not exactly trained in inflicting pain on the human body, but I'm sure you'll be able to figure it out through trial and error, good luck!"
-
TLDR : I left a company which doesn't understand the concept of email id and passwords.
Me (trying to login to the alumni website) *no register user option*
Customer support - you've to click on forgot password to create an account.
Me - Wonderful
*clicks on reset password*
*enters employee id, name, email, father's name, DOB, date of joining , date of leaving, current city because apparently if I just enter my employee id it is as if they never knew me. Sigh*
*your password will be sent to your email id*
Me - okay. *waits for two weeks because I assumed someone will manually go and create my account and email me, considering the state of system. *
After two weeks,
Me - I still haven't received my password on email after I created my account. Can you please check?
After one week,
Customer support - you need to click on forget password if you forgot your password.
Me - *inventing new curse words* I have not forgot my password, I never received it in the first place!
After one week,
Customer support - yes you'll receive your password on your email id.
Me - *runs out of curse words* seriously dude?
* proceeds to reset password*
System - your password has been reset. Your new password will be sent to your email id. *apparently anyone can reset passwords if you have the employee id, which is an integer*
After a week
Me - Am I going to ever receive the password? I've tried generating passwords, resetting my password. I never get my passwords. What should I do!!
Customer support - yes you need to click on Forgot password.
Me - are you fucking kidding me!!!
You fuckers need to be fired and replaced by a FAQ page which has no question and just a single answer, because a peanut has higher IQ than you. For any questions you may have, just reset password. Goddammit idiots!
Also, which email id are you sending my passwords to?
Customer support - myname@oldcompany.com
Me - you do realize that this is the alumni website for the company. Alumni means ex members.
Being ex members, you can assume we don't have access to our company email ids obviously?
Customer support - yes.
Me - how am I supposed to get the password using my old email id then?
Customer support - you need to click on forgot password option.
I think I should probably move to the Himalayas for my anger management issues. Plus it'll be probably easier to throw idiots off a mountain.
-
Interviewer - so what's your email ID?
Candidate- sir, abc@xyz.com
Interviewer - and password?
Candidate- 12345678
Interviewer - you shared such a confidential information so easily for the job. How can we trust that you will not share any confidential information of the company for some better offers?
Candidate - Sir, I might have shared my password with you but I don't think you can still login to my email account. Let's look for the possibilities. My password can be
12345678
Or
Onetwothreefourfivesixseveneight
Or
1twothreefourfivesixseveneight
1twothreefourfivesixseven8….. so on
Or
2444666668888888 (one 2, three 4….)
13355557777778 (1, two 3, four 5……, 8)….. so on
Or
Combination of all of these…
By the way, did I mention use of capitals? 😂
Finally that candidate was offered with the position as
"HR Manager"
-
There's this guy that sits next to me in a class.
Guy: Hey, you're a hacker right?
Me: I'm a programmer.
Guy: Can you hack into my email account?
Me: Nope, I work in a different field of computer science.
In reality, I want to give him a piece of my mind.
I already know his email so I open up the login page and enter it. I click "forgot password", and it asks for his favorite teacher's name. Keep in mind that he made this account this year.
Me: So anyways, who's your favorite teacher?
Guy: *proceeds to give me favorite teacher's name*
Me: 🤦♂️
I change his password and log into his account. After that, I show him and tell him about how he should keep his account secure.
He left class with a priceless look on his face.
-
(sensitive parts censored)
Friend: Hey, can you hack my (some website) account?
Me: Depends... What's your username?
Friend: (tells username)
Me: (clicks forgot password?)
Friend: I will give $10 if you do it. There is 2 factor authentication enabled.
Me: (silence) Ok.
Website: Please type the class number you were in in 4th grade.
Me: Hey, did you graduate BLAH elementary school?
Friend: Yeah.
Me: Ahh, I remember. You moved to BLAH elementary school in what grade?
Friend: 4
Me: Hmmm, I don't remember seeing you. What class were you in?
Friend: 5
Me: Well, I now remember. Stupid me. (smirks)
Friend: Haha. (continues to play games beside me)
Me: (Types in 8)
Website: We sent you a password to blah@example.com
Me: (uhh, heads to example.com and clicks forget password?)
Email: Please type the class number you were in in 4th grade.
Me: (wtf is this, types 8)
Email: Please type the teacher's name when you were in in 4th grade.
Me: What was the teacher's name?
Friend: Huh?
Me: When you were in 4th grade.
Friend: Ahh! John Smith.
Me: Ahh, he was strict, right?
Friend: Yeah (continues to play games again)
Me: (Types in John Smith)
Email: Set a new password.
Me: (Types "youaresostupid")
Email: Done!
Me: (copies PLAIN TEXT password from email, logs in to website)
Me: Da-da!
Friend: (gasps)
Me: Money plz~
Friend: Nope.
Me: (wtf, then remembers i changed his email password) Fine then.
=====================
1. There is 2 factor authentication enabled. : Got it?
2. The website sent plaintext password.
3. He is just pure idiot.
4. I didn't get the money.
5. I am now a h4x0r
-
OneDrive:
Login -> Password/Account is wrong
Forgot Password -> Account does not exist
Registration -> There is already an account with this email address
Well, Fuck you
-
Close relative: Hey, what is my gmail password?
Me: I have no idea.
Him: but you created the gmail account for me a couple years ago.
Me: Yeah, I helped you to create it and I warned you to remember your password.
Him: didn’t you write it down somewhere?
Me: no, I didn’t, you fucking useless piece of shit. I am not your fucking password manager.
-
Rant
Why do shithead clients think they can walk away without paying us once we deliver the project !!!
So, here goes nothing..
Got an online gig to create a dashboard.
Since i had to deal with a lot of shitheads in the past, I told them my rules were simple, 20% advance, 40% on 50% completion and 40% after i complete and send them proof of completion. Once i receive the payment in full, only then i will hand over the code.
They said it was fine and paid 20%.
I got the next 40% also without any effort but they said they also needed me to deploy the code on their AWS account, and they were ready to pay extra for it, so i agreed.
I complete the whole project and sent them the screenshots, asking for the remaining 40% payment. They rejected the request saying my work was not complete as i had not deployed on AWS yet. After a couple of more such exchanges, i agreed to setup their account before the payment. But i could sense something fishy, so i did everything on their AWS account, except registered the domain from my account and set up everything. Once i inform them that its done and ask for the remaining payment.
The reply i got was LOL.
I tried to login to the AWS account, only to find password had been changed.
Database access revoked.
Even my admin account on the app had been removed. Thinking that they have been successful, they even published ads about their NEW dashboard to their customers.
I sent them a final mail with warning ending with a middle finger emoji. 24 hours later,
I created a github page with the text " This website has been seized by the government as the owner is found accused in fraud" and redirected the domain to it. Got an apology mail from them 2 hours later begging me to restore the website. i asked for an extra 10% penalty apart from the remaining payment. After i got paid, set an auto-reply of LOL to their emails and chilled for a week before restoring the domain back to normal.
Dev : 1
Shithead Client: 0
-
Best prank I did to a office must be that one I did when I was 7 years old:
> Sat at a schoolcomputer and explored stuff
> Found a lot of network printers
> Found one called "city hall front desk"
> Created a word-document with the biggest font possible
> Wrote "Dick"
> 2000 pages of the word "dick"
> Print 2000 copies
> Did the same to a kindergarten and a "rival school"
> Never got caught because I used my teacher's novell account ( the password was his name)
I miss novell
-
So a friend of Mine asked me to check their Mail server because some emails got lost. Or had a funny signature.
Mails were sent from outlook so ok let's do this.
I go create a dummy account, and send/receive a few emails. All were coming in except one and some had a link appended. The link was randomly generated and was always some kind of referral.
Ok this this let's check the Mail Server.
Nothing.
Let's check the mail header. Nothing.
Face -> wall
Fml I want to cry.
Now I want to search for a pattern and write a script which sends a bunch of mails on my laptop.
Fuck this : no WLAN and no LAN Ports available. Fine let's hotspot the phone and send a few fucking mails.
Guess what? Fucking cockmagic, no funny mails appear!
At that moment I went out and was like chainsmoking 5 cigarettes.
BAM!
It hit me! A feeling like a unicorn vomiting rainbows all over my face.
I go check their firewall. Shit redirected all email ports from within the network to another server.
Yay nobody got credentials because nobody knew it existed. Damn boy.
Hook on to the hostmachine power down the vm, start and hack yourself a root account before shit boots. Luckily I just forgot the credentials to a testvm some time ago so I know that shit. Lesson learned: fucking learn from your mistakes, might be useful sometimes!
Ok fucker what in the world are you doing.
Do some terminal magic and see that it listens on the email ports.
Holy cockriders of the galaxy.
Turns out their former it guy made a script which caught all mails from the server and injected all kind of bullshit and then sent them to real Webserver. And the reason why some mails weren't received was said guy was too dumb to implement Unicode and some mails just broke his script.
That fucker even implemented an API to pull all those bullshit refs.
I know your name "Matthias" and I know where you live and what you've done... And to fuck you back for that misery I took your accounts and since you used the same fucking password for everything I took your mail, Facebook and steam account too.
Git gut shithead! You better get a lawyer
-
Sent an email out in work informing everyone that we had pushed updates out to all Windows PC's.
Got the following phone call 10 minutes later:
"Hi, I can't log into the banking account app on my iPhone. Did you do something to it with your updates?"
"Nope. They were PC updates."
"Well, I'm sorry but you're wrong. It must be you! It was working yesterday."
"Again, it's not us. What's the error message you're getting on your app?"
"Invalid password"
".....then could it just be that you're entering an invalid password?"
"No, I know the password. I only changed it yesterday!"
"So it was working before you changed the password?"
"That's what i said!
I'm telling you, it's your updates."
"Okay but before we go 'troubleshoot' it, how about ringing your bank firs-"
"Oh look, it doesn't matter if you don't want to help, I don't have time for this!
I'll ring your boss and he'll uninstall the updates for me and fix the app." *hangs up*
-
Creating a new account is always fun...
"This Is My Secure Password" <-- Sorry, no spaces allowed.
"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number
"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character
"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed
"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed
"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters
"Fuck" <-- Sorry, passwords must be longer than 6 characters
"Fuck_it" <-- Sorry, passwords can't contain bad language
"Password_1" <-- Accepted.
-
At work
Me: I need to check something on your PC, with your account
Girl with PC: I won't give you my password
Me: I already have your password
Girl with PC: .....
-
JUST BECAUSE I SET UP THAT ACCOUNT FOR YOU DOES NOT MEAN I KNOW WHAT YOU CHANGED YOUR PASSWORD TO.
phew all better now
-
So my actual job is being a nurse at the local hospital, with coding being just a hobby. However, the way some IT–Related things are treated here are just mind-blowing. Here are some examples:
Issue: Printer is not recognized by network anymore due to not being properly plugged in
Solution: Someone has to tell the house technician, if the house technician is currently not available, ask his assistant who only works part time and like twice a week. House technician took the printer (God knows why), came back 2 days later and plugged it back in.
Issue: Printer 1 of 2 on ICU has run out of ink and since all computers default to printer 1, nobody can print.
Solution: Call the house technician, blah blah, house technician comes, takes ink cartridge of printer 2 and puts it into printer 1.
Issue: Public WiFi is broken, can be connected to but internet access is missing. Probably config issue as a result of a recent blackout.
Solution: Buy a new router, spend 5 days configuring it and complain about how hard networking is.
Issue: Computer is broken, needs to be exchanged with a new one, but how do we transfer the data?
Solution: Instead of just keeping the old hard drive, make a 182GB backup, upload it to the main file server and then download it again on the new computer.
Issue: Nurse returns from vacation, forgot the password to her network account.
Solution: Call the technician who then proceeds to open a new account, copies all the files from the old one and tells her to pick an easier password this time. She chooses "121213".
-
This should probably be labeled a meme, but I'm going to actually rant about this meme.
People use the term hacker way too frequently. Solving your trashy fucking "Pa$$w0rd123" password and getting access to your Spotify account isn't hacking.
Same douchewaffle probably thinks you could hack a Facebook account in 30 seconds. I fucking hate the way movies have portrayed hacking and created a dramatized bullshit idea for people to believe is real.
-
My last school used my SSN as the default account password.
Just to test, I used the “forgot password” functionality, and they sent me my SSN over clear text.
As a developer, I see that as 2 mortal sins 😡
-
1. Create user on website.
2. Receives mail with username and password.
3. Changes password.
4. Receives mail with new password.
5. Delete account and look for another service.
-
Okay, time to delete my old Skype account
1. Enter Skype name
2. Reset password
3. Captcha
4. Complete email
5. Enter email code
6. You are logged in now, please complete your profile first
7. Enter birth date
8. Add your phone number or second email address
9. Create new outlook mail
10. Got access to profile settings
11. Click on delete profile
12. Stop please first verify your email again
13. Enter code
14. Check all checkboxes that I am really sure to want it deleted
15. Click delete button
Fuck hell and that all again for my second account
-
- Password can't contain less than 3 chars
- Password can't contain more than 12 chars
- Password must contain only alphabetical and numerical chars
- Password must contain at least one uppercase letter
- Password can't contain a sequence of repetitive chars
- You already used this password in the past
- Password can't contain parts of passwords already used in the past
- Password can't contain your name, birthday or any other personal information
- Password can't be an anagram
- This password is too weak
"Remember that you have to update your password every 6 months".
Who the fuck has enough imagination to invent a new password that meets all these requirements every fucking 6 months?
And if so, how the fuck you can also remember it?
Fuck off… I don't really need access to my university account, right? 😡
-
Hello!
I'm a member of an international hacker group.
As you could probably have guessed, your account [cozyplanes@tuta.io] was hacked, because I sent message you from it.
Now I have access to you accounts!
For example, your password for [cozyplanes@tuta.io] is [RANDOM_ALPHABET_HERE]
Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.
We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..
But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...
Transfer $700 to our Bitcoin wallet: 13DAd45ARMJW6th1cBuY1FwB9beVSzW77R
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.
I guarantee that after that, we'll erase all your "data" :)
A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.
Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.
You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.
>> RE >>
Well f### you, thanks for telling my password which is obviously fake. I have sent your details to the local police department, shall rest in peace. Don't earn money by this kind of action. STUPID!
-
Dev : Every user in your organisation requires their own username and password...
User: Why?
Dev: Because if everyone uses one account, every note, product, message etc made by all the users will be saved to that one account and confuse the hell out of everyone using it when they can't find their 'own' information they made/captured/downloaded.
We just need the user emails.
User:We can't give you all the user emails just use one account ....
(The reason for not providing us the emails is purely cause it would require user to do work and that's out of the question)
Dev: Uhm ok, but this is not what you want, and *interrupts*
User: It is what we want, do it like that everyone will understand and it will make the system easier.
*Two weeks later*
User: Why is there only one account? Why doesn't everybody have their own account? This is not what we wanted.
... The shit you have to deal with when you are on holiday ...undefined where to hide bodies you still thing it's our fault working even when i'm not working i was right and you were wrong stil my fucking problem
-
Although this is gonna sound like bullshit, this happened to me for real. Since that moment I use even more backup services AND I regularly check EVERYTHING.
Had a backup of my important data (still used mainstream services back then) on:
- Hotmail email attachments
- Google Drive
(Both link to another email account).
- A few data backup services
- DVD
- USB
- External HDD.
I wanted to copy some backup data over again:
1. Walk to my staple of HDD's, tried to grab it, somehow missed and knocked the whole fucking pile over. HDD broken.
2. Well fuck, let's go put some of my clothes in the washing machine for clean clothes at study/monday. After this shit being in the washing machine for just a few minutes, I realized my backup USB stick was in one of my pockets, in the washing machine. FUCK. Couldn't stop it so I waited till the end, tried it and well, it wasn't working at all anymore.
Fuck my fucking life slightly right now.
3. *remembers about the backup disc*. I forgot to keep it in its case, very deep scratches and so on, unreadable. FUCKING FUCK.
4. Right, I still have those online services! *tries to login to all of them (including hotmail/gdrive) but forgot the password. Well, let's login to my backup account then (hadn't used that one in years). Account was suspended for some reason.
Started to get really anxious because every online backup service was linked to that email address.
Contacted customer support. They really couldn't restore it because of some issues they weren't allowed to tell me. Sorry but I couldn't retain access.
5. Well this is fucked up. Couldn't get into any of the backup/hotmail/gdrive accounts anymore.
I tried contacting their support but never got any replies.
This was the moment I realized I fucked up big fucking time because damn, this stuff at this level hardly happens to anyone.
FUCK.
-
Fuck the incompetent and "pretentious pseudo devs" !!
I have been developing a web portal for a student club for this really big company (as intern) and then they assign this fuckin group of these 4 stupid intern devs to work with me !
They fuckin tweaked my code and redirected the CONTACT FORM to the fuckin LOGIN CONTROLLER !!
Then these sons of Einstein inserted dummy users without a username and password into the fuckin production site !!
Now each fukin time someone submits contact form is redirected into some random user account !!
Who the fuck needs Hackers when we have these legendary coders -_-
-
*signs up for Skillshare*
> Sorry, your password is longer than our database's glory hole can handle.
> Please shorten your password cumload to only 64 characters at most, otherwise our database will be unhappy.
Motherf-...
Well, I've got a separate email address from my domain and a unique password for them. So shortening it and risking getting that account stolen by plaintext shit won't really matter, especially since I'm not adding payment details or anything.
*continues through the sign-up process for premium courses, with "no attachments, cancel anytime"*
> You need to provide a credit card to continue with our "free" premium trial.
Yeah fuck you too. I don't even have a credit card. It's quite uncommon in Europe, you know? We don't have magstripe shit that can go below 0 on ya.. well the former we still do but only for compatibility reasons. We mainly use chip technology (which leverages asymmetric cryptography, awesome!) that usually can't go much below 0 here nowadays. Debit cards, not credit cards.
Well, guess it's time to delete that account as well. So much for acquiring fucking knowledge from "experts". Guess I'll have to stick to reading wikis and doing my ducking-fu to select reliable sources, test them and acquire skills of my own. That's how I've done it for years, and that's how it's been working pretty fucking well for me. Unlike this deceptive security clusterfuck!
-
First rant, please take pity on the noob! 😐
Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫
Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...
... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.
So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.
Makes you consider the amount of control these big companies have over your life 😶
-
Our website once had its config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”
Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”
-
Set up an account at Wells Fargo today and they told me the password requirements... This is a joke right?
-
Day 1 10:00 am
Login to email account (Zimbra)
Your password is incorrect (I entered it correctly, this was a permanent issue ,used to happen in the company with many employees)
Reset your password by logging into internal company portal.
11:00 am
Logged into company portal, somehow. 2 Mbps internet shared among 104 people, you can imagine the speed.
Reset email password
* your password has been sent to your email id*
Are you fucking kidding me? U have emailed me the password to the same email I can't log in to?
Where did the architecture designer get this top notch weed from?
Day 2
Asked HR to reset my password (using a colleague's email)
Day 3
No reply from HR yet
Day 4
I went to meet HR, she's on vacation. So they have 1 person managing the password reset, for 5000 people with no backup person. Cool.
Day 5
Your internal company password has expired. Check your email for link to create new password. This is some next level shit going on.
Day 6
I called up Internal IT team to generate a new email for me.
They asked me to raise a ticket.
I can't raise a ticket because the only way to do so, is through the portal.
Day 7
Nothing. Btw, personal email and all social networks were banned. You can't even open stackoverflow.
And this was a research lab, amazing huh?
Day 8
Loss of pay for 4 days since I can't login to company portal to fill timesheet.
Day 9
HR comes back. Resets my password.
I try to generate my new password for portal.
The password policy:
Password can't be same as last 10 passwords
Passwords expire every week
8 characters minimum, 2 upper case, 2 lower case, NO SPECIAL SYMBOL. WTF. How long do u think its gonna take to crack that?
Fuckers had a company wise policy to automatically lock PC every 1 min if not used. Who the fuck can keep on using it continuously! I'm reading an article, and bam ! Locked. 2 wrong entries and that's it, repeat all steps again. Fuckers really didn't want to let me do my job, just keep on logging in all day.
-
Oh boy...
So my mom just responded to an email saying her email account would be deleted if she didn't respond to it by typing in her email address...
And the password to that email address, her SSN, and her bank account number. Now I have to fix it. For crying out loud...
-
I'm trying to sign up for insurance benefits at work.
Step 1: Trying to find the website link -- it's non-existent. I don't know where I found it, but I saved it in keepassxc so I wouldn't have to search again. Time wasted: 30 minutes.
Step 2: Trying to log in. Ostensibly, this uses my work account. It does not. Time wasted: 10 minutes.
Step 3: Creating an account. Username and Password requirements are stupid, and the page doesn't show all of them. The username must be /[A-Za-z0-9]{8,60}/. The maximum password length is VARCHAR(20), and must include upper/lower case, number, special symbol, etc. and cannot include "password", repeated characters, your username, etc. There is also a (required!) hint with /[A-Za-z0-9 ]{8,60}/ validation. Want to type a sentence? Better not use any punctuation!
I find it hilarious that both my username and password hint can be three times longer than my actual password -- and can contain the password. Such brilliant security.
My typical username is less than 8 characters. All of my typical password formats are >25 characters. Trying to figure out memorable credentials and figuring out the hidden complexity/validation requirements for all of these and the hint... Time wasted: 30 minutes.
Step 4: Post-login. The website, post-login, does not work in firefox. I assumed it was one of my many ad/tracker/header/etc. blockers, and systematically disabled every one of them. After enabling ad and tracker networks, more and more of the site loaded, but it always failed. After disabling bloody everything, the site still refused to work. Why? It was fetching deeply-nested markup, plus styling and javascript, encoded in xml, via api. And that xml wasn't valid xml (missing root element). The failure wasn't due to blocking a vitally-important ad or tracker (as apparently they're all vital and the site chain-loads them off one another before loading content), it's due to shoddy development and lack of testing. Matches the rest of the site perfectly. Anyway, I eventually managed to get the site to load in Safari, of all browsers, on a different computer. Time wasted: 40 minutes.
Step 5: Contact info. After getting the site to work, I clicked the [Enroll] button. "Please allow about 10 minutes to enroll," it says. I'm up to an hour and 50 minutes by now. The first thing it asks for is contact info, such as email, phone, address, etc. It gives me a warning next to phone, saying I'm not set up for notifications yet. I think that's great. I select "change" next to the email, and try to give it my work email. There are two "preferred" radio buttons, one next to "Work email," one next to "Personal email" -- but there is only one textbox. Fine, I select the "Work" preferred button, sign up for a faux-personal tutanota email for work, and type it in. The site complains that I selected "Work" but only entered a personal email. Seriously serious. Out of curiosity, I select the "change" next to the phone number, and see that it gives me four options (home, work, cell, personal?), but only one set of inputs -- next to personal. Yep. That's amazing. Time spent: 10 minutes.
Step 6: Ranting. I started going through the benefits, realized it would take an hour+ to add dependents, research the various options, pick which benefits I want, etc. I'm already up to two hours by now, so instead I decided to stop and rant about how ridiculous this entire thing is. While typing this up, the site (unsurprisingly) automatically logged me out. Fine, I'll just log in again... and get an error saying my credentials are invalid. Okay... I very carefully type them in again. error: invalid credentials. sajfkasdjf.
Step 7 is going to be: Try to figure out how to log in again. Ugh.
"Please allow about 10 minutes" it said. Where's that facepalm emoji?
But like, seriously. How does someone even build a website THIS bad?
Tags: rant, pages seriously load in 10+ seconds, slower than wordpress too, do i want insurance this badly?, 10 trackers, 4 ad networks, elbonian devs, website probably cost $1million or more too, root gets insurance, stop reading my tags and read the rant, more bugs than you can shake a stick at, the 54 steps to insanity, more bugs than master of orion 3
-
My insurance company sending me the payment slip by post with my username and password to the online account for easy access. How sweet of them. 10/10 customer satisfaction.
I see your "Storing passwords in plain text". I raise you to "sending passwords via post in plain text".
-
Created webmoney account with password length of 81 characters
Tried to login to my account
Password length cannot be more than 60 characters
Now I have to reset my password to be able to access it
-
One:
Had a stack of harddrives with my important data, two USB drives and a 4.7gb disc, two or three cloud storage accounts.
Needed a restore:
Knocked the stack of hard drives onto the floor (all broken), stood on one of the flash drives, found the other one in a pocket of a pair of trousers which just came out of the washing machine, dvd too scratched to read and couldn't verify my cloud storage account because I lost the password to the connected email account and the backup email account to verify that one didn't exist anymore. Fucking hell.
Two:
Production database with not that much yet but at least some production data which wasn't backed up.
Friend: can I reboot the db machine?
Me: yup!
Friend: what's the luks crypt password?
Me: 😯😐😓😫😲😧😭
End of story 😅
For the record, the first one actually happened (I literally cried afterwards) and that taught me to update my recovery email addresses more often!
-
Colleagues sharing passwords. That was a big fat NO when I was a sysadmin - and for a good reason. But now, since I'm closer to development, it feels like no one really cares about the passwords. If I tell my colleague I'll take 10 minutes more because I can't log in, he OFFERS me his credentials. And sends them over saying "in case you need it". [the next day the same colleague was complaining his account is locked out. Oh, wonders! How on Earth...!]
But seriously, password sharing is a serious problem. I would fire the person on the spot if I caught him sharing his credentials! This is the 8th deadly sin! IDC if they are for non-prod. Most people reuse their passwords in multiple systems, and even non-prod envs can bring the prod down! Or worse - install a trojan.
-
This one isn't as interesting.
I was probably 6 years old when I first used a computer. A commercial played on the TV about an online game called Fantage.
I wanted to play, so I begged my mom if I could use her Dell Inspiron 5100. After hours of begging, she finally said yes.
I'd never touched a computer before, so when my mom typed her password and left me alone I was confused.
I didn't know how to get to the game so I stared at the screen until my mom returned. She was annoyed and said to go on the internet and I stared at her. She was about to yell, but restrained herself from doing so, and clicked on IE before typing in the game.
She made me an account and then left.
I figured out how to use the trackpad and keyboard so I was really excited. Then there was a pop up box that said something like, "click OK if you promise not to give anyone your personal information."
As the stupid kid I was, I thought I was going to give her a virus if I clicked OK, so I stared at the screen until my mom said computer time was over.
I never got to play Fantage.
-
TL;DR: Fuck you Apple.
10:30 PM, parent needs iPhone update to update Messenger. How hard can this be?
Need to update iPhone from 9.x to latest, which is so outdated it still required iTunes. Fk.
Boot iTunes on Windows 10 pc that is at least 10 years old.
Completely unresponsive
Crash in task manager
Launch and is completely unresponsive. (Also starts playing unrequested music.. Oh joy..)
Fuck this, go to apple.com to download iTunes exe
Gives me some Microsoft store link. Fuck that shit, just give me the executable
Google “iTunes download”. click around on shitty Apple website. Success.
Control panel. Uninstall iTunes. (Takes forever, but it works)
Restart required (of fucking course).
2 eternities later. Run iTunes exe. Restart required. Fk.
Only 1 eternity later. Run iTunes, connect iPhone.
Actually detects the device. (holy shit, a miracle)
Starts syncing an empty library to the phone. Ya, fuck that.
Google. Disable option. Connect phone. Find option to update.
Update started. Going nowhere fast. Time for a walk at 1:00 AM punching the air.
Come back. Generic error message: Update failed (-1). Phone is stuck installing update. (O shit)
1x hard reset
2x hard reset
Google. Find Apple forum with exact question. Absolutely useless replies. (I expected no less)
Google recovery mode. Get into recovery mode.
Receive message: “You can update, but if it fails, you will have to reset to factory settings”. Fuck it, here we go.
Update runs (faster this time). Fails again. Same bullshit error message. (Goddammit, fuck. This might actually be bad.)
Disconnect phone.
… It boots latest iOS version. (holy shit, there is a god)
Immediately kill iTunes. Fuck that shit.
Parents share Apple account
Sign in, 2FA required.
Fat finger the code.
Restart “welcome” process.
Will not send code. What. The. Fuck.
Requests access code on other parent’s iPhone.
No code present. What???
Try restarting welcome process again. No dice. (Of course)
Set code on other parent’s iPhone.
Get message “Code is easy to guess”. Ya. IDGAF
Use code on newly updated iPhone. Some success.
Requires reset of password.
Password cannot be the same as old password (Goddammit)
Change password.
Welcome process done.
Sign in again on same phone after welcome process done in settings. (Nice.)
Sign in again on other phone with updated password
Update Messenger.
Update hangs. Needs more space.
Delete shit.
Update frozen in App Store (Really??)
Restart iPhone.
Update Messenger.
Update complete past 2. Well that was easy.
Apple, fuck you.
Some call Android unintuitive, but I look at the settings app on iPhone and realize you aren’t any better.
This company hasn’t been innovative since 2007. Over 1000 USD for a phone? Are you fucking kidding me?
Updating an iPhone from iOS 9.x is probably uncommon anymore. But this is a fucking joke. Fix your shit.
Shit like this is why I’ll never again own an Apple product. I have HAD IT with the joke of a business.
Thanks for reading.
-
It was around 1997~1998, I was in middle school. It was a technical course, so we had programming language classes, IT etc.
The IT guy of our computer lab had been replaced and the new one had completely blocked access on the computers. We had to do everything on floppy disks, because he didn't trust us to use the local hard disk. Our class asked him to remove some of the restrictions, but he just ignored us. Nobody liked that guy. Not us, not the teachers, not the trainees at the lab.
One day a friend and I arrived a little bit early at the school. We went to the lab and another friend who was a trainee at the lab (and who is registered here, on devRant) let us inside. We had already memorized all the commands. We crawled through the dark lab to the server. We put in an MS-DOS 5.3 boot disk with a program to open NTFS partitions and, without turning on the computer monitor, we booted the server.
At that time, Windows stored all passwords in an encrypted file. We knew the exact path and copied the file onto the floppy disk.
To avoid any problems with the floppy disk, we asked the director of the school to let us out just to get a homework assignment we theoretically forgot at our friend's house, which was on the same block as the school. We were not lying at all. He really lived there and he had the best computer of us all.
The decrypt program stayed running for one week until it found the password we wanted: the root.
We came back to the lab during class. Logged in with the root account. We just created another account with a generic name but the same privileges as root. First, we looked for any hidden backups on the network and deleted them. Second, we were lucky: all the computers of the school were on the same network. If you were the admin, you could connect anywhere. So we connected to a "finance" computer that really was the finances, and we could get lists of all the students with debits, who had any discount etc. We copied it for ourselves in case we were discovered and had to use anything to bargain.
Now the fun part: we removed the privileges of all accounts that were higher than the trainee accounts. They had no access to hard disks anymore. They had just the students privileges now.
After that, we changed the root password. Not even we knew it. And last, but not least, we changed the students' login, giving them trainee privileges.
We just deleted our account with root powers, logged in as student and pretended everything was normal.
End of class, we went home. Next day, the lab was closed. The entire school (that was school, mid school and college at the same place) was frozen. Classes were normal, but nothing more worked. Library, finances, labs, nothing. They had no access anymore.
We celebrated as if it were New Year's Eve. One of our teachers came to us saying congratulations, as he knew it had been us. We answered with an "I don't know what you are talking about". He laughed and went to his class.
We really have fun remembering this "adventure". :)
PS: the admin formatted all the servers to fix the mess. They had plenty of servers.
-
+++ Thank you for 1000+'s! +++
So guys we did it! We've reached our first big milestone!
This account was created about a month ago, and we are already this far!
Thanks to all authors (@DLMousey, @filthyranter, @baewulff) who are putting a lot of work and time into their articles and help this account to further grow in size!
To make this article at least a bit informative, here's how we publish our posts:
When I started this account, I hadn't thought of how articles were going to be published. Should I give the password to all writers? Should I post the articles manually?
Well, after I've started the devNews Discord Server, @olback suggested making a Discord Bot, that helps us to publish our stuff.
After surprisingly few hours, @olback already got a prototype working.
We have a special channel and whoever writes stuff in it updates the current article. Later, I took on the work @olback had done and switched to LowDB, to be able to let multiple users have their own articles they are working on and much more. (Like special signatures)
And that's how it is now.
We have a channel for drafts, where we write our stuff, and a channel for publishing, where the bot listens to what we write and then publishes the articles with a command.
That's all of it.
Thank you for reading!
-
***JUST BECAUSE SECURITY***
My father deleted the email with the credentials for our ISP (PPPoE: username and password), and I need them to connect a router.
Just called the technical service, after a couple of minutes they gave them to me.
They sent me both username and password.
In clear.
Asking me where to send them (which mail).
I DIDN'T EVEN KNOW WHAT THE CREDENTIAL I NEEDED IS CALLED.
Obviously, I just had to say the accountholder of the bill.
Now I am super scared, I can virtually access any account.
-
Yesterday my father called me and asked if I'd have a look at his website to exchange his logo with a new one and make some string changes in the backend. Well, of course I did and hell am I glad I did it.
He had that page made a few years ago by some cousin of a friend who "is really good with computers", it's a small web shop for car parts and, as usual, customer accounts. Customer accounts with payment infos.
Now I've seen a lot of bad practices when it comes to handling passwords and I've surely done a few questionable things myself but this idiot took the cake. When a new account was registered his PHP script would read the login page, look for a specific comment and add a string "'account; password'," below it into a JS array. In clear text. On the website. One doesn't even have to breach the db, it's just there, F12 and you got all the logins.
Seriously, we really need a licensing system for devs, those were two or three years this shit was live, 53 accounts... Now I've gotta decipher this entire bowl of spaghetti just to see if he has done any more unspeakable things.
-
I used PHPMailer to send emails to a client's website user. SMTP host is smtp.gmail.com.
The web was hosted on Bluehost. I found out that the mailer was not working. I enabled verbose output and to my surprise I found out that Bluehost was intercepting my mail and responding with
220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail
when I was explicitly using smtp.gmail.com. Not only were they intercepting, but they were also trying my credentials against their own SMTP server and then showing me that authentication failed.
When I contacted chat they asked me to tell them the last 4 characters of my Bluehost account password to verify ownership.
Dude, do they have passwords in plaintext? 🤔
-
If someone wants to violate my Facebook account he needs my password, the key I receive in my phone, and to know all the faces in my friendlist.
If someone wants to violate my bank account and spend all my money, he needs my password.
-
Recovering a legacy Gmail account after receiving a notice of a blocked login.
*Tries to remember the bloody password*
*Actually remembers it*
> Sorry your password isn't enough. Your father's phone number that you used a decade ago can be used for verification though!
Google, let's get this straight. Things have changed. I know the fucking phone number and yes I can enter it, and out of sheer stupidity I did send an authentication code his way. Unfortunately however, things have changed in 10 years. I can instantly kill the fucker on the spot if I were to meet him ever again. Do you think that I'm going to get that fucking code?!
> Oh but you can try to email the code to the very account that you're trying to recover, despite the fact that you know the password for it.
TO THE FUCKING SAME ACCOUNT THAT I'M RECOVERING.
Must've taken a true genius to code that in!!!
-
The concept of "hacking" at my school is so disgustingly bloated, as it probably is everywhere else. Some kid the other day said that he had hacked cookie clicker. Friggin cookie clicker. After opening inspect element and changing some local data to get infinite cookies. And he was hacking.
I swear, if I EVER told any of these idiots about some hacking project I did with an Arduino, they would start asking me how much money I made off with in the heist.
There is one kid in particular that annoys me, his name is Matthew, and he is the most pompous little piece of crap you have ever met. Every time they talk about him, they use the word, "hack" casually in conversation. "Wow dude he's gonna HACK you now", and it really boils my gears. I mean, come on, our school password is a birthday and initials, if he got into your account, he certainly didn't do it by hacking anyone. It has gotten to the point that I can't even hear the word without wanting to lash out at them and tell them how stupid they are. Maybe I can just send them a link to this rant.
-
M - Me
F - Family member
F: So you study computer science... Could you recover my Gmail login data? I don't remember my email address, password or security question. (7th request to me like that from the same person, they don't bother to write down the recovered pw)
M: I can't do it if I don't know any of the above
F: Wow, I thought you're a good student... Could you at least create a new account for me?
M: But you won't even remember the new... [gets interrupted]
F: So, are you going to talk trash or get to work? You would have already been 50% done
PLEASE I'M SO TIRED OF IT. HOW DO I DEAL WITH THESE OTHER THAN TELLING THEM WHAT I THINK ABOUT THEM. I SEEK HELP
-
Registered for a job application website and on profile page I see my password in clear type! ...
Time to change password to an easy one and remove profile as fast as possible...
Story goes on: changed password which included a special char successfully.
Tried to remove the account but was told password has invalid chars.
Logged off to see if the password still works. Can't login anymore...
Instant rant mail to admin.
-
Today Comcast told me my account password over the phone... Fucking Comcast stores passwords in plaintext.
-
A friend (also a colleague) of mine had hacked the password of his manager's Netflix account 😆
Well, can't call it as "hacking" in 2018 when you can sneak into an idle laptop and view stored passwords in Chrome.
Now this Netflix account works as a "charitable trust" and more than 30 people are aware of the password 😆
-
How it is to be a dev in my country?
A bit of an odd question this week.
For me (in the USA), it's being technical support for *every* website my family uses.
Over the weekend my wife visited her aunt and I get a call.
Wife: "How do I create an ebay account?"
Me: "I don't like where this is going. We already have an account."
Wife: "Not for me, dummy, Aunt T. She found some books she wants to buy on ebay."
Me: "You go thru the process to create an account? Email, name, password, etc."
Wife: "We tried that, but it's not working."
<few seconds of silence>
Me: "Oookaaay...why isn't it working? Is there an error?"
Wife: "I don't know, we already clicked off of it. Something about the email."
<few more seconds of silence>
Me: "Can you reproduce the error and tell me?"
Wife: "Uggh..are you serious? We've done it like 10 times, it's not working. Just tell me what I need to do."
Me: "If you can't tell me the error, I can't help you. I'm not there and can't see what you see."
Wife: "Stop being an asshole."
<Aunt T takes the phone>
T: "Said something about using another email address. Does that help you?"
Me: "Are you sure you don't already have a ebay account?"
T: "No, I don't think so. I hate ebay. but I really want these books. I don't want the same problems as last time."
Me: "Last time?"
T: "Yes, I bought a coffee cup on ebay from China and it never arrived."
Me: "OK, so you do have an account?"
T: "I don't know, I mean, I never got the cup."
Me: "What email address did you use? I'll send a 'remind me' email so you can reset the password and login"
<go thru the motions, she is able to login>
T: "Ahhh...I do have an account! There are the golf balls I bought for <husband> for Christmas."
<face smack>
Wife: "Why didn't you do this from the start? I thought you knew a lot about computers. We basically figured this out ourselves. Goodbye!"
<click>
-
There was a time I made an update on one of our client's e-commerce website sign-up page. The update caused a bug that allowed new users to create an account without actually creating an account.
The code block meant to save user credentials (i.e. email address and password) to the database was commented out for some reason I still can't remember to this day. After registration new users had their session created just as normal but in reality they had no recorded account on the platform. This shit went on like this for a whole week affecting over 350 new customers before the devil sent me a DM.
I got a call from my boss on that weekend that some users who had made purchases recently can't access their account from a different device and cannot also update their password. Nobody likes duty calls on a weekend, I grudgingly and sluggishly opened up my PC to create a quick fix but when I saw what the problem was I shut down my PC immediately, I ran into the shower like I was being chased by a ghost, I kept screaming "what tha fuck! what tha fuck!!" cus I knew hell was about to break loose.
At that moment everything seemed off as if I could feel everything, I felt the water dripping down my spine, I could hear the tiniest of sound. I thought about the 350 new customers the client just lost, I imagined the raving anger on the face of my boss, I thought about how dumb my colleagues would think I was for such a stupid long running bug.
I wandered through all possible solutions that could save me from this embarrassment.
-- "If this shitty client would have just allowed us to verify users' emails before usage things wouldn't have gotten to this extent"
-- "Should I call the customers to get their email address using their provided telephone?... No they'd think I'm a scammer"
-- "Should I tell my boss the database was hacked? Pffft hack my a**",
-- "Should I create a page for the affected users to re-verify their email address and password? No, some sessions may have expired"
-- "Or maybe this is the best time to quit this f*ckn job!"
... Different thoughts from all four corners of the bathroom made it a really long bath. Finally, I decided it was best I told my boss what had happened. So I fixed the code, called my boss the next day and explained the situation on ground to him and yes he was furious. "What a silly mistake..!" he raged and raged. "See me in my office by Monday."
That night felt longer than usual, I couldn't sleep properly. I felt pity for the client and I blamed it all on myself... yeah the "silly mistake", I could have been more careful.
Monday came, boss wasn't at the office; Tuesday, Wednesday, Thursday, Friday, not available. Next week he was around and when we both met the discussion was about a different project. I tried briefing him about last week's incident; he seemed not to recall and demanded we focus on the current project.
However, over three hundred and fifty customers swept under the carpet courtesy of me. I still feel the guilt of that f*ck up to this day.
-
My parents are real sticklers for who is allowed to be on Netflix. They only let people on when they are present, and they never click 'save password'.
Me being a poor college student and desperate for the Netflix password, created a fake website for one of my parents to sign into.
How did I do this? I created my own localhost server with a backend database for the password to go to. I then copied the Netflix home screen and log in and asked them to log me into their account.
They said I can be on for one hour, and then they were signing me out.
I agreed to these terms.
As a small twist, I had also copied the no internet tab from Chrome for the page to redirect to. Knowing that once they logged in they would be expecting the main UI.
They logged in and then waited for the page to load. I, of course, put in a delay for the page to load and then displayed the no internet tab. They were confused and asked me to refresh, still nothing. I asked them if the router was out, and they went to check.
While they were away I quickly switched back to the real Netflix website and yelled back saying I got it working again. They came back over and saw that it was asking for a password again. They signed in and saw the main homepage and none were the wiser that day.
Once they left I checked inside the DB and found the plaintext password they typed in... The damn password was so simple, I cursed myself for not having figured it out sooner. No matter, I had my parents' Netflix password.
So you're probably wondering how they didn't see the URL above and think something was off?
I pressed F11 and fullscreened my entire browser. They did ask, and I simply replied with, I don't like seeing all the crap up above when I'm streaming. No further questions, perhaps I was lucky.
-
"Whenever a user creates their account, they get an email with their password. We also get a copy of said email which makes it easy to troubleshoot any issues when they ring us." -- I was so tempted to hand in my resignation on the spot...
-
Shitty call
Me: what do you want?
Q: I Lost my iphone
Me: (already pissed) ok,do you have an icloud account?
Q: Yes, but i forgot the password.
Me: what!?!, ok, fine, we will reset it, which is your ID?
Q: I lost it too.
*stay calm* *stay calm*
Me: I can't help you go to an apple store and ask there. *I Close the call*
*Add that number to blacklist*
-
Switched banks, got new e-banking, unable to set up a new password.
It contains invalid characters.
IT'S A FUCKING BANK ACCOUNT I SHOULD BE ABLE TO USE HASHTAGS OR EVEN HAVE FUCKING SPACES IN IT IF I FEEL LIKE IT.
-
Sending a confirmation email to a newly created account with both the user name and password in the mail body.
See here for a list:
http://plaintextoffenders.com
-
Sometimes I wonder how compromised my parents' online security would be without my intervention.
My mom logged into her gmail and there was a red bar on top informing about Google preventing an attempted login from an unknown device.
Like typical parents / old people, that red bar didn't catch her attention but I noticed it immediately. I took over and looked into it. It showed an IP address and a location that was quite odd.
I went ahead with the Account security review and I was shocked to find that she had set her work email address as the recovery email!!
I explained to her that work email accounts cannot be trusted and the IT department of the workplace can easily snoop emails and other info on that email address, and that it should not be related to personal accounts.
After fixing that issue, me being a typical skeptic and curious guy, I decided to find more info about that IP address.
I looked up the IP address on a lookup website and it showed an ISP that was related to the corporate office of her workplace. I noticed the location Google reported also matched with the corporate office location of her work.
Prior to this event, a few days ago, I had made her change her gmail account password to a more secure one. ( Her previous password was her name followed by birth date!! ). This must have sent a notification to the recovery mail address.
All these events are connected. It is very obvious that someone at corporate office goes through employees' email addresses and maybe even abuses that information.
My initial skepticism of someone snooping through work email addresses was right.
You're welcome mom!
-
A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.
Well ... at least I thought so ...
Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...
There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.
Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.
And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...
Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...
Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...
Is it just me feeling like this about crappy UI/UX design? Always wondering...2 -
I started when I was 12 years old. I got bullied and got interested in computers. One day I crashed my dad's computer and he reinstalled it. After that my dad made two accounts. The regular user (my account) and the Administrator user (my dad's account). He also changed the language from Dutch to English. Gladly I could still use the computer by looking at the icons :')
Every time I needed something installed I had to ask my dad first (for games mostly because there was no cable internet at that time). Then I noticed the other user account while looking over my dad's shoulders. So I tried to guess the password and found out the password was the same as the label next to the password field "password".
At that point my interest in hacking had grown. So when we finally got cable internet and my own computer (the old one) MSN Messenger came around. I installed lots of stuff like flooders etc. Nobody I knew could do this and people always said; he is a hacker. Although it is not.
I learned about IP-address because we sometimes had trouble with the internet. So when my dad wasn't home he said to me. Click on this (command prompt) and type in; ipconfig /all. If you don't see an IP-address you should type in; ipconfig /renew.
That's when I learned that every computer has a unique address and I started fooling around with hacking tools I found on the internet (like; Subseven).
When I got older I had a new friend and fooled around with the hacking tools on his computer. Until one day I went by my friend and he said; my neighbor just bought my old computer. The best part was that he didn't reinstall it. So we asked him to give us the "weird code on the website" his IP-Address and Subseven connected. It was awesome :'). (Windows firewall was not around back then and routers weren't as popular or needed)
At home I started looking up more hacking stuff and found a guide. I still remember it was a white page with only black letters like a text file. It said something like; To be a hacker you first need to understand programming. The website recommended Visual Basic 6 for beginners. I asked my parents to buy me a book about it and I started reading in the holiday.
It was hard for me but I really wanted to hack MSN accounts. When I got older I just played around and copy -> pasted code. I made my own MSN flooders and I noticed hacking isn't easy.
I kept programming and learned and learned. When I was 16/17 I started an education in programming. We learned C# and OOP (although I hated OOP at first). I built my own hacking tool like "Subseven" and that's when I understood you need a "server" and "client" for a successful connection.
I quit the hacking because it was getting too difficult and after another education I'm now a full-time back-end developer in C#.
That's my story in short :)3 -
!dev
GOD FUCKING DAMMIT
My Mother was intelligent enough to get her phone stolen and screams at me over the phone of my brother why I can't do more than telling her the last known location
BECAUSE THEY SHUT IT DOWN
I CAN'T DO SHIT WITHOUT THE PHONE HAVING AN INTERNET CONNECTION
But what if they go through my files go into my bank account
THEY CAN'T BECAUSE YOU HAVE A PASSWORD ON IT
but they could crack it or something
NO THEY CAN'T WITHOUT TRYING FOR MONTHS OR YEARS OF POSSIBLE COMBINATIONS
but
NO BUT JUST FUCKING CALM DOWN IF THEY AREN'T THAT BAD THEN THEY WILL CALL ME IF THEY ARE ASSHOLES THEY NEED AT LEAST MAKE A FACTORY RESET AND DELETE ALL YOUR FILES
I CAN'T DO MORE THAN THIS SO FUCKING SHUT UP AND DON'T LEAVE YOUR PHONE AT A FUCKING WAITING ROOM AND DON'T BELIEVE EVERYTHING ON THE FUCKING INTERNET ESPECIALLY FACEBOOK
Thanks, now I can't concentrate anymore........5 -
So my boss booked me a spot at a conference about "the future of online payments" and I received an email with auto created account (there was no sign up) with a clear text password.
I'm feeling pretty confident that I can trust them to guide and advise me on best practices when it comes to handling sensitive information.8 -
This is what happens to overworked PMs.
Me: When users create accounts with social logins, they don’t have passwords in our database. If they try to enter an email and pw on the login form, what do you want the error message to say?
PM: Can we add a modal that says “Your account doesn’t have a password, set one now.” And have a password field?
Me: ☠️ That…would…allow…anyone…to…hijack…an…account…
PM: Right. Never mind.12 -
Recently, one of our passwords was accidentally published on a public page for a few minutes before it was noticed and removed. Unfortunately, this password opens nearly every locked account so it's a pretty big deal.
Management was informed of this mistake and told that we should change the passwords as well as implement a few other protocols to make sure this doesn't happen again including things like unique passwords, more secure passwords, using a password manager, etc.
Their response? It wasn't online long, probably no one saw it. There will be no changes in how we handle ours or our clients' secure passwords.6 -
I just had to print out some bills for a colleague.
Nothing too bad you say?
Well.. She doesn't seem to care about security or privacy at all.
I opened the website of her email provider at my computer and moved away from the keyboard, so she could log in.
But instead she told me her email and password... In an office with some other colleagues... Multiple times and wrote it onto a piece of paper that she later left on my table.
After that I should look through her inbox to find the bills.
(Yup, I know a lot more about her now)
After finding and printing out her bills, she just thanked me and walked out of the office, because hey, why should I log out of her account?
It's nice that she trusts me... But that was a bit too much...4 -
Just received a mail from my college that my college's student account password does not contain any special characters and I should change it immediately. Wtf? How did they know that?14
-
WHAT THE ACTUAL FUCKING FUCK MICROSOFT?!!
I go to log into my laptop:
me: *enter the pin*
Windows: Error
me: Ok let's try the password...
Win: WRONG PASSWORD!
me: *checking my password manager* Nope, pretty sure that's correct... Ok, whatever let's try to reset it.
me: *generates new password and resets the password for the account*
Windows: You can now log in
me: *enters the new password*
Windows: WRONG PASSWORD!
me: that's weird... let's try that again
Windows: WRONG PASSWORD!
me: Ok... reset once more *I enter the same password I generated before*
Windows: ThAt Is An OlD pAsSwOrD
me: *getting really pissed* FINE, GODDAMIT, HERE, NEW PASSWORD
Windows: You can now log in
me: *enters the new new password*
Windows: wRoNg PaSsWoRd!
jdjsjcjj+3+@!o(€;#@!(&(1!!#((#(€_"jsjeucjcjfdjosdifhshabxnfnxjsosoguwqlqqlall#7@+1(
aaaaaáaaaaaaaaaaaaaaaaaaaaaaaaaa
FUCK FUCK FUCK FUCK FUCK FUCK FUCK
YOU FUCKING INCOMPETENT CUNTS AT MICROSOFT!!!!!1!!!!!!!
I'M GONNA FUCKING TEAR YOU INTO THOUSAND PIECES AND THEN RUN YOU THROUGH A SHREDDER!!
YOU MOTHERFUCKING IDIOTIC CUNTS
FREAKING DEGENERATES22 -
My university has impeccable data management. I needed to ssh into their Linux server for an assignment but it refused to accept my login. Which was weird because I could login to the same account on one of our websites just fine. I typed my password into a text file and then copy and pasted it into both logins. The Linux one failed but the website succeeded. After some experimentation it turns out that the Linux server only recognized my username if I typed it in all lowercase, even though when I created the account it had uppercase characters as well.
So let me walk you through the sloppiness that had to have occurred for this to happen. When I first created the account it must have ignored what I entered and just saved the username in all lowercase without communicating that to me. Then the websites that use this account must either ignore case for usernames or lowercase the user input before querying the database. Finally, the Linux server, despite knowing that all the usernames are lowercase, is case sensitive and won't recognize the username as I originally typed it in.
Can you guess what department manages the account, website and Linux server? The Department of Computer and Information Science. Incredible.2 -
The cleaning lady saga continues yet again..
Here in Belgium, cleaning ladies are paid with cheques. All fine and dandy, and apparently the parent organization (Sodexo) even migrated to digital cheques. Amazing!!!
If only they did it properly.
Just now I received an email with my login data.
Login: ${FIRSTNAME}${FIRST2CHARSOFLASTNAME}
Password: I won't reveal the amount of characters.. but it's not even hex. It's just uppercase letters, and far from what I'd deem even remotely secure. Hopefully I'll be able to change that shitty password shortly, and not get it mailed back, even when I ask for recovery. Guess I'll have to check that later - the person who made that account was pretty incompetent when it comes to tech after all. Don't ask me why they did it instead of me. I honestly don't really know either.
With that said, this is a government organization after all... Can I really expect them to hash their passwords?24 -
Client: I can't login with my lastpass
Me: Oh, why not, how are you trying?
Client: So, I've entered my lastpass password into my bank account, and it says 'wrong login credentials'
Me: °-°17 -
not really a rant, but i am intrigued...
got an email that my rockstar account (gta) email was changed.
changed the email and password and noticed that all the details were changed (nickname, date of birth etc) and the guy even posted on support asking to remove steam link (probably could not login). But rockstar requires a screenshot of user logged in to steam (as if that is hard to fabricate...), so he gave up :D
i'm not even mad, i'm wondering what's the guy's story. Probly bought a stolen account for cheap, hoping to play :(
Maybe i should just let him play the game, since i'm not... -
*Sigh
Every single one of us here loathe this question "Hey can you hack a Facebook account for me?"
Even worse when the one asking is your mom.
😶😶😶
(Backstory, she and her friend run a store. Shit happened between them. The friend is the one who set up the store's Facebook page. Now posting shit on that page. She's not tech savvy. I can probably brute force her password. No 2FA)
Dilemma. Dilemma.8 -
Can people just fucking stop using "hacked" as a synonym for "my password has been found out"? Even devs do this shit! Devs should know better about what a "hacked" account is.14
-
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
It wasn't.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort of malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin privileges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST privileges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.2 -
It's been 1 month and still no reply from my university IT department after i informed them the login was transmitting usernames and passwords unencrypted over http and that the password field was case-insensitive for some fucking reason.
Might have to break out the sniffer and setup a script to automatically email them different students account details until they fix it, i should cc the dean 😂8 -
Me: Dad, what are you doing with my facebook account
Dad: Just seeing your news feed son
Me: you don't know my password
Dad: Yes...you just logged in one of my phishing pages.
Me: But when did you learn these things?...you don't even know how to send a mail
Dad: Go, drink some gelusil son3 -
Amazon: you're logged into 53 devices.
Me: ooooh Kay, since when do I have that many devices. let's sign out of em all and change the password for some peace of mind.
Spongebob: * a few hours past *
Spam email: someone in the US has logged into your account - click here to verify through some random URL that doesn't even contain "Amazon" in it 🥳
-
I suddenly have that feeling Amazon sells your account setting changes and not just your personal details.3 -
My girlfriend configuring her e-mail account in the app because her phone had to be reset to factory :
-I can't figure out how to do these setting, annoying...
-Oh yeah the imap and smtp servers can be tricky, let me put that
(I Google the settings for her mail provider and put them in)
-It still doesn't work.
-Uuuh, maybe with another security setting, try it.
-This shit still doesn't work, seriously my phone is broken.
-Have you verified the e-mail address and carefully typed the password?
-Yes of course, I've tried it several times
(I take the phone and check all the parameters... During a looooong time... Until it hits me.)
-Hmm... Can you read the e-mail you've entered?
-Yeah, it's my mail, blabla@hotmail.com.
-No can you read it again please?
-It's blabla, why?
-No, can you *spell* your e-mail?
-Yeah it's B-L-A-B-L-A-@-H-O-M-A... Ow shit...
- ¯\_(ツ)_/¯ -
CAN YOU PLEASE UPDATE TO 2018!!!
My bank just sent me a message, that they have a new service where you can send a private message to your banker.
I needed to transfer money, and didn't have my cheque book on me, so I sent him a message to please transfer XX dollars to account YY.
His response?
Please send us a fax.
A FAX?? ARE YOU SERIOUS??
And that is supposed to be more secure than a private message from your website, after you force me to change my password every 90 days with crazy requirements that only satisfy hackers???
I told my friend that he will get his money when the bank updates the century they live in ...13 -
I was never really fond of 2FA, mostly due to the pain in the ass it creates if you lose or can’t access the 2nd device or jumping between GAuth to access Password Manager to access a password to use a login 😱.
But when your phone prompts up with a “allow some Asian, access to your iCloud account” you feel a world of relief that you have:
1) a notification your account is no longer secure,
And,
2) an immediate ability to change passwords before any access is granted.
Now it’s 1 more password I no longer know due to it being a scrambled mess of characters.
PS: Fuck you, you low life shithead!9 -
When I was 14 or so, we had access to some computers during break. I went through each and every one of them, rebooted into Safe Mode (yeah, Windows), logged in as admin with no password, and gave admin powers to my account (each student had one, at least). Then, installed a keylogger and one of those "trojaans" that let me remote terminal, keyboard and mouse control to all the PCs (I had tried telnet server, but this was soo much easier).
Then came the fun.
"Why does the start menu keep opening by itself?"
"Why is the CD tray opening and closing on its own?"
Etc.
Then I found out social media passwords like (translated from spanish) "bigdicks". Never used them, because I considered myself one of the gray hatted. I did it just for the fun.2 -
So I have seen this quite a few times now and posted the text below already, but I'd like to shed some light on this:
If you hit up your dev tools and check the network tab, you might see some repeated API calls. Those calls include a GET parameter named "token". The request looks something like this: "https://domain.tld/api/somecall/..."
You can think of this token as a temporary password, or a key that holds information about your user and other information in the backend. If one would steal a token that belongs to another user, you would have control over his account. Now many complained that this key is visible in the URL and not "encrypted". I'll try to explain why this is, well "wrong" or doesn't impose a bigger security risk than normal:
There is no such thing as an "unencrypted query", well besides really transmitting encrypted data. These fields are being protected by the transport layer (HTTPS) or not (HTTP) and while it might not be common to transmit these fields in a GET query parameter, it's standard to send those tokens as cookies, which are as exposed as query parameters. Hit up some random site. The chance that you'll see a PHP session id being transmitted as a cookie is high. Cookies are as exposed as any HTTP GET or POST Form data and can be viewed as easily. Look for a "details" or "http header" section in your dev tools.
Stolen tokens can be used to "log in" into the website, although it might be made harder by only allowing one IP per token or similar. However the use of such a token is absolutely standard and nothing special devRant does. Every site that offers you a "keep me logged in" or "remember me" option uses something like this, one way or the other. Because a token could have been stolen you sometimes need to additionally enter your current password when doing something security risky, like changing your password. In that case your password is being used as a second factor. The idea is, that an attacker could have stolen your token, but still doesn't know your password. It's not enough to grab a token, you need that second (or maybe third) factor. As an example - that's how GitHub's "sudo" mode works. You have got your token, that grants you more permissions than a non-logged in user has, but to do the critical stuff you need an additional token that's only valid for that session, because asking for your password before every action would be inconvenient when setting up a repo.
I hope this helps understanding a bit more of this topic :)
Keep safe and keep asking questions if you feel that your data is in danger
Reeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee5 -
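The "token plus password as second factor" idea from the rant above, as an added example that is not part of the original post and not devRant's or GitHub's code. `AuthService`, its method names and the lifetimes are assumptions made for this sketch; it shows a long-lived session token that is enough for ordinary requests, a short "sudo" window opened only by re-entering the password, and revocation of other sessions when the password changes.

```python
import hashlib
import hmac
import secrets
import time

# Lifetimes and round count are assumed values for this sketch.
SESSION_TTL = 30 * 24 * 3600   # long-lived "remember me" session token
SUDO_TTL = 15 * 60             # how long a password confirmation stays valid
PBKDF2_ROUNDS = 200_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _digest(token):
    # Only a hash of the token is stored, so a leaked session table
    # does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthService:
    """Hypothetical in-memory auth backend: session token plus sudo mode."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}       # username -> (salt, password hash)
        self._sessions = {}    # sha256(token) -> session record

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def _password_ok(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, username, password):
        """Return a fresh random session token, or None on bad credentials."""
        if not self._password_ok(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = {
            "user": username,
            "expires": self._clock() + SESSION_TTL,
            "sudo_until": 0.0,   # no elevated window until password re-entry
        }
        return token

    def _session(self, token):
        key = _digest(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._clock() >= session["expires"]:
            del self._sessions[key]
            return None
        return session

    def session_user(self, token):
        """Ordinary requests: the token alone identifies the user."""
        session = self._session(token)
        return session["user"] if session else None

    def confirm_password(self, token, password):
        """Second factor: the token holder must also know the password."""
        session = self._session(token)
        if session is None or not self._password_ok(session["user"], password):
            return False
        session["sudo_until"] = self._clock() + SUDO_TTL
        return True

    def change_password(self, token, new_password):
        """Critical action: refused unless this session is in sudo mode."""
        session = self._session(token)
        if session is None or self._clock() >= session["sudo_until"]:
            return False
        user = session["user"]
        self.register(user, new_password)
        # Revoke every other session of this user, so a token stolen
        # earlier stops working once the password changes.
        keep = _digest(token)
        for key in [k for k, s in self._sessions.items()
                    if s["user"] == user and k != keep]:
            del self._sessions[key]
        return True
```
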
Clicking "share" on directory in Windows Explorer, digging through config panel, fidgeting with network discovery options, toggling password protection, digging through account management, jumping over a chair 3 times to channel my inner Bill Gates, checking directory permissions, sacrificing 7 virgin unicorns, go into lusrmgr.msc, curse various gods, install CIFS1.0 protocol, reboot computer, disable encryption, checking registry, trying to summon Steve Ballmer using the blood of a bald goat and sweat-scented candles... 5 hours.
Install Ubuntu on spare SSD, mount Windows NTFS drive, start SMB daemon and set up samba users... 15 minutes.12 -
Let's play a game!
The first person to figure out the password to this account before April 7th will get two sets of devRant stickers for free!
When you've got the password, log in to this account and @mention yourself to prove that you solved it!
Here are your clues:
7 4 12 e 8 18 5
7d 76 64 7a 42 5a 36 7d 3d 4b 36 7f 5b 40 3f 47 44 3d 6d 54 46 6a 61 4b 42 79 53 36 5e 75 5f 38 5c 4a 3d 60 42 55 6d 72 76 36 54 4a 2a12 -
So my colleague is making a noise about his password not being accepted for a new account and calls me over to come assist.
After getting there and taking a look I could easily see the confirmation password was much longer than the intended password and point this out to him.
He then proceeds to work through the source to the confirm password field and changes the data to text so I can read the confirmed password
Password: *******
Confirm PW: Yup that's it
Major facepalm for the prank😂
Colleague - @minij0ker4 -
I had security reopen our test-user last week. I could run the tests once, then they started failing with "blocked user due to too many attempts at logging in". Huh, that's weird. I go through everything, every script, every scheduled task, every nook and cranny of every drive on every machine I could reach, and make sure the password is updated everywhere. Reopen account. Same shit.
I email around to some people, they don't use it, one guy asks if I checked x, y and z, I did. Then he's sure we don't use it anywhere else.
It's one of our fucking contractors that took one of our scripts (that they're supposed to have duplicate copies of) and forgot to change to their own credentials. That's literally the agreement, take our scripts and change the user and run them on your machines.
Afhfjdkdhdjdbd stop locking me out of everything with your incompetence. I email them, some cunt gets back to me asking for the new password. NO. USE. YOUR. OWN. CREDENTIALS. I KNOW YOU HAVE THEM, THEY'RE HERE IN THE LIST AND BEING USED IN ALL OTHER SCRIPTS AAAAAAAAAHHH6 -
Biggest GTFO moment of the year;
While applying for colleges, I created an account with a username and variant of my usual password (I know, bad move, sorry). I came back to finish the application but had forgotten what variant I had used. So I clicked the forgot password button and got an email with...
MY PASSWORD IN IT!!!!
Plain text password! Just as part of the email! WTF do these people think they are doing?!?!
I immediately changed my password to a random string and deleted my account, so hopefully when someone gets into this database my stuff will be overwritten... stupid programmers...7 -
So... I’m sitting here doing pretty much nothing, just reading through some rants when all of a sudden I get a wave of emails.
Pinterest!
We noticed a login from a new device or location and want to make sure it’s you.
Device: Firefox, Windows 8
Where: New Jersey, United States (Approximate)
OhhhhhKay then... so there’s a couple of problems with this, 1 I didn’t even know I had a Pinterest account, 2 I don’t have Pinterest in my password manager either.
So I follow the link and fair enough it’s actually Pinterest, so I attempt to login, to no avail, oh maybe it’s a social login..., ok let’s try google, nope that wasn’t it, deletes account, logins with Facebook, oh here we go, checks logins, 1 random jersey player, deletes account, swaps to Facebook, changes password (this fucker was already 100+ characters) and adds 2FA and contains no new logins 🤔
Ok... so what the fuck, either someone managed to get through a long ass password or something phishy is going on, the email for FB logins is seldomly used (maybe a handful of services at best) as I have another for all the junk and spam bullshit I expect from today’s “marketing”2 -
I just got sent an email after registering an account at a webshop which contained my username and password.. *sigh*12
-
"Yeah, I'm going to make my account super safe! Lets give it a new and cryptic password!"
*Forgets password*7 -
Google has a password reset procedure so intense, that even if I can sign into my recovery account and give them the code from there, use 2 factor auth and give them the code from there, tell them my recovery phone(s) number(s), give them my mother's father's mother's late cousin twice removed daughter's maiden name, and whatever other security measures were set in place, I can't get a fucking password reset. Thanks Google, fuck you.3
-
Today my grandmother called and told me she wasn't able to login to her account for her ISP. Alright, maybe she's confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"
You and your fucking outdated auth practise can go and kindly fuck yourself. Fix this shit before I get real mad.5 -
When you're signing up for an account on a government site not to be named in this rant and they limit your password to 6 alphanumeric characters and no special characters... Smh8
-
We all have that one friend who says he "hacked someone's facebook account", and all he did was peek while that person was typing his/her password....6
-
So last year i was competing in IT basics, school level went great so i went to state level. This is my first state competition ever and I'm really nervous, everyone is telling me things like "you've got the gift, don't worry" (by everyone i mean my mum) but i keep believing that everyone who went to the state level has a 'gift' for IT. So the competition is about to start and a guy next to me raises hand to ask a question and I'm like so nervous that he is going to ask something i don't understand or is too complicated for me. The guy fucking asks how to get past the login screen because he clicked on an admin account and it is requesting a password. The fucking guest account is right next to the admin account that he clicked on and i proceed to help him and i click on the guest account and he literally asks me "wow i didn't know that was possible". What the fuck. IT BASICS STATE LEVEL. DOESN'T FUCKING KNOW HOW TO ENTER A GUEST ACCOUNT. Next on, the competition is over and we have to enter passwords to submit our online test so as i walk to exit the classroom i see a guy struggling and i ask him like dude you need to write a password and submit! He's like umm yeah i know but umm you see... I don't know how to write a # (it was required as a password). IT FUCKING BASICS STATE LEVEL. DOESN'T KNOW HOW TO WRITE A '#'. Later on i got 8th place and the fucker who didn't know how to write # got 1st because he knew fucking Excel questions that i didn't.4
-
Thanks to mandatory password change, today:
- My windows account got locked because my phone kept logging into wifi using
old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.
All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password" -
Fuck your clients, right...? A small town bank I’m doing some security work for; I had them create me a test account. I received an email with my password; are you fucking serious...?3
-
When I left school I decided to apply for a junior dev role. I received a call back later that day and they tried to sell me access to some course with the promise of a job afterwards. They gave me a website to visit to find more information.
I Googled the company and found that it was as I suspected a scam and that they had been preying on the jobless for some time.
So, I played around on the site they told me to visit for a while and found a rather simple SQLI. I managed to pull the admin email/password (which they stored as plain text) the email address belonged to a Gmail account.
I tried the password for the Gmail account turns out the account belongs to the person running the scam. I find an email from the hosting account and you guessed it the password was the same.
I pulled the site down and replaced it with a picture of the person running the scam along with his name and the words "I'm a dirty scammer".
Then I sent all the info to the police (he'd been running a few other scams too) not sure what that led to I didn't hear anything back.1 -
So... did I mention I sometimes hate banks?
But I'll start at the beginning.
In the beginning, the big bang created the universe and evolution created humans, penguins, polar bea... oh well, fuck it, a couple million years fast forward...
Your trusted, local flightless bird walks into a bank to open an account. This, on its own, was a mistake, but opening an online bank account as a minor (which I was before I turned 18, because that was how things worked) was not that easy at the time.
So, yours truly of course signs a contract, binding me to follow the BSI Grundschutz (A basic security standard in Germany, it's not a law, but part of some contracts. It contains basic security advice like "don't run unknown software, install antivirus/firewall, use strong passwords", so it's just a basic prototype for a security policy).
The copy provided with my contract states a minimum password length of 8 (somewhat reasonable if you don't limit yourself to alphanumeric, include the entire UTF 8 standard and so on).
The bank's online banking password length is limited to 5 characters. So... fuck the contract, huh?
Calling support, they claimed that it is a "technical necessity" (I never state my job when calling a support line. The more skilled people on the other hand notice it sooner or later, the others - why bother telling them) and that it is "stored encrypted". Why they use a nonstandard way of storing and encrypting it and making it that easy to brute-force it... no idea.
However, after three login attempts, the account is blocked, so a brute force attack turns into a DOS attack.
And since the only way to unblock it is to physically appear in a branch, you just would need to hit a couple thousand accounts in a neighbourhood (not a lot if you use bots and know a thing or two about the syntax of IBAN numbers) and fill up all the branches with lots of potential hostages for your planned heist or terrorist attack. Quite useful.
So, after getting nowhere with the support - After suggesting to change my username to something cryptic and insisting that their homegrown 2FA would prevent attacks. Unless someone would login (which worked without 2FA because the 2FA only is used when moving money), report the card missing, request a new one to a different address and log in with that. Which, you know, is quite likely to happen and be blamed on the customer.
So... I went to cancel my account there - seeing as I could not fulfill my contract as a customer. I've signed to use a minimum password length of 8. I can only use a password length of 5.
Contract void. Sometimes, I love dealing with idiots.
And these people are in charge of billions of money, stock and assets. I think I'll move to... idk, Antarctica?4 -
I found this old printout of my username and password for my school account from ca 2008. I really like how the password is the same as the username except for some capitalization 😂😅
“sECurItY”10 -
Ladies and gentlemen, I've done it.
Remove your hacker game trophies from your wall.
That nasty bug you fixed a couple of nights ago? Meh.
Your top devRant post? You'll delete it after reading this.
Every awesome accomplishment you can think of: it all means shit now.
>> I have SUCCESSFULLY changed my business Microsoft account password into something I can remember AND Microsoft accepted it in under an hour of trying!!!!! <<
I want to say a big FUCK YOU to MICROSOFT for WASTING MY BLOODY TIME.
FUCK YOU for giving me a max of 16 characters. DASB&(*(&G*HH*& for telling me every time my password is 100% strength and then after every submit tell me I have to change it AGAIN because it should be harder to guess. WUT?! It was 16 characters including a (capital) letter, number and multiple special characters, WHAT ELSE DO YOU WANT FROM ME?! UNICODE EMOJIS???!!! ALLOW ME TO USE MORE CHARACTERS SO I WILL MAKE IT HARDER TO GUESS IT, IT'S 2018 FFS.
I don't even understand why my new password is accepted compared to the other one, but fuck it I can access my account again.
Now I might have to find a new job before the company password policy kicks in again.
/me drops everything and walks out of the office to get wasted (not sure if celebrating or just really pissed off)7 -
I had to make an account for my kid's school.
Last night I start. I put in a username, then it has a quality meter for the password. I put one in and it goes to like 90%. Ok, fine. I submit and...
Validation error on the username field. Message? [object Object].
Try all different kinds of username: no numbers, all caps, etc. But no luck so I give up.
Today I try again and get stuck again. Then I think... "Maybe the devs suck worse than I think..."
I change the password so that it's rated 100% and submit... Success.
Fucking devs.3 -
Registered an account with a local pizza business and rated them 5* on Yell moments before checking my email and finding they had emailed me my unencrypted password, GREAT NOW I WON'T BE ABLE TO EAT4
-
When you spend 5+ minutes creating a secure password for your new bank account and you get a message saying the password must be between 6 and 12 characters long.
Not sure I want to open this account any more.
Fuck me.6 -
sometimes our application users can't login to our application and they report the problem to us. The fucking problem? Almost sure they forgot the password because we can login with their account.. Yeah we should not have access to their password, but we do xD. The worst is they send a Word file with only a print screen of the application error saying they can't login. Why not a .jpg??! The word takes 4 seconds to open13
-
This is not fucking security, it's obscurity! What the fuck is a memorable word without any context! It drives me up the fucking wall. This doesn't help anyone it just promotes people to put silly shit like password or something so they won't forget but it just makes their account weaker.17
-
Hey Citrix:
FUCK YOU.
Learn to make an accessible log in page you fucks.
Maybe instead of vague fucking "your user name and password is wrong" say things like "your account is locked because we somehow decided we don't like your password anymore. . . . without telling you"
Fucking 2 hours of my day wasted trying to log into my company's VM because first it wouldn't take my password (that I've had for over a month and doesn't expire for another month) over and over again. I changed it, logged in. Got up to do something that'd take less than 5 minutes. And OF COURSE the people who set up the VM made them log you out if you're gone for more than 3 minutes (fuck that guy too). Come back to a log in screen and it won't accept my new password.
Change it again. Except this time it won't accept my new password because it's "like my old password." It is in that it uses the alphabet and numbers, but it's also different in that those alphanumeric characters are LITERALLY DIFFERENT IN EVERY PLACE. I finally get it to accept a new password.
I'm also loving the whole "answer these security questions that literally anyone who does minimal research on you can answer" before I get to change my password. Yeah. Because finding my mother's maiden name or the city I was born in is so fucking hard. Literally impossible to find out what my Dad's dad's name is. Shit like that isn't publicly available. Nope. Why the fuck are we still using "security" questions?
I log into Citrix again. And it takes me to . . . the log in for Citrix.
There is no word in elvish, entish or the tongues of men for this stupidity.
Fuck Citrix. Fuck the people behind the password manager (Aviator or something like that), and fuck whatever administrator setting turns my computer off due to inactivity in such a stupid short amount of time. 10 minutes, 15 minutes, that'd be fine. But it's more like 3 or 5, like wtf.3 -
I don't usually look at the "updates" section of my Gmail but yesterday I did. One message caught my eye: "Your application to Microsoft BizSpark has been approved" but I've never applied to Microsoft BizSpark!
Someone has registered in my name, opened a Microsoft Outlook account under my full name and added my startup details for applying to BizSpark! One issue though, he used some Spanish equivalent of mailinator to subscribe so I could easily reset the password and replace the security email. Now I have 5 visual studio subscriptions I don't know what to do with.5 -
Not a Story about an actual hack, but a story about people being dumb and using hacks as an excuse.
A few weeks ago my little cousin would reach out to me because "his Account was hacked...". Supposedly his League of Legends account was hacked by a guy of his own age (14) and this guy was boasting about it.
So i asked the usual things: "Has the email account been hijacked? Did anyone know about details to your account access? Etc..."
Turns out that one of his "friends" knew his password and username, but supposedly erased this information. And that was the part i didn't buy.
This was the point where he lost. Just because i am a programmer does not mean i can retrieve an account he lost because of a dumb mistake that could have easily been avoided. And that guy who was boasting about hacking LoL Account was coincidentally friends with the friend who had the user credentials and password.
Moral of the Story? The biggest security weakness is almost always the user or a human in between... -
Another rant about my school: the default password system.
Each student's username is FirstnameLastname, and the same applies to teachers. The passwords assigned are <First initial><Last initial> for students, and the same for teachers with "teacher" appended to the end. As students, we figured out this system pretty quickly, and we were able to log into the computer system as any teacher who we knew had requested an account. (Teacher accounts had unfiltered Internet access, student accounts did not).
I now teach in this school, where they recently got Google Classrooms accounts for each teacher during Covid. The accounts use the same naming/password scheme! I somehow doubt the teachers replace their passwords, so any student clever enough to figure out the system can log into their Google for Education account.1 -
Fun though practical question.
You've accidentally pasted and sent some internally used password, let it be your account pw or some server's root pw, into a company's chat channel with 100+ other employees. What do you do next? :)
P.S. deleting the message is not possible
P.P.S. this happens. Thanks to windows "Let me just quickly change window focus from putty to chat window" _FEATURE_ I've accidentally shared like a dozen of root passwords with others.11 -
!rant I just put my phone in my pocket with the devrant app open.
I take my phone out again about 10 minutes later and i'm in the process of making a new devrant account....
So somehow while the phone was in my pocket, it must have clicked the logout button and sign up button and had entered random letters for the email name and password section.
Boy, i'd like to know what my pocket (or Ass) wants to rant about....2 -
Google collects more data than I could imagine.
So i read an article a few days ago and it absolutely blew me off. It mentioned how google collects your personal data and makes it available to you as well (just to rub it in your face I guess). E.g
1. Visit https://google.com/maps/timeline/ : Collects exactly what it says.
2. Visit https://myactivity.google.com/ :
These people collect everything on your device(at least android)!!!!! Even the time spent on home screen! WTF!!!
3. Visit https://takeout.google.com/ : To download your data archive. Ranges from Google photos to Hangouts and everything in between.
-> All the above require signing in with your gmail account.
So basically, if someone manages to get a hold of your gmail password, they have the power to know everything about you.
Aaaahhhhhhh. Ridiculous.9 -
Yesterday was the day. I got asked. Asked, if I could hack back someone's "hacked" Instagram account. For the first time.
He's probably one of those dudes who use short and easy passwords, so his password was just guessed. -
About a decade ago there was a torrent site for audiobooks audiobookbay I think?, if you forgot your password to your username they would literally just give you a new password on the next page. Naturally being a 1337H4X0R teenager I found the username of one of the admins and got into their account on the site. I don't know if they ever fixed that but that was a serious wtf moment.
Edit: just checked this flaw has not been patched.8 -
The TA for my computing lab in uni consistently shows up 45 minutes late. I'm usually done in 20 because I use the rest of the time to work on the next lab.
He walks through the door, lets out the biggest sigh, sits down, sighs again, opens up his laptop, and sighs once more. When someone asks for help, he sighs so hard you can see his lungs shrivel up as he exhales, and then provides them with a pointless answer.
The best part about the cs department here is that when you join cs, you are given an account to use with the ubuntu machines in the computer labs. They send you the password over school email, and you can't change it on any system they provide. -
this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.
2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.
The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i received an email that someone has JUST CHANGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:
1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck
3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/
4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidentally changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it" -
Hey Citrix:
How about if my account is locked, you give me an error saying "my account is locked" and not "incorrect username and password"
SO I CAN KNOW WHAT I NEED TO DO TO FIX THE ISSUE YOU JACKASSES.4 -
TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.
Yesterdayto log into my work Google account from my personal laptop to check emails, calendars update and so on. I opened up a private navigation window, went to Google sign-in page, entered my credentials, all is well.
Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.
Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.
I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.
What the duck? Could have been anybody giving any phone number. So much for extra security.
Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.6 -
So, I just created an account on a premium objective information website. It basically sells access to several articles on laws and general "financial relevant subjects". It is important for my work and they have pretty strict password requirements, with minimum: 18 characters length, 2 HC, 2 LC, 2 special, 2 numbers.
Without thinking twice, opened Keepass and generated a 64 length password, used it, saved it. All's good. They then unlocked my access and... wrong password. I try again... wrong password.
Thinking to myself: "No, it can't be that, maybe I only copied a portion of the password or something, let me check on CopyQ to see what password I actually used."
Nope, the password is indeed correct.
Copy the first 32 characters of the password, try it... it works...
yeah, they limit password length to 32 characters and do not mention it anywhere ... and allow you to use whatever length you want... "Just truncate it, it's fine"1 -
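The lock-out described in the post above (sign-up accepts 64 characters, only the first 32 are kept, login then rejects the full password), reproduced as an added example that is not part of the original post or the site's code. The class names, the PBKDF2 hashing, the 128-character maximum and the sample password are assumptions; the corrected class rejects over-long input at sign-up instead of truncating it.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 32   # silent limit reported in the post
MIN_LENGTH = 18     # minimum length quoted in the post
MAX_LENGTH = 128    # assumed documented maximum for the corrected version


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password (assumed hashing scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingAccounts:
    """Mismatch from the post: sign-up keeps 32 characters, login hashes them all."""

    def __init__(self):
        self._users = {}

    def register(self, user: str, password: str) -> bool:
        salt = os.urandom(16)
        # Silent truncation: no error, no hint that characters were dropped.
        self._users[user] = (salt, derive(password[:LEGACY_LIMIT], salt))
        return True

    def login(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, derive(password, salt))


class PasswordPolicyError(ValueError):
    """Raised at sign-up so the user learns the limit before saving the password."""


class ConsistentAccounts:
    """Corrected version: one stated length rule, enforced at sign-up, no truncation."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def check_length(password: str) -> None:
        if len(password) < MIN_LENGTH:
            raise PasswordPolicyError(f"password must be at least {MIN_LENGTH} characters")
        if len(password) > MAX_LENGTH:
            raise PasswordPolicyError(f"password must be at most {MAX_LENGTH} characters")

    def register(self, user: str, password: str) -> bool:
        self.check_length(password)
        salt = os.urandom(16)
        self._users[user] = (salt, derive(password, salt))
        return True

    def login(self, user: str, password: str) -> bool:
        # Over-long input can never match a stored password, so skip the hashing work.
        if user not in self._users or len(password) > MAX_LENGTH:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, derive(password, salt))


def replay(accounts, password: str) -> dict:
    """Register once, then try the full password and its first 32 characters."""
    accounts.register("alice", password)
    return {
        "full": accounts.login("alice", password),
        "first_32": accounts.login("alice", password[:LEGACY_LIMIT]),
    }


# Constructed 64-character sample standing in for the generated password.
SAMPLE = "Kp7!" * 16

if __name__ == "__main__":
    print("truncating:", replay(TruncatingAccounts(), SAMPLE))
    print("consistent:", replay(ConsistentAccounts(), SAMPLE))
```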
My company email:
- It's time for the monthly password change!
<writes the usual password>
- The password must be over 50 characters long!
<adds more letters>
- The password must have numbers!
<adds some numbers, though it's getting irritating>
- The password must have special characters!
<wtf?? Adds a pound character>
- The password must have at least 20 different special characters!
<da fuq???>
- The password must be at least 50 characters, only special characters and invisible tab/LF/CR characters and it must be changed daily!
<head explodes>
- Thank you! Now please sign in with your new password for 200 times per day.
<closes the laptop and starts using Remington type writer>
Usually these reminders start popping up during the 1st vacation day. When you return to the office, the account is already locked.
And then you wonder why people have the passwords written on a post-it or as a plain txt file in SkyDrive.11 -
Registering a new account for microsoft teams:
`Your password cannot contain a space, &# characters combination, or the following characters: < >`
Are they storing the passwords in plain text? Are they not sanitizing the input? Why the fuck would they care if I put motherfucking emojis in my password? What the fuck are you doing to the passwords, Microsoft? TELL ME.4 -
Probably the worst security I've ever seen is a website I used to visit that had their "Forgot your password?" system change the password of the account to the user's username and didn't even send an email confirmation before doing it.3
-
tldr: Fuck Apple AND Microsoft...
Tried to check my "me" email today (iCloud)... and well it's apparently "locked" for god only knows what reason, and they will only let me recover it through a Hotmail account that I haven't used in >10years.. So I tried that and after one login attempt outlook.com is telling me "you've entered too many wrong password attempts, you must reset your password"... ugh OK, so I hit the button and it's asking me "my" security question.. 'where did you and your spouse meet?'.. wtf? I'm not married now nor was I @12yrs old when I made this account....
Well thanks so I guess that's fucked for forever...7 -
That moment when your Minecraft account has a typo in the password. Every damn time I have to retry the login until I magically mistype it the same way again. Of course I can't reset the password because the email address of that account also has a typo in the password. How does that even happen6
-
Motherfucking stupid windows 10.
Wanted to try out cortana with all features after disabling it via regedit.
So naturally I created a Microsoft account and linked my user to it. Of course I used a random password generator and saved it in a password vault.
Then an update happened, I restarted my computer and guess what this stupid piece of SHIT garbage software did?
It prompted me to enter my password. Not the password I had for my local user BUT THE MOTHERFUCKING 15-DIGIT RANDOM PASSWORD GENERATED AND NOT EVEN VIEWED ONCE FUCKING SHIT!!!
Did they even ask if I wanted that? No they fucking didn't. Did they WARN ME? NO. NO THEY FUCKING DIDN'T.
That's the last straw. I'll kick windows down the garbage bin where it belongs and program my own AI with open source software.4 -
Who's the dumbass that decided you can't delete your PayPal account at all unless your balance is $0?
I am not giving you my card information for the $0.18 balance I have. For God sakes, I don't even bend over to pick that up if I see it on the ground.
It's one thing if it were like $100 or even $10. But it's eighteen fucking cents. Not even a quarter of a fucking dollar.
At least make me put in my password and answer a security question or some shit, not straight up remove the option to delete it.
Fucking ridiculous.21 -
Installs Nessus. Creates Admin account. Forgets to save the 32-char random password to a password manager and locks himself out. Installs Nessus...4
-
Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.
There are no username or passwords and the screenshot is not a first time sign up screen.
All I need to login is a surname, postcode and DOB - all information easy enough to find online.
Pretty bad IMO, esp. so considering the effort required to add a proper login using a username/password combination.
I mean I'm logged in now and have no option to set an account password :|3 -
Recently I flashed Android 9 (Pie) on my Nexus, but to this day I still haven't logged into Google from it. One reason is because I don't know my password and I didn't git clone my password store yet (where it's contained). Another reason is because I want to reclaim my privacy and not be a data battery for a Matrix of convenience that feeds itself with my personal information. Eh, it sorta works out I guess. Yalp is an amazing alternative to the Play Store, and even offers its own shadow accounts to use along with Google Play.
One problem though, while I've noticed that I could log in with my own account to get all my premium apps (couple hundred euros worth, so not easy to just discard) it apparently violates Google Play's ToS to do so from a third-party app. So I'm a bit hesitant to do that. Do you know of any viable alternative way to preserve my privacy yet install, keep and have validated those premium apps? I could download them from e.g. BlueStacks and export the apk's, but that'd be tedious and wouldn't be able to get those apps validated on my phone unless I log into Google there as well (which kinda defeats the purpose). Any suggestions?23 -
The 1x1 to lock you out of your Mediafire-Account:
- Change password to a new one with more than chars (works)
- Try to login with it. 😂 (too long)
Had to reset it and set a new new one with 30 chars.6 -
Am I the only guy using the GDPR emails as a to-do list? For each email I either delete the account with that service OR I take the opportunity to change the password. Tedious? Yeah. Satisfying? You bet!
I see all these people complaining about their inbox blowing up with "spam" but how many of those accounts or services do you still use? I bet over half of them were only signed up for to try their demo and then forgotten about.4 -
I just woke up this morning to an email saying that someone from Chile logged into my Instagram account and I'm not actually what set me off the most.
The fact that my password was leaked, the fact I literally never got notified that I had an Instagram account I never wanted or the you have to disable most privacy settings, just to reset your password.
Like holy fuck, I disabled all options I could find on firefox concerning privacy/tracking and it still tells me I should disable some privacy settings.
So I enabled chrome again (fucking system app) and it worked on first try. Just as expected...
Anyway, fuck instagram and thank you dear hacker for telling me that I had a worthless to delete.5 -
Omg how stupid some people are... Today at my university I used the first time one of the computers in the computer room and there is a portable Firefox installed in a shared space on the computer and that is also where it saved settings etc. So this is the same for every user on that particular computer.
And when I checked the security settings I found that about 10 different accounts were saved and accessible with website username and password.
So of course the shared space Firefox is bad, but you still shouldn't save your password on a public computer :S
PS: If anyone needs a webmail account or an account for the German university network contact me :P4 -
Recent conversation with a client for our SaaS product.
Client: So why can't we delete this information.
Me: We want to be able to know who made a change to the data to avoid getting into trouble with the law.
Client: Does that mean you can see all the data on our account?
Me: (I know where she is going but let me stall)..You are the only one with access to your account. If I don't know your password, I can't access your data.
Client: But you sound like you can see the information in the cloud.
Me: (Laughs softly and segued).. The additional features you requested would be.......
Someone needs to read the T&C... -
Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.
According to TechCrunch: Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.3 -
I went to uni for CompSci with knowing no prior knowledge.
In my first year of uni I created a DigitalOcean droplet to host an SQL server. I didn't change the root password or disable password login out of convenience and as I didn't think anyone would be able to find the IP address to be able to hack it.
Within 3 hours DigitalOcean had locked my account for using my droplet to send DDoS attacks. Support contacted me to ask what was going on. I knew nothing at the time so I was a bit 🤷♂️.
And that's when I learned the importance of changing your root password. -
What the fuck is wrong with Google?!!
Trying to log into Gmail.
Forgot password.
Gmail: To reset, code from authenticator app is required.
Me: Super. Good thing I set it up.
Enters code.
Gmail: Recovery email.
Me : Uh... Forgot that too.
Gmail: Some email address to communicate.
Me: Super!
Enters some other email address.
Receives mail with a link.
Me: Finally!
Opens link
Gmail: "When did you create your account?"
Me: Uh... If I had that kind of memory, we wouldn't be dancing right now.
.
.
.
Gmail: Sorry we couldn't verify you.
WHAT THE FUCK, GOOGLE?!
What sort of sadist play is this?!
Dropped them a mail to get access back. Got a link in the auto reply that explains how to repeat the above process. WTF?!
What the actual fuck?!10 -
fucking zoho and their fucking sign up and authentication process.
they need a mobile phone number for the sign up, alright fine, I provide. but after submitting the form, nothing fucking happened and i am redirected to the initial sign up page. fuck you.
try again and guess what, said my phone number is already used and i can try sign in with it. ok alright, i try to sign in using my number and my password. guess what? i am redirected back at the initial sign up form page. fuckkkkkkkkkk.
i try again with another number. and then this time, guess what? said the fucking email is already existed. jesus fucking fucking christ.
browse around their help desk and found this. https://help.zoho.com/portal/kb/...
sure I follow the advice and guess what? yeah i'm redirected back to the FUCKING GOD DAMN same page again.
I gave up and wanted to send them a reply on their help desk and try to log in using one of my other existing zoho accounts. GUESS WHAT? THEIR HELP DESK LOG IN IS NOT WORKING. ARRRRRRRRRRRRRRRRRRRRRRRRRRRRRR.
I click "Sign In". Login as User or Login as Agent dropdown appear. I click Login as User since my user account is already logged in. It nothing happened. It flashed and I am back at the help desk thread with no changes. It is still "Sign In" at the top. I fucking give up.3 -
Security! I wish clients would listen to me regarding security...
The client has started to ask me to give them access to all the logins I have for the email, domain, server etc.
I created them a new account and gave them admin access.
Now they’re asking for password for all the email accounts (I don’t even store them). So I asked why, she wanted to have them in case some of the employees forgot their password.
I explained to her, deeply and many times, WHY THIS IS A BAD FUCKING IDEA. I also discovered she’s keeping it in a document, clear text.
Why do they pay me for support, when they want to have access to everything...
I’m wondering if they’re planning to find someone else to do their support, or do it themselves.
I didn’t even think 25€ per month is that expensive for support2 -
What the actual f. I just changed my password on uplay to a 30 character password which works fine on the web account manager. Apparently some moron decided to limit password field in the uplay client where your actual games are stored to 17 or 18 characters.
And that while they want to "improve" security. Please ubisoft, fix your shit4 -
I'm installing Unity. Choosing the "sign in with Google" option, this leads to a screen asking for my Google account and password - *inside the installer*. No external browser.
What made them think it's legitimate? Why can't they just open my web browser for this? Why should I trust them with my email password?4 -
Other staff: I’m having trouble logging in to website A. My password doesn’t work.
[Me thinking: That’s weird. When I set up your account, the password worked. I told you to change it. So maybe you forgot your new password. We haven’t changed anything about the login process.]
Me: I reset your password. [sends new password]
Other Staff: The new password doesn’t work. But I can log in with Google.
Me: 😶 Website A does not have sign in with Google. What website are you actually on???10 -
"You have to change your password, because you've either just registred or your password doesn't comply with our guidelines anymore."
I've not made my account recently.
The question being: How can they know if they "should" decently hash it? 👿9 -
Password guidelines...
Just got an online account for an insurance:
Allowed characters for password are a-z, A-Z, 0-9.
Really?
I tried special characters, maybe they just forgot to mention them. Doesn't work, "Password not valid".8 -
When I was in 11th class, my school got a new setup for the school PCs. Instead of just resetting them every time they are shut down (to a state in which it contained a virus, great) and having shared files on a network drive (where everyone could delete anything), they used iServ. Apparently many schools started using that around that time, I heard many bad things about it, not only from my school.
Since school is sh*t and I had nothing better to do in computer class (they never taught us anything new anyway), I experimented with it. My main target was the storage limit. Logins on the school PCs were made with domain accounts, which also logged you in with the iServ account, then the user folder was synchronised with the iServ server. The storage limit there was given as 200MB or something of that order. To have some dummy files, I downloaded every program from portableapps.com, that was an easy way to get a lot of data without much manual effort. Then I copied that folder, which was located on the desktop, and pasted it onto the desktop. Then I took all of that and duplicated it again. And again and again and again... I watched the amount increase, 170MB, 180, 190, 200, I got a mail saying that my storage is full, 210, 220, 230, ... It just kept filling up with absolutely zero consequences.
At some point I started using the web interface to copy the files, which had even more interesting side effects: Apparently, while the server was copying huge amounts of files to itself, nobody in the entire iServ system could log in, neither on the web interface, nor on the PCs. But I didn't notice that at first, I thought just my account was busy and of course I didn't expect it to be this badly programmed that a single copy operation could lock the entire system. I was told later, but at that point the headmaster had already called in someone from the actual police, because they thought I had hacked into whatever. He basically said "don't do again pls" and left again. In the meantime, a teacher had told me to delete the files until a certain date, but he locked my account way earlier so that I couldn't even do it.
Btw, I now own a Minecraft account of which I can never change the security questions or reset the password, because the mail address doesn't exist anymore and I have no more contact with the person who gave it to me. I got that account as a prize because I made the best program in a project week about Java, which greatly showed how much the computer classes helped the students learn programming: Of the ~20 students, only one other person actually had a program at the end of the challenge and it was something like hello world. I had translated a TI Basic program for approximating fractions from decimal numbers to Java.
The big irony about sending the police to me as the 1337_h4x0r: A classmate actually tried to hack into the server. He even managed to make it send a mail from someone else's account, as far as I know. And he found a way to put a file into any account, which he shortly considered to use to put a shutdown command into autostart. But of course, I must be the great hacker.3 -
I just found out today that my PM had mistakenly committed the email ID and password of his account (which he probably used for testing) to the public repo on GitHub.
Although he subsequently removed it, I can see it in commit history.
The point is.....
I don't kinda like him...
Any mean ideas....?11 -
Worst error message to show a new user...
"An account with that email and password already exist. Please try again or login to your account." 😂😂😂😂💀💀💀💀3 -
Student Account Password at the university. No one changes the default. It's their DOB and the first two letters of the name.
Injection steps:
Open Database ( I am the Placement Representative )
Copy DOB
Paste
Add the first two alphabet
Unlocked3 -
The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.
Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.
I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.1 -
Is it me or is password security a giant mess right now?
Everyone has a gazillion ways to sign in.
Everything needs an account so eventually you get a password manager to keep track.
After reauthenticating the password manager, you get to the next screen that requires you to enter a code from 2FA. Internet isn't fun to use any more.12 -
It was more of "Hate story" with a guy whose mere presence would irritate me very much. He was also close to the girl I liked a bit (not very huge crush or something).
So he was very active on two of his social networks one being fb and second directly connected to fb so basically getting hold of fb would mean that I could control his other one too.
It was Oct 2016 and at that time you could easily hack an account using social hacking (not asking for an OTP or something, mere details did it for a few accounts).
I hacked his account and wrote curse words and all. As I had already changed the email and password, he couldn't till date retrieve it.
However as he reported to fb, his account was held and I could no longer access it but till then everything was over.
I couldn't still spot him on FB or the other social network.
And this was one of the most evil acts I have performed in my life.1 -
So, this incident happened with me around 2 years ago. I was pentesting one of my client's web application. They were new into the Financial Tech Industry, and wanted me to pentest their website as per couple of standards mentioned by them.
One of the most hilarious bugs that I found was at the login page: when a user tries logging into an account and forgets the password, a Captcha image is shown where the user needs to prove that he is indeed a human and not a robot, which was fair enough to be implemented at the login screen.
But, here's the catch. When I checked the "view source" option of the web page, I saw that the alt attribute of the Captcha image file had the contents of the Captcha. Making it easy for an attacker to easily bruteforce the shit outta the login page.
You don't need hackers to hack you when your internal dev team itself is self destructive.4 -
Way back, 20 or so years ago, when I went to the university, every student got an account so that we could work with the Unix machines. Every user got the same default password, -apollo-, still remember it until today, and one day I felt a little bit evil and I tried to login to the administrator account, of course the first password I tried was the default password and it worked!!! I got super scared and told an older student about it, who was brave enough to scare the administrators a little bit by leaving a message like "you have been hacked!!!" or something similar. I was just too scared to do anything about it. All I wanted to do was see IF I could login ☺️ my few minutes of being Mr. Robot... Guess hacking was not for me 😃
-
-- What if JavaScript never existed?
-- What if HTML was a programming language?
-- What if our data online isn't abstract but physical?
-- What if geeks have their own country?
-- What if humans exist and we are the aliens?
-- What if the internet is state-owned?
-- What if we could download food just like every other downloadables?
-- What if my VSCode won't kill me when switched to light theme?
-- What if there was no gender and the word "female" is just an alias for "male"?
-- What if bugs could find and fix themselves?
-- What if there's no need for an account password?
-- What if Linux was owned by Microsoft?
-- **What if I could tell my boss that I'm tired of his fucking job without actually telling my boss? This is the actual what if.**27 -
The hand of IT guy in family
My family sees me as guy who works on IT stuff. The best part is that I will have to help them whenever they encounter problem regarding electronics in daily activities.
Son! The internet is not working
Son! The printer is not working
Son! The TV is not working
Son! My phone didnt get any signals
Son! The microwave is not working
Son! The TV remote is not working
Son! Why is this whatsapp popup always appear whenever I opened it
Son! The dvd player is not working
Son! My phone wont charged
Son! I want to buy online stuff
Son! The email that ur uncle sent me cannot be opened
Son! The email that ur aunt sent me is not there
Son! Can u help me download this travelling app
Son! I opened a website and it told me that I have 163718362 virus!
Son! I forget my password of my facebook account!
Son! Some guy idk on facebook added me as his/her friends, what should i do?
....
Son! The internet is not working (again)
The fact is that, for most of these problems, I helped them by just.. restarting the router, rebooting the router at 1 min intervals, finding the specific toggle in the dysfunctional hardware that they accidentally hit while sweeping the floor, taking out the power and putting it back again, showing them how-tos for many account/payment mechanisms in apps, etc
The very best part that whenever they satisfied, whenever things back to work again, whenever they can reset the password:
"I've tried what you told me, but it just didnt work, but idk when u did it, it works! you are really an IT guy"
And i was like
🙃4 -
- client announces that they are reducing the number of employees since Dec31
- I'm among the ones relieved from duty
- hours before the end date I receive a 'your account will expire in 7 days. Reset your password' email from that client
riiight, that's one chore I no longer have to worry about. -
Wanted to make an account on Payoneer to get paid from 99designs for the stuff I make there.
Entered my password, got error.
"Please use only the latin alphabet, a-z and 0-9"
SERIOUSLY, it's banking stuff. How can they not allow secure passwords? *sitting here, crying*6 -
Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".
I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.
HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.
Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.
---
With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.
I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.
What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.
Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.
Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.
Explaining this to the company's support hotline is an exercise in...
"It's for your security."
"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."
"But we can't, for security."
"It's not security. Get me your boss."
...
"It's for security."8 -
Very eventful day, please see enclosed several smaller rants.
===================
My college's systems are shit and not only do they use HTTP for everything, even the stores and financial aid purchase system, they have homebrew JS shit for PGP site encryption (nifty...), but they exchange the PRIVATE KEYS instead of the public keys. Over HTTP. Not even HTTPS. Also if you log in more than 10 times in 24 hours it's supposed to lock you out of your account until you call... except it locks EVERYONE out. Found this out when on campus, trying to get my textbooks, when suddenly everyone had login lockouts because i'm a "paranoid bastard" and "afraid of idiot college students" for not telling a PUBLIC PC to remember the one password (enforced by password auto-sync across all their shit, not ideal, no) guarding my SUPER-SENSITIVE FINANCIAL AND ACADEMIC DATA... among the other hundreds of issues this college has. I now see why this college is the only one I can afford...
===================
Can't pass-through raw DVD drive access to VMs as VM managers crash when I try (yes, even QEMU...) so i've gotta install Windows on a shitty 80GB laptop HDD for literally one quick project. On the bright side, if my theory proves correct, you'll no longer need modchips for PS2s.
===================
Found a couple odd lines in my xscreensaver config:
GetViewPortIsFullOfLies:False
nice: 10
pointerHysteresis: 10
the first 2 I can't seem to figure out what do, and the last taught me a new word. Fun!
===================
that's it, it's over, why are you still here11 -
I was thinking about how I implement login functionality, and realised I have no clue how I came up with it so decided to ask if it was a good way to do things.
Basically, client logs in, username/email and pass are sent to server.
Server salts and hashes password and checks it against the one in the database for that user.
If its correct, send the client the user ID and the user token. (User id could be username, or a number, it depends)
When that client makes a request, the request must contain the ID and token.
The server checks that the ID and token combo are correct, and because the ID is linked to the user we know who it is and can complete the request.
Usually I make the token a random string of 16 or 32 chars, each account has their own token, and it may be stored in the browser so they stay logged in. I also normally add a "log out everywhere" button, which essentially just generates a new token that overrides the current one, making any previously saved tokens invalid.8 -
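The token scheme from the post above, as an added example that is not part of the original post. It goes one step beyond the post by keeping one token per login instead of one per account, so logging out a single device is possible; the class name, the 30-day lifetime and the in-memory dict standing in for a sessions table are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 24 * 3600  # assumed session lifetime: 30 days


class SessionStore:
    """In-memory stand-in for a sessions table (hypothetical schema)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # user_id -> {sha256(token) hex digest: expiry timestamp}
        self._sessions = {}

    @staticmethod
    def _digest(token):
        # Only a hash of the token is kept server-side, so a leaked
        # sessions table cannot be replayed as valid logins.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a token; call this only after the password check succeeded."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expiry = self._clock() + SESSION_TTL
        self._sessions.setdefault(user_id, {})[self._digest(token)] = expiry
        return token

    def verify(self, user_id, token):
        """Check the (ID, token) pair that accompanies every request."""
        presented = self._digest(token)
        now = self._clock()
        sessions = self._sessions.get(user_id, {})
        valid = False
        for stored, expiry in list(sessions.items()):
            if expiry <= now:
                del sessions[stored]  # expired sessions are dropped on sight
                continue
            # Constant-time comparison of the two digests.
            if hmac.compare_digest(stored, presented):
                valid = True
        return valid

    def logout(self, user_id, token):
        """Invalidate one device's token."""
        sessions = self._sessions.get(user_id, {})
        return sessions.pop(self._digest(token), None) is not None

    def logout_everywhere(self, user_id):
        """The 'log out everywhere' button: drop every token of the account."""
        return len(self._sessions.pop(user_id, {}))
```
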
Skype password lost -> reset email -> new password given -> login failed on skype client -> login via website -> invalid password -> reset password -> first enter code by email -> done -> assign new password -> login via password -> someone else is using your account, you have to change the password -> first ensure you are you by enter a code -> code entered -> change password -> password changed -> finally login works
Way to go Microsoft!
so I just changed my password 3 times in the last 5 minutes to get access to skype... for a call we finally made via whatsapp... now I will remove skype again until next year, when I have to make that famous "once a year" call with skype3 -
Microsoft and their dev tools...
> Trying to login to Azure VM
> Get an error, saying that password needs to be changed before logging in the first time
> Head over to Azure portal, try resetting password
> Password reset is not successful. Reason: Account already exists (???)
> Google the error message. Found solution (coming from a Microsoft employee!): Create a new user, login with that, fix the password for user #1 inside the VM, then delete the new user
What's wrong with these people? 😂3 -
Older tech support story, but still a frustrating one.
Sister was running Windows 8.1 (ew) when Microsoft was ramming Windows 10 down everyone's throat.
Her laptop decided to update to Windows 10, and after waiting awhile, she decided to unplug the laptop's battery and power cord.
This did what you expected, corrupted her install, leading to a bootloop. I then got to deal with that to try and recover it.
Once I got into the recovery mode, it wanted her password to restore from a system image, guess what she forgot?
She tried her PIN, and gave up after a few attempts, and I got to reinstall Windows for her.
Lesson learned from this? If you're the IT person of the house, make sure that you have an account on all machines that you may administrate. That way you don't need to deal with this shit.1 -
ChaseBank is getting up my nose. Twice in four business days my account was flagged and I had to change my password for 'security' purposes. I spent the better part of 90 minutes in a futile attempt to find out why, when there's been no suspicious activity on my account, I'm being flagged. My father contacted a branch manager near him who told him to dial the priority customer service number and key in the letters (I shit you not) HO HO. I called the number. It's the same damn number I'd been calling. I called the branch. They told me I'd definitely receive a call back last Friday by 1800. No call. So, yesterday I called the manager of that branch, verified its location, told the manager he was supposed to call me by 1800 last Friday, and Chase Corporate would be in touch with him soon to explain that when you tell a customer you'll call them, you'll fucking call them.2
-
The cleaner locked my account out by placing my external keyboard on top of my laptop keyboard. And it was holding down the enter key at the logon screen where it asks for password............3
-
So, the Network I was on was blocking every single VPN site that I could find so I could not download proton onto my computer without using some sketchy third-party site, so, being left with no options and a tiny phone data plan, I used the one possible remaining option, an online Android emulator. In the emulator running at like 180p I once again navigated to proton VPN, downloaded the windows version, and uploaded it to Firefox send. Opened send on my computer, downloaded the file, installed it, and realized my error, I need access to the VPN site to log in.
In a panic, I went to my phone ready to use what little was left of my data plan for security, and was met with no signal indoors. Fuck. New plan. I found an Xfinity wifi thing, and although connecting to a public network freaked me out, I decided to go for it because fuck it. I selected the one hour free pass, logged in, and it said I already used it, what? When? So I created a new account, logged in, logged into proton, and disconnected, and finally, I was safe.
Fuck the wifi provider for discouraging a right to a private internet and fuck the owner for allowing it. I realize how bad it was to enter my proton account over Xfinity wifi, but I was desperate and desperate times call for desperate means. I have now changed my password and have 2fa enabled.1 -
So, i use this bulk messaging service and they decided to make logins OTP only ("for security reasons", they say), sent to your email.
So instead of entering a password quickly,
- enter the password for your email account,
- click about 10 times on Resend OTP
- wait for OTP
- copy OTP and paste in the box.
So basically relying on the person's email provider's security rather than deploying their own. -
Intel, wtf kind of drugs is your stupid site on?
Trying to make an account, the password requirement says "at least one special character".
Ok, no problem.
"Password format is invalid"
Wut? Hmm, maybe it doesn't like that one. Let's try one from their suggested ones.
"Password format is invalid"
WTF? The fuck is your problem?!
*reloads the page, tries again*
"Password format is invalid"
ARE YOU FUCKING RETARDED?
*adds the special at the end of the password instead of the beginning*
It works.
https://youtube.com/watch/...
And then we wonder why bugs like Meltdown and Spectre come up. These guys can't even do fucking password validation properly.
And I've just lost 30 minutes because of this shit.
FUCK! -
wtf. i created my bogus xing account with a google account to view information hidden without having a xing account.
now these fuckers want me to enter a password to delete my account although i don't have one as i created the account with my google account.4 -
I had to do a double take... Needless to say I can't sign in for shit, fucknows what mental finger dance I did on the shift key when signing up to these guys...
Also: forgotten password is "please type your email, if there's an account associated to this email address we'll fucking email it with password reset instructions"...
Fucking arsehole fucks, I just wanna pay my fucking energy bill. -
Here's a little challenge for you!
I will buy a devduck for the first person to figure out the password to this account before april 16th.
If you figure it out, simply log in to this account and @mention yourself to prove that you did it.
Here are some clues to help you out:
57 85 22 15
14 3 47 10
34 18 98 45
12 52 50 6
&
TUVMRU5DT0xJQSAx11 -
I swear I get multiple emails every week from a person who's forgotten their password but instead insists our software is broken. "Account Broken, Can't Login!"
I've started just replying to these emails without even checking their accounts anymore -- or even opening up the system.
I'll say, "I'm sorry to hear that! I've looked into your account and it should work now."
I always get a reply back "THANKS! It works great now!"
Then I facepalm.1 -
Only questions I consider stupid are the ones that are permutations of an original question asked constantly from month to month. They should know the answer by now!
Asker: "Theres a bug. I cant log into this account"
Dev: "It's a different dev database, so use the password for that one" -
Somebody is onto me.
This week, I received a suspicious email claiming to reset my apple account password.
And just now, I received another mail from Facebook about unsuccessful login attempt.
I use this email only for serious stuff. Looks like one of them is a mole.2 -
IPMI...
2010....
Java Web...
Oracle JDK needed....
Oracle JDK Download requires Oracle Account..... To circumvent as I don't want a motherfugging shitty oracle account tons of googling and loading shit from not so trustful pages.
TLS 1.0 and WebJDK require Internet Explorer.....
And an even older version of Oracle JDK 8....
Broken keyboard input....
As on Laptop for Windows / Internet Explorer additionally struggling with keyboard...
Mounting SMB Share requires password change, as my password contains invalid characters....
Finally getting shit to load GParted...
Taking fucking ages to load.
Broken keyboard input, no pasting.....
Chrooting / input becomes a 15 min exercise.
Actual input necessary on chroot: 1 command.
Actual time needed to get there : 2 1/2 h.
*sigh*
When that one old machine dies that no one was aware of. And this one old machine is only accessible via an IPMI... As no one even knows where that machine is.
Weekend dead. Weekend is so fucking dead and overrated.2 -
I deployed one of our staging websites to a free plan because the site is rarely used. Project Manager sends the stakeholders the new url. There will be a lot of 🤦♀️🤦♂️🤦 all around. Some of it’s my fault. A lot of it is just WTF.
Stakeholder: We still need the staging site because we don’t want to test in the live site…
PM: Okay. We didn’t say we were deleting the site. We are just moving it to a new and better hosting platform, so we’re letting you know the url has changed.
Stakeholder: This url is for the front facing page. How do I access the backend? [they mean the admin interface]
Me: The only thing that’s changed is the url for the staging website. So domain-A/account is now domain-B/account.
I thought that was a pretty straightforward way of explaining things, that even a non technical person would get it. They took the /account example as the literal login url.
Stakeholder: I forgot the password for our admin login and I submitted a password reset, but I realize I don’t know if I have access to the admin email. Or if it’s even a real email account.
WTF
I look back at the email chain and I realize that I gave the PM the wrong url.
Also, WTF x 2. How did this stakeholder not realize they were looking at the wrong website?? There are definitely noticeable style and content differences. And why would you have an admin login that uses a fake email??
Me: My apologies. I sent over the incorrect url. My instructions are mostly the same. All that’s changed is the domain.
Stakeholder’s assistant: [DMs me] How do we access the backend?
WTF…are they seriously playing this game and demanding I type out the url for them?! 🤬 I’m not playing this game and I just copy and paste the example that I already sent over.
They figure it out eventually. Apparently, they never used /account to login before. They used /admin/index… but that would still bring them to /account, but with ?redirect=/admin/index appended to the url if they weren’t logged in. Again, WTF.
I know I made mistakes in this whole thing, but damn. I can’t even. I’m pretty sure this whole incident is fueling my boss’s push to stop supporting this particular website anymore so I can focus on sites that actually bring in revenue…and have stakeholders that aren’t looney and condescending like this.4 -
Does anyone else ever get so distracted/tired/pent up with other shit going on that they become a liability?
Last night I had about 5 hours sleep and have been worried over general UK politics lately.
Today, on a phone call to get support over getting locked out of our Apple Developer Program account, the call centre agent asked if we had the password.
I immediately replied "Sure! It's **begins saying actual password aloud over the phone**"6 -
Aaaand I did it again T_T
Installed knockd for some reason it wasn't working well, couldn't unlock the port and guess what, internet disconnected for five minutes ==> My SSH session closed and I am locked out of my VPS :')
What is even worse Scaleway doesn't have a root user password when creating the server it uses a pre-entered ssh key that I put in my account, so I was pretty much locked out.
But I was able to remove it, they have custom scripts for booting so I was able to fireup a shell session during boot and removed knockd
Either I fail at using Linux or I really need to work on myself lol2 -
Windows has just asked me the password to my Microsoft account to fucking access my computer.
... Do you mean that if I didn't have Internet access I couldn't use my own fucking computer? WTFF!??24 -
I'm trying to upgrade my account passwords etc. keepass (password manager) doesn't generate resizable windows, so when I want to generate a new password or do anything that creates a new window, THE NEW WINDOW IS TOO TALL FOR ME TO SEE WHAT'S AT THE BOTTOM AND THERE'S NOT EVEN THE OPTION TO SCROLL OR ZOOM OUT. YOU'RE OPEN SOURCE AND GIVING ME THIS BULLSHIT? If you were a living creature you'd be a giraffe with short stubby legs. Your missing features mean you don't get the best leaves and leave you dining with the rest of the peasants. At least I can interact with what I CAN see and closing the window prompts me to save changes, and passwords are generated by the rules I can actually see to manipulate.
Maybe I should look into the source or look at others' screenshots to see what I can't and tab into it to make blind changes, but I'm sufficiently happy with the passwords it gives already. I'm just pissed something so well rated has a flaw like that. Like a game where some levels are locked and you can't unlock them through play -_-2 -
I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:
- apply for password reset
- get a mail
- confirm the mail
(So far, so good)
- get a mail with a new CLEAR TEXT PASSWORD
Is this the stone age!?
You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.
All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)
If a user wants to reset their password? Send them a mail with a link where they can assign a new password.
At no point should the password ever be stored or transmitted in any other medium.5 -
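The storage and reset flow the post above describes, as an added example that is not part of the original post or any vendor's code. It uses PBKDF2 from the Python standard library as a stand-in for a dedicated password-hashing library so it runs without dependencies; the `Accounts` class, the iteration count, the 15-minute link lifetime and the `shop.example` URL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
RESET_TTL = 15 * 60          # assumed lifetime of a reset link, in seconds


def hash_password(password):
    """Return (salt, hash); only these two values are ever stored."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password, salt, stored):
    """Recreate the hash from the input and the stored salt, then compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


class Accounts:
    """In-memory stand-in for the user and reset tables (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}   # email -> (salt, hash)
        self._resets = {}  # sha256(reset token) -> (email, expiry)

    def register(self, email, password):
        self._users[email] = hash_password(password)

    def stored_record(self, email):
        return self._users[email]

    def login(self, email, password):
        record = self._users.get(email)
        if record is None:
            hash_password(password)  # spend the same work for unknown users
            return False
        return check_password(password, *record)

    def start_reset(self, email):
        """Return the link to mail out, or None when there is no such account.

        The web response should look identical in both cases.
        """
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._resets[key] = (email, self._clock() + RESET_TTL)
        # The mail carries a one-time link, never a password.
        return "https://shop.example/reset?token=" + token

    def finish_reset(self, token, new_password):
        """Set the password the user chose; the token works exactly once."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._resets.pop(key, None)  # popped even if expired
        if entry is None or entry[1] <= self._clock():
            return False
        self._users[entry[0]] = hash_password(new_password)
        return True
```
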
Nothing makes me not want to take a full-time job at your company more than having to go through IT tickets every quarter year when my password expires to actually change my password. Why have a fucking self-service portal for employees if logging in with an expired password doesn't work and the reset password link tells me that I need to log in to enroll with security questions (???). It feels like these websites are glued together with sticks and spit and there's a million of them each sporting one specific purpose! I have to go through this shit multiple times since I'm an intern and I didn't have access to my account through the course of the semester. Get your fucking shit together!1
-
Hmmmm. Just looked at my security log for my outlook account. A bunch of unsuccessful sync attempts... from China, from South Africa, from Colombia, from Poland, from Vietnam, and from Brazil. All of them IMAP attempts. Good to know my password isn't compromised, but I think I'm going to reset it and double its length, just to be sure.2
-
Windows 10 Action Center yesterday alerted me to set a PIN for my laptop.
Turned on PC this morning and typed in my regular password then realized it wanted the PIN.
Thinking how this feature came to be....
1. Windows wants you to link your login to your Microsoft/Hotmail Account and it makes it a pain in the ass to set a separate one (Windows 8)
2. 2018 arrived and logins are a pain, everything is autologin or PIN/code based (aka short 'unsecure' passwords)
3. MS backtracks and realizes email logins are too long so they make a partial fix which basically reverts back to the pre-Win8 days of a separate system login.. except now it's called a new feature!
I realized now under enter a PIN the reason for the checkbox that says: Allow symbols and letters. It's a nice way of saying: please type in your old password again.
**Also rant #2: cuz i dont feel like waiting 1hr**
I felt great yesterday when my boss told me apparently I have like an Expert designation at the company.
Feel like crap today cuz some user is complaining about some report:
- they asked us to create months ago
- now complaining its all wrong but never gave any formal requirements and actually did sign off on it during testing
- FIXED ASAP
HELLO!!!!!!!!!!! STOP MAKING IT SOUND LIKE IT'S MY FAULT U CAN'T BE BOTHERED TO PROVIDE CLEAR REQUIREMENTS AND THEN TAKING FOREVER TO COME BACK WITH UR PROBLEMS AND NOW NEED IT FIXED ASAP BY USING A NEW DATA SOURCE THAT I HAVE NO IDEA WHAT THE FUCK IS SINCE U USED A RANDOM ABBREVIATION LIKE I CAN MIND READ.
IF I COULD MINDREAD, ID BE WORKING ON A PLAN TO GET UR ASS FIRED.....
Happy friday and long weekend... Got 3 days to relax before i need to deal with this shit again...2 -
College days
Me and my friend sitting in Lab
Me - Dude I am not able to install simulator in this PC, it's asking for some password
Friend - Try typing random password, admin123, admin000, admin0, admin etc.
Me: (After 10+ attempts) Not working :(
Friend: (Saying to faculty) Mam what's the password for this PC, I need to install simulator.
Mam: Wait, Computer specialist will come and do it for you
** Waiting for 10 min **
Specialist came and starts installing it one by one. After 3 min
Specialist: (After realizing that he can't install it for all 50+ PC's)
Everyone select Administrator account, and press enter, then you will be able to download it.
Me and my friend staring at each other laughing so hard ... !
After 1 month, the password is still same :P
Fun fact: It is Technical Campus.3 -
I think the fact that even Apple can't unlock your phone if you forget your passcode proves that they use very naive encryption method.
Suppose my data is "Hey This is Some Data" and Passcode is 1234, I could just Jumble this data using that passcode and It will be difficult to decrypt without Passcode. And If data is huge, it will be fairly impossible to do so. But that doesn't make it a good encryption method.
Such encryption, though safe is not practical, Imagine if there was no "Forget Password" Option on any account, I usually forgot my password very often when I was a child.
Apple has been doing such things for years, Using Bad things as a selling point. Apple users are dumb anyways because they don't want to control their phone.
Reset Password is a weak point which might be exploited but in such cases, usability is more important than security. Any service which doesn't allow resetting Password is a shitty service and I would never use such a service, They are too naive.
-
Win10: your password has expired.
Me: ok *click*
Win10: oh btw I forgot which account has its password expired, so you have to write the account name
Me: ... Okay
Me: *resets password, then clicks next*
Win10: let me empty that form and let you redo everything without me showing you an error
Me: ....... Okay
Me: *same info*
Win10: sorry, can't find user "username"
Me: Ok you know what fuck off I'm restarting you
Win10: but I... *ded*
...
Win10: Hello Phlisg, please log in normally as usual
Me: what the fuck
---
Disclaimer: I use Linux, osx and windows ;)
-
Having gone to a bank to reset a password again today (Yes, I forgot it for like... 3rd time, don't judge me, it's my backup bank account I need to access like... once a year), I was once again made to think - I come in, give them my state ID by which they authorize that I can even make a password reset request.
Then they give me a tablet to... sign a contract addendum?
It's not the contract part that always makes me stop and think though - it's the "sign" part.
I'd wager that I am not the only one who only ever uses a computer to write text these days. So... My handwriting got a lot jerkier, less dependable. Soooo... My signature can be wildly different each time.......
And if my signature varies a lot... then... what is the point of having it on a piece of paper?
I know it's just a legal measure of some sort... And that, if it came down to someone impersonating me and I'd go to court with the bank, there would be specialists who can tell if a signature was forged or not... But...
Come on, the computer world has so much more reliable, uncrackable, unforgeable solutions already... Why... Don't all folks of the modern world already have some sort of... state-assigned private/public keypairs that could be used to sign official documents instead?
It costs money, takes time to develop etc... But... Then, there would not only be no need to sign papers anymore... And it would be incredibly hard to forge.
The key could even be encrypted, so the person wishing to sign something would have to know a PIN code or a password or something...
tl;dr: I hate physical signatures as a method of authentication / authorization. I wish the modern world would use PKI cryptography instead...
-
Oh my dear internet,
FUCK THIS FUCKING SHIT
I AM SICK AND TIRED OF IT, WHO BUILT THIS HACKED TOGETHER ORWELLIAN SWAMP PIT?
Fuck the same fucking Envato template on every content page with 70 layers of sidebars, inline ads, popups, cookies and content shifting as if I was playing CATCH UP WITH YOUR FUCKING CONTENT.
FUCK the same fucking annual upselling 'plans' on every 7-day trial overengineered scam app that requires me to sign up for 1 fucking, falsely advertised task where my fucking password generator doesn't even recognize the input as a password field so I have to cmd+, to my FUCKING BABYLONIAN PASSWORD ARCHIVES PROMPTING ME FOR THE MASTER PASSWORD.
Thank god I can at least CREATE A BURNER CREDIT CARD THAT FREEZES ITSELF BECAUSE I CANNOT BE BOTHERED TO UNSUBSCRIBE FROM YOUR FUCKING STEAMING CRAP.
FUCK every fucking step I take being recorded by our CYBERPUNK OVERLORDS REQUIRING ME to sign up for 5 different fucking privacy protection tools' annual plan or duct tape some open source shit onto my browser just for some BASIC PRIVACY WHILE TRYING TO NAVIGATE ALL THE OTHER 5000 annuals plan naval mines like A FUCKING FRENCH SUBMARINE IN 1940 GERMAN WATERS.
FUCK my walled garden scam ecosystem not being compatible with your walled garden scam ecosystem prompting me to reactivate my old SATANIC GOOGLE DON'T BE EVIL ACCOUNT from 2012 sending me on a DANTE ALIGHIERI STYLE ODYSSEY THROUGH THE 9 LAYERS OF PASSWORD RESET QUESTIONS, UNEXPECTED ERROR, 2FA MY PHONE DIED HELL to come out on the other side as a broken man.
Thank GOD I have your useless SUPPORT PAGE to aid with my signup problems that is actually just an FAQ with a hidden EASTER EGG HUNT for your support form CRISP AI BOT THAT IS ALSO 'currently experiencing high demand due to COVID' which is peculiar since that has been 3 years ago, but fortunately for you enabled you to fire ALL YOUR SUPPORT STAFF AND REPLACE IT WITH THIS BANNER.
I might as well just SCRAPE your fucking content, it'd be faster.
And although it is quite funny, FUCK THIS PAGE TOO for having me create another of 10.000 accounts to write this shit, where my browser firmly placed a newly created burner email into the PASSWORD FIELD.
I do not know how we managed to create something that is even more unwieldy than 56k DIAL-UPS, but I know that if this shit continues I'll have to train my own AGI to proudly interact with all of this STUPID SHIT on my behalf or I'll have to move into THE FUCKING MOUNTAINS AND LIVE WITH THE DEER.
-
I know a doctor's practice which gives you your first name as a default password for your account. Watertight security for all these medical records :)
-
So I want to inform my internet provider of my new phone number, but I can't remember any of my login info for their web interface because I never used it. Luckily, they have a "forgot my username" function, where I submit my email address and get a confirmation that my username has been sent to me.
Yet, I just don't get said email. I try again, but no avail. So I just guess my username and use their "forgot password" form, which – hooray! – confirms it just sent me an email.
But I don't get any email. I retry, I retry after a day, but no automatic response. I remember an incident a few years back when I didn't get some automatically generated mails from a company and decide to contact their support if they could just reset my password manually.
Nearly a week passes.
Now I received the answer. I just don't have an account.
Lesson learned: Next time I'll just input garbage first to check if those forms are sane.
-
Company created an FTP account for me on one of their servers as they were lazy to fix file permissions.
24 hours later, they monitored a breach and closed the FTP account.
Just to add that the initial password that they sent me was super weak.
-
Got access to root access of school's lab computer.
Saw an account 'tee'(Term end exams) associated with it, copied the hash, ran a dictionary attack and the password was 'tee'
FUCCCKCKCKKK
-
So I still have my very first email account, a hotmail account as a secondary, kinda spam account.
i signed up around 2000 i guess.
someone tried to get in, i got loads of mails of failed login attempts so i wanted to go and change my pw. But because of that bastard i can't login with just pw anymore, i need my phone. THAT ACCOUNT IS 20 FUCKING YEARS OLD. I never even provided a phone.
spent the last 20 minutes providing personal details to microsoft which are probably not the ones i used for signing up anyway.
you know how careful we were when signing up for something online back then? I probably signed up as Thomas anderson from zion...
anyway, done now and now it will take 24h for them to review it..
all of this only to reset my forgotten pw for my epic games account for which i signed up with that mail...
holy guacamole.. I should start to trust password managers...
-
I had to create an account on a website. I used LastPass to generate a strong password. I entered it and got the following message:
"Password must be between 8 and 16 characters and must have special characters (? , ! & #) and numbers"
My password was 20 characters, me annoyed to generate a 16 character password. Filled it in and got the same error. That was it for me.
Who dafuq limits a password to 16 characters, that's fucking nothing. It did not accept all special characters, only the ones that were showed (like 5 or so).
And here comes the worst part...
It's a bank website! I had to create the most most most insecure password in history for it to work.
-
"When you set up the new app instance, can you set an easier password for our account? No special characters or numbers"
Sure. It's not like having a strong password prevented unauthorized access in the first place. BECAUSE YOU GAVE THE FUCKING LOGIN DETAILS TO AN UNAUTHORIZED 3rd PARTY! Which incidentally is why I now have to set up a new app instance...
-
So just now I had to focus on a VM running in virt-manager.. common stuff, yeah. It uses a click of le mouse button to focus in, and Ctrl-Alt-L to release focus. Once focused, the VM is all there is. So focus, unfocus, important!
Except Mate also uses Ctrl-L to lock the screen. Now I actually don't know the password to my laptop. Autologin in lightdm and my management host can access both my account and the root account (while my other laptop uses fingerprint authentication to log in, but this one doesn't have it). Conveniently my laptop can also access the management host, provided a key from my password manager.. it makes more sense when you have a lot of laptops, servers and other such nuggets around. The workstations enter a centralized environment and have access to everything else on the network from there.
Point is, I don't know my password and currently this laptop is the only nugget that can actually get this password out of the password store.. but it was locked. You motherfucker for a lock screen! I ain't gonna restart lightdm, make it autologin again and lose all my work! No no no, we can do better. So I took my phone which can also access the management host, logged in as root on my laptop and just killed mate-screensaver instead. I knew that it was just an overlay after all, providing little "real" security. And I got back in!
Now this shows an important security problem. Lock screens obviously have it.. crash the lock screen somehow, you're in. Because behind that (quite literally) is your account, still logged in. Display managers have it too to some extent, since they run as root and can do autologin because root can switch user to anyone else on the system without authentication. You're not elevating privileges by logging in, you're actually dropping them. Just something to think about.. where are we just adding cosmetic layers and where are we actually solving security problems? But hey, at least it helped this time. Just kill the overlay and bingo bango, we're in!
-
One thing I don't understand, when I want to sign into iTunes Connect website, I have auto fill filling credentials, Apple first shows only email field, click next, then it shows password field, click next then you are logged in.
Why is it like this? Username and password are both filled, but yet need to click login twice to access my account -_-
-
I have fucking HATED Windows 10 from day one. Now I'm hearing there are new vacillations of this genius programming train wreck that I think is designed to force monetize Microsoft's business model.
After a short while I managed to get to a point where I can maintain W 7. In fact, I'm using my old computer right now. Because I could not get this rant to load onto Devrant website. If you are reading this we know that it is because 10 sucks consistently.
I save my files onto a backup hard drive so I can find 'paper file' type solution for whatever random crap might block me at the keyboard. In fact, I still use paper and file cabinets so "technology" doesn't bring me to a screeching halt every time something like "no record of that account" or "wrong password".
Why the hell does my PASSWORD work from W7 but not from W10?! And it's getting WORSE by the day! I'm about to take a fucking hammer to my new fucking computer. And to that guy who smarmy says something to the effect of 'don't be such a pussy... just fix it and you will be happy.' Well. Fuck you too!
Now. That being said. Anybody have a suggestion on what to try next? And don't say something like, 'take your computer to Micro Center or Geek Squad'. I've done those guys twice each. And for a small phenomenal fee they have each time made things slightly worse plus lost parts of my saved data each time.
Oh. And "reset to previous" doesn't work either.
Suggestions?
Probably better at this point to attempt to solve my own problems wrong for free at this point. Maybe I'll learn to program in Linux or some such thing.
Forrest
for suggestions please contact me at
res0naza@yahoo7 -
I recently went to an office to open up a demat account
Manager: so your login and password will be sent to you and then once you login you'll be prompted to change the password
Me: *that's a good idea except that you're sending me the password which could be intercepted* ok
Manager: you'll also be asked to set a security question...
Me: *good step*
Manager: ...which you'll need to answer every time you want to login
Me: *lol what? Maybe that's good but kinda seems unnecessary. Instead you guys could have added two factor authentication* cool
Manager: after every month you'll have to change your password
Me : *nice* that's good
Manager: so what you can do change the password to something and then change it back to what it was. Also to remember it keep it something on your number or some date
Me: what? But why? If you suggest users to change it back to what it was then what is the point of making them change the password in the first place?
Manager: it's so that you don't have to remember so many different passwords
Me: but you don't even need to remember passwords, you can just use softwares like Kaspersky key manager where you can generate a password and use it. Also it's a bad practice if you suggest people who come here to open an account with such methods.
Manager: nothing happens, I'm myself doing that since past several years.
Me: *what a fucking buffoon* no, sir. Trust me that way it gets much easier to get access to your system/account. Also you shouldn't keep your passwords written down like that (there were some password written down on their whiteboard)
Manager: ....ok...so yeah you need sign on these papers and you'll be done
Me:(looking at his face...) Umm..ok
-
Fuking hell!
My mom apparently sold her phone which was not turning on for some reason. Earlier she told that she had given it to a shop to get it repaired.
I'm just dumbfounded here that she didn't even consider deleting the data on the phone or even consulting me before selling it.
Thankfully, the phone is linked to google account and I know her account password which is pretty weak. I had told her to change password which she has never done yet. Anyways, I have sent erase phone feature on Google account. Now I hope phone will come online before somebody decides to do anything with data in the phone.
Also, the phone has been super annoyingly slow recently. So I hope nobody is gonna mind that phone at all.
-
To the developer of jobomas.com (I sent this while I canceled my account):
Seriously, a platform that confirms my password in clear text in an email is a risk for my privacy and data.
One more story: I wanted to change gender to male and you asked me for my phone number, birthday etc. (required form fields)?
I should be able to decide myself what I want to share with you and what not!
This platform isn't even fully translated to english (Gender selection for example...).
Consider hiring a UX-Designer so I don't press cancel, when I want to cancel my account.... what a finish, sigh!
-
I'm currently a student in college. First semester of first year for the first 'real' programming course the school has offered, and we realized that they have told everyone to store their server login info in a connectvars.php file. 45 minutes and three tests later we had a script that was capable of outputting the username / password combo for any account on the schools server who had taken that course, ever.
-
AHHAHAHAHHAHAHAH Not only did my StarSpace got "hacked" i would say abused , but I had my password in clear text so did he GOT MY DevRant account now aswell!!
I just implemented encrypted passwords yesterday but not fully since im still testing ...
( hacked by @tallasianman )
:(
-
My coworker cannot log in to his company email account. So I contacted the guys in charge of this by email, asking if they could help and asked whats the process now or how does this work. I assume if his email is not working, they cannot send him a password reset link.
their answer: yeah, sure, we reseted the password of the mentioned user, here is his new password
-
What password manager/ generators do you suggest?
Also would anyone please clear my possible misconceptions on the password manager/generators?
I’m that type of guy that only uses few password combinations at different websites.
tl;dr: my account out leaked, I didn’t want to use any password manager because I don’t want to give password to the company. Some do generate complex password for me but if they become defunct I’ll be locked out from those accounts.
A while ago, aptoide got attacked and my password(same as google account) was leaked. I’ll have to thank google for this, google blocking a stranger accessing account using a “less secure app” So now I’ll doing a emergency password changing process to all of my accounts with the password.
I like the whole aspect of the password manager, but I always thought that I shouldn’t give my password to other companies. And I got to use some website long term, if the password management company ever just become defunct, I might lose access to my account forever.
-
While you're typing and you remember this is not the correct password for this account but you're too lazy to backspace all that state of the art you just wrote so you just ENTER the shit out of that ¯\_(ツ)_/¯
-
To all websites requiring at least one upper case, one lower case, one number, one special character, 25 emoji and 49 unicorns in the password when signing up.
If you say something is required, then your regex BETTER be checking ONLY for those things. You should not have hidden requirements for passwords that users are supposed to dream about and know. Especially if it's a super time-sensitive thing that they should have opened 2 Fridays ago.
I had to pull my hair out for 20 minutes (that felt like an hour) before looking at their code and reading their regex. The regex was different from what the page said the requirements actually were. What were they even thinking? 😑
The rest of everything related to this organization uses an SSO system, why can't they just use it? Isn't the whole point of SSO to avoid a different login for every tiny part of the system?
I wonder what the other less technically inclined people using the system are doing right now. Sadly, I have no way of letting them know.
I sincerely hope the dev that made that website faces the same thing while picking a password for creating an account somewhere else and realizes what he/she did.
I really needed to let it out.
I feel much better now.
Time to take out the stress ball :)
-
Update to previous rant: My e-banking account is blocked, because apparently I already set a password on a website I never seen before.
- Tried the declined one
- Tried the unsecure one I chose after the declined one
- Tried the pin number from mobile app.
BAM@#%$#%!!1!one1! YOU ARE BLOCKED FOR ENTERING WRONG PASSWORD TOO MANY TIMES. PLEASE CALL THE FUCKING BANK ON MONDAY.
I seriously hate this stupid country, and companies that don't know a first thing about web getting picked on government and public sector projects, sucking 100s of thousands of euros and providing the user experience that gives you a fucking diarrhea, at every SINGLE ONE OUF THEM!1 -
"Please unlock my account."
"You locked it by ignoring our password policy and not having changed it within 24 hours."
"Please unlock it!"
"Please follow the instructions to unlock in the many E-Mails we sent you. You can unlock yourself."
"Please!"
"I filed a support ticket for you. Someone will get in touch with you and guide you through the process described in the mails. You still can decide to read the Mail and help yourself."
"Ey f@@"€& you! All I want is to have my account unlocked..."
Every day one of them. But I love you all. :)
-
Challenge questions are so goddamn stupid.
Apparently I have an account with a certain online organization though I don't remember setting it up.
So naturally I had no idea of my username or password, so they asked me challenge questions.
It asked me the city of my birth, which is a place with a weird spelling. Because of that weird spelling, I never remember if I'm spelling it right (I was only there as a newborn infant) And I'm also supposed to remember if I capitalized it or not.
I hate challenge questions. And anyone doing any remotely simple research on me shouldn't have trouble learning what city I was born in so it seems to me it's a security vulnerability, nothing more.
And maybe I'm giving things away by saying it asks me that question, but it's a common security question any hacker would anticipate anyways.
-
Signed up for an account on an online store, which then proceeded to send me my full password in plaintext, and in an unencrypted email.
Sent them an email 3 weeks ago detailing the security issue (i was extremely nice about it), but no response.
What else can i do?
-
Friends, gather round for a story of "the user".
Two days ago I assisted a friend in reviving their scammed Instagram account with final confirmation it was back in their possession yesterday. I stated "make sure you clean out phone numbers, emails and change the password. WHATEVER YOU DO DON'T USE THE SAME PASSWORD"....I bet you know where this is going....
Cue 6:45am: "HELP! THEY DID IT AGAIN! THEY TOOK MY FACEBOOK THIS TIME TOO!" as a safety measure, I told her to link them for recoverability.....not thinking you just created a bridge to the facebook...
Now We're going through EVERY account BY HAND and changing EVERY password for EVERY service and enabling MFA. We've also learned the power that the forgot password button wields for everyone.
ProTip: If your friend was "hacked" be patient, friendly and soft to get every detail...sometimes you learn more and can position them better.
Now I'm upset with myself because I couldn't save their accounts and at this point we've lost the only footing we had to them. Social Media is a curse.
-
I hate dual boot, it might seem strange, but those 13 seconds it takes to shut down the pc, turn it on, select linux on grub (well, Windows broke my grub, so I actually have to use a modified version made to avoid windows 10 trying to make my computer "not mine") and type my password are the reason I'm starting to get lazy...
And there's more! The time between the on button press and the moment I can start working on linux is something between 3 and 4 seconds, not too much, and it takes less than 2 seconds to shutdown, it's not a problem, on the other hand, windows takes 20 seconds to boot, and after typing my account details, I have to wait almost 5 minutes before I can play (285 second on average)...
Sooooooo... Garbagedos is there only for games, I don't have any tool but notepad++ (hate it) and a lua ide for modding, I'd like to format everything and make a gpu passthrough, but I have an i5 quadcore, I don't know if that's enough 😥
-
Seriously getty images, what is wrong with you. Usually it is bad enough that sign in forms say username or email and then only accept one of those two options. Getty images only allows for the username, so i enter that. Doesn't work. I use the forgot password function, have to enter username and email, doesn't work. Turns out the username is the email address and what I entered was only the display name. Seriously, how stupid is that? What is the point of a username when you have a separate display name and just set it to the account email address?
-
I managed to remember some old Bitwarden (password manager service, I remember that linuxxx recommended me this one a looong time ago) credentials, so I logged in. I found an old devRant account - not my first though (I deleted it).
I've been a random lurker all this time (this is the first dev community I've been and I'm not planning to leave it until it dies), and it's good to login just to give my 2 cents.
I love you all. Seriously. I love you all with every single bit of my heart (get it?), impartially. Thanks for existing.
Here's an interrupted "caramelCase posted a new rant!"; it's actually longer but a wild guy ++'d my comment.
p.s: seeing my avatar, I don't use c++ anymore. I've just grown with Python haha
-
rants[0] =
"tl;dr: the account creation process at salesforce.com is really flawed.
In a lecture we were supposed to try out different CRM tools, one of them was salesforce. They are the worlds largest CRM software provider - not relevant for the rant, but it means they should have enough $$$ and competence to make something better.
When you create your account, you do not set a password. Instead they send you an email with a link, serving both as account activation and for setting your password. However, if you close the tab without setting a password, your account is still activated and the link in the email won't work anymore.
Alright, rather annoying, but that's why you can reset your password via email, right? Wrong. When you try to reset your password, they prompt you with a security question. Even when you never set them up. And obviously can't give the right answer. Who designed this logic?
On top of that, they nicely tell you to contact your sys admin if you are still having issues. My account is private. Not associated with any company.
So yeah, burned 3 emails until I figured that out and created 3 accounts I can never access again.";
-
I happened to purchase a multi currency card as I was preparing to travel abroad. I enquired a few non tech friends of mine about a bunch of providers/lenders and I got a consistent suggestion of how company XXX is safe and user friendly. I took a leap of faith and went with them, since I didn't have any time left to do my own research.
Met the vendor, loaded some money and all is well. At least so far.
I went to their website to create an account for checking my balance and to do a bunch of stuff online.
Nothing unusual so far.
I fill up the new user register page. At the end I get a message which says "SUCCESS" and asks me to check my email.
VOILA!
I have an email with my user id, password and security questions in CLEAR TEXT sitting in my inbox.
Good job XXX.
-
Worst coding mistake was a typo when I first started. it was on an arcade site I made and as long as you had the user's email the typo made it where you didn't need the password to login to an account. luckily it was a free arcade I made to learn from
-
You know what's worse than having to come up with a new password every time you create an account? Forgetting your password every time you try to log in!
I swear, it's like my brain has a selective memory when it comes to passwords. I can remember every lyric to a song from 10 years ago, but I can't remember the password I created yesterday.
And don't even get me started on password manager software. You would think that having all of your passwords stored in one place would make things easier, but nope. I've forgotten my password for my password manager so many times that I'm starting to think I need a password manager for my password manager.
But seriously, why do we even need passwords in the first place? Why isn’t there an easier one stone kills all solution to all these password authentication nonsense?
I could remember when it was all letters, then forced to use letters + numbers…
then later forced to include symbols…
and then forced to make it lengthier…
and then solve puzzles after getting it right…
and after all the stress now we are forced to find nemo from a set of images.
I thought the misery would end there but nope. Now some platform forces 2FA like dude seriously?
For God’s sake we built self driving cars already! Why can’t one just exist without a password? Why do we always end up in a password cycle?
And please don’t say shit about oauth because if your password master (i.e: google) fucks you in the ass then all your oauth accounts are gone for good!
I'm currently having an existential crisis about the meaning of passwords in our modern society. Shit is crazy when I ponder about it I get worried.
-
Bought fucking nvidia gpu to test speed of some fucking machine learning models that generate speech.
6 hours wasted already for installing fucking dependencies
cuda, fucking tensorflow gpu, bezel and other shit
Fucking resetting password to download deb with cudnn,
really ??????? fucking emails are not delivered to my fucking mailbox
After mass click of send email and multiple account ban and unban I figured out I should login to nvidia website and then allow access to fucking developer every time I want to log in there - fuck shit
Uninstalling everything now looking for fucking compatible versions between software.
10 years in this business still fucking installation of dependencies is most difficult part
Fucking corporate business and their shitty installation instructions to fuck up peoples lives and switch them to the cloud.
Same was with fucking kubernetes
Fucking software dependency hell
It’s worse than ever before.
Fuck ....
-
When Github deletes your account because you've used "Malicious Code" in a private repo. (Chrome Password Reader).
-
Frak Yahoo!
Son of a duck!
Why don't you just let me delete my account?!
>Sign In
>Please change your password
*changes password*
>Sign In
>We sent a code to your recovery email
*Signs in with the code*
>Oops, can't load your emails temporarily
(And the first and only email it loads is "Find your right life partner!")
*On a quest to find the hidden treasure of the Delete Account link*
?
>Read this before you delete your account
>Continue to terminate your account
*Delete*
>Oops, can't delete your account for some reason, try again later
*Nothing else works on the page*
*One link works - Cancel*
>Sign In to Delete your account
>>Repeat
Trucking motherduck!
Why is deleting accounts such a hard thing to do?
-
This is the story of probably the least secure CMS ever, at least for the size of its consumer base. I ran into this many years ago, before I knew anything about how websites work, and the CMS doesn't exist anymore, so I can't really investigate why everything behaved so strangely, but it was strange.
This CMS was a kind of blog platform, except only specially authorised users could view it. It also included hosting. I was helping my friend set it up, and it basically involved sending everybody who was authorized an email with a link to create an account.
The first thing my friend got complaints about was the strange password system. The website had two password boxes, with a limit of (I think) 5 characters each. So when creating an account we recommended people simply insert the first 5 characters in the first box, and the rest in the second. I can not really think of a good explanation for this system, except maybe a shitty way to make sure passwords are at least 5 characters? Anyway, since this website was insecure the password was emailed to you after the account was created. This is not yet the WTF part.
The CMS forced sidebar with navigation, it also showed the currently logged in users. Except for being unreadable due to a colorful background image, there were many strange behaviors. The sidebar would generally stay even when navigating to external websites. Some internal links would open a second identical sidebar right next to the third. Now, I think that the issue was the main content was in an iframe with the sidebar outside it, but I didn't know about iframes back then.
So far, we had mostly tested on my friend's computer, which was logged in as the blog administrator. At some point, we tried testing with a different account. However, the behavior of sidebars was even stranger now. Now internal links that had previously opened a second, identical sidebar opened a sidebar slightly different from the first: One where the administrator was logged in.
We experimented somewhat, and found that by clicking links in the second sidebar, we could, with only the login of a random user, change and edit all the settings of the site. Further investigation revealed these urls had an ending like ?user=administrator2J8KZV98YT where administrator was my friend's username. We weren't sure of the exact meaning of the random digits at the end, maybe a hash of the password?
Despite my advice, my friend decided to keep using this CMS. There was also a proper way to do internal links instead of copying the address bar, and he put a warning up not to copy links to on the homepage. Only when the CMS shut down did he finally switch to a system where formatting a link wrong could give anybody admin access.
-
So I received an email from IEEE with my account credentials in plaintext and properly labelled as username and password.
-
I think after 3 months of lockdown my colleagues transformed into 🥝 or something
Yeah here's the new account
No password for it in database
This prevents from updating password
I just about had it with these fucking amateurs, good thing payday is near, I need a shitload of more drugs for motivational purposes -
today I forgot to check the balance of my prepaid sim card. (it was < 2€)
I just received a notification from google that payment for devrant++ has been rejected.
F*uck!
I recharge my sim with paypal.
but google play is still in error.
"add a different payment method"
fine.
I choose to add paypal....
*type username*
*type password*
*processing*
"your paypal account can be added because it's blocked; contact paypal."
wtf? I used paypal 10mins ago.
*login using paypal app*
everything works.
ok fuck you google.
as soon i will solve this issue i will restore the ++ subscription.
(if it will be disabled) -
Let's see:
No archival of data on a database server with over 5000 high profile customers using no encryption whatsoever with telnet open on LAN, every user on the same account in the office using the company's name as the password... But hey there are security cameras! -
Tell client we need to add an hour to the budget to test, QA, and proof account/password emails to be sent to over 2000 customers.
They say they tested it and to send now.
Charge them for an additional four hours to test, QA, and proof apology emails because client's api was sending broken passwords. -
It feels so good having a second e-mail address just for all those shitty sites where you need to create an account only to use it like once. A burner password is also a thing for such sites.
-
So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.
We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using a username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.
So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.
“I don’t think this will be very secure”
Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.
We go back and forth and I said I’ll get it checked with security just to keep him happy.
The issue mainly is well we can’t implement password resets due to 100s of users not having an email on their account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.
Updated the tickets. All dandy.
Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.
Eventually we want to have the user reset their passwords and login using their email and someone goes ahead and does that. Not to mention the security risk.
Jesus Christ I wonder why I bother sometimes. -
Just wanted to buy a gift for my gf, so I went to birchbox.fr to buy her a 3 months subscription (irrelevant information).
So of course I needed to create an account in order to buy it.
But what a surprise when I received a confirmation email, with my password in PLAIN TEXT inside. I guess I do really love her for not cancelling the gift and deleting my account immediately. -
I believe my friend's Instagram account got hijacked. When I clicked on the provoking message - I get a prompt asking for my password. Has anyone seen this bullshit before?
-
About a month ago, one billion Yahoo accounts have been compromised. Today I received two emails from yahoo in my gmail accounts, they were saying that my yahoo password has been changed and my recovery email has been removed (+ a lot of warning emails of old accounts of forum and games that were receiving unknown accesses, but nvm). In the email which informed me about the recovery, I saw a link that would have allowed me to restore the old account, but before clicking I thought "Wait! I had like 10 yahoo accounts. What account am I saving?" I check, I read, I read again, but nothing, no information about it in the text. Never mind, there's a link. This link will be related to a specific account. Right? Wrong. I click, it sends me in a generic page. The link is mute. I attach a screenshot, you can see where the link points in the left-bottom corner. So now I know that one of my accounts has been hacked, I don't know WHICH account has been hacked and I'm not able to recover my account. Luckily it wasn't my main inbox!
-
I can't stress this enough: Fuck Workday as an ATS. Nobody wants to create a new Workday account with a new password for every company that they want to apply to. Like which moron PM at Workday thought this was a good idea? Not to mention Workday's terrible resume parser, which requires you to essentially manually enter your entire resume because the parser only picks up the first word of each job description on your resume (and even then it puts that one word in the wrong field.)
-
Someone didn’t properly set the httpcookies domain for our staging and production websites. Yep, this was a C#/.NET site. The cookie domain for the staging site was set to the production domain instead of the staging domain (which was a subdomain). So if someone logged into the staging admin, that would also grant them access to production admin if they also had an account in the production site.
The staging site technically had an additional login to enter the site, but the username and password weren’t too hard to guess. It was like that for years until I was hired to be an in-house dev (the role was previously outsourced to a software development company).
The admin side of the website wasn’t very sophisticated. But there was enough personal identifying info for a hacker to do something with.
I don’t know how they weren’t hacked yet. Honestly, I’d tell my employer to go back to that software agency and ask for a refund and cite the shoddy work. -
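The cookie scoping behind the rant above, as an added example that is not part of the original post or that site's code: a small JavaScript model of RFC 6265 domain matching, showing which hosts receive a cookie depending on its Domain attribute. The host names (example.com and its subdomains) and the cookie name are constructed placeholders.

```javascript
// Added example: models which hosts a browser sends a cookie to (RFC 6265).
// Host names and the cookie name are constructed placeholders.
const HOSTS = ["example.com", "www.example.com", "staging.example.com"];

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two
// are identical, or the host ends with "." + domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// How a browser stores a cookie received from originHost.
// No Domain attribute -> host-only cookie, returned to that exact host only.
// Real browsers also refuse public suffixes such as "com"; not modelled here.
function storeCookie(originHost, name, domainAttr) {
  if (!domainAttr) {
    return { name, domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only set cookies for a domain that it domain-matches itself.
  if (!domainMatches(originHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatches(host, cookie.domain);
}

// Every host in `hosts` that would receive the cookie on a request.
function cookieReach(originHost, domainAttr, hosts = HOSTS) {
  const cookie = storeCookie(originHost, "AdminAuth", domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

const cases = [
  ["staging sets Domain=example.com (the misconfiguration)", "staging.example.com", "example.com"],
  ["staging sets no Domain (host-only)", "staging.example.com", undefined],
  ["staging sets Domain=staging.example.com", "staging.example.com", "staging.example.com"],
  ["production sets Domain=example.com", "example.com", "example.com"],
  ["production sets no Domain (host-only)", "example.com", undefined],
];
for (const [label, origin, attr] of cases) {
  console.log(label + " -> " + (cookieReach(origin, attr).join(", ") || "nowhere"));
}
```

The fourth case shows the reverse direction: a production cookie scoped to the parent domain is also sent to the staging subdomain, so host-only cookies (or the `__Host-` name prefix, which forbids a Domain attribute) keep the two environments apart.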
Yo meta sign out my instagram, so I sign in back realising I logged into some random god knows who account. I logged out.
But when I login again. The app says I have to login to the other account.
So I thought maybe I reset password might help. No, the reset password page is shit, they say they will send me an email and sms but it never arrives.
Ref https://twitter.com/johnmelodyme/... -
Yeah, so when you create an account just about anywhere nowadays, you need to choose a strong password. Fair enough. But then, some sites/services/systems require a second password, sort of a password hint as an extra security for retrieving your first password in case you forget it. Well OK... That hint question just becomes very *in*secure when you must choose from some extremely stupid presets like "In which town were you born?" or "What was your mother's maiden name?", all of which are trivia that for most people can be easily googled, or looked up on facebook ffs. And these "in which town did this or that happen?" questions? As there is only one town in my country it's not a long shot that I was born in Mariehamn, met my partner in Mariehamn and had my first job in Mariehamn. Security questions for imbeciles.
-
I understand the desire to self host repos. I get it. I really do. But this is the 14th self hosted gitlab account I've had to set up. =/ My password manager will start complaining to me soon.
-
This is not a developer-related rant, but honestly, I'm annoyed, and this felt like the best place to vent.
My Twitter account has been suspended/restricted. I can still log in, but I can't tweet, follow people, anything.
No reason was given to me at all for my restriction, other than an automated reply when I attempted to appeal it stating they suspected my account of being hacked - an account I hadn't used in about a month, has a randomly generated 12 character password and has 2FA.
Here's the thing - I didn't grow up with Twitter, I've never really taken an interest in it, I only have my account to post dev stuff now and then as I know some other devs do - It felt like a good place to easily log what I'm currently working on and show off my work that I was proud of.
There aren't any other platforms I know of where I can do that, other than here (but my work consists of things that are also not dev related, so...)
I have no idea if I will get my Twitter account back; it's been over a week now since I attempted to appeal it with absolutely no response.
If anyone knows decent platforms where I can share my work and progress (dev, art, level design, etc.) and can use it sort of like a dev blog, I would greatly appreciate it. -
You know what really grinds my gears? Products that have no right of linking your data to an online platform.
Case in point: Password Managers. Nearly all of them work only with an account on a given service, have the passwords stored on their servers and so on and so forth. There is 0 transparency and for that matter 0 security. I found my choice, though it infuriates me terribly.
Another thing are budget managers. The switch for YNAB from local to on servers really annoys me. They should have no business in storing my very private data on their server. I don't understand people using it either. -
Holy shit. Do NOT open a Wells Fargo banking account. On top of their ridiculous password limitations, your password is NOT CASE SENSITIVE. I tested. Caps lock, no caps, a mix, it doesn't matter.
More info on the password limitations at my other rant https://devrant.io/rants/905148/... -
I once had a team member who was a self-proclaimed technology expert. He was even interviewed on national TV for his opinions on telecoms, net neutrality and the ITC sector in our humble island.
This guy, for several months, probably to this day, cannot figure out how to set his password for his company Gmail account. He could never figure how to use Google drive, docs or any of the most basic tools.
He has no training in any development practices or languages. He did history in college and didn't even finish, but.....somehow he was able to watch half of an HTML tutorial online and then land himself a remote web dev job earning $45 USD/hr!!!!! I still don't know how he did that.
I am three parts upset, one part in awe of how far he has gotten just by talking to people. -
Today one of the users complained to me that my account has been hacked and someone is using it. I asked how can you say that then he replied "Whenever I hit enter after typing the password, it's getting extended !"
I was like - "Please kill me!" -
So... there is a bank. And the website for example is using "https". Alright. But the Login consists of your login ID (in most cases your account number) and a Pin number (only 5 chars). If I remember pentesting, crunch etc., a pin or password with 5 chars (special characters included) is fast hackable or not? Or is it super secure cuz of the "https"?
-
Which one is less risky and which one is most profitable to succeed?
0- telling the admin you forgot your password and as he's logging in, sniff his password (you already placed sslstrip)
1- gain access to router using its vulnerabilities and redirect the traffic to a fake page and get the password.
2- exploiting smb port of admin's system and placing a keylogger or stealing his cookies if available
3- brute forcing admin password :/
4- pressing forgot password on admin account and staying close to him and sniff the SMS containing the otp using rtl-sdr (and of course you will be prompted to set a new password)
5- any other way .
Also the website itself is almost secure.
It is using iis 8.5 and windows server 2012
Only open ports are 80 and 443. -
What's the point of the Gmail API if you can do all of its functions with IMAP or POP3 and not have to have user login oauth, just account and password?
I wanted to read a company email account for certain emails related to our tickets. No one actually accesses this account, and the tool is without a GUI. As such, I can't use the Gmail API. I just remembered there must be a more ordinary way to do this because how does Outlook and other email software work? So python import imaplib and I was done in a few minutes. -
My father lost his password of his google account =_= TFA need phone number ... but the phone is locked ... cannot format the phone because of FRP ... technology is so shit these days...
-
Honestly my biggest rant in the past month hasn't been about code, It's about Windows 10 changing my desktop password to my Microsoft Account. I have certain security pet peeves and it just screams "telemetry"...
-
My first #hack is that I once opened my friend's account on my computer using the Google recovery question which he kept as his favorite sport. Once in I changed the password and informed him that his account was hacked.. lol you should see his face. Later I told him he put his recovery question to be hard to be guessed.... lol I think he learnt the lesson the hard way... well after that I got to know about internet ethical rules and there ends the matter
-
Hey @dfox
I am unable to login or reset password on my original account @dr-ant
I tried resetting password but I never get the password reset email.
Can you please help?
I logged into BitBucket, opened my repo, and clicked on my Trello board. Why did I have to log into my Trello board? Trello is now connected to your Atlassian account, I got an email about it. It's the same username/password. It exists. They know it does, because they're the ones that told me. Create a token and pass it to Trello for me so that I don't have to log in. It isn't all that difficult. I can hear you now: "What if they have a different Trello account they want to log into because...{reasons}?" Then you can have a handy little "Switch Account" button or something that will log them out, log them into their new account, and display that data. One button push for them, no buttons for the rest of us.
-
So I changed my FB account password and it gave me email notification with an ip address. And then when I logged in it gave me another notification email with a different IP address this time. Should I be concerned about my network security? This is just SO ANNOYING!!!
-
I've been working here for a little under a month and keep hearing about them not remembering passwords, or not being able to access something due to a rarely used forgotten password, so I decided to set up a shared password manager for the team using keepass and a generic intranet setup, pulled a password csv from one random on the floor person's chrome to start with. Turns out they ALL sync data from the owner's account, and the owner's saved passwords include HER payroll login info, and the accounts for ebay, amazon, etsy, basically anywhere you can buy anything....
yeah I think this is gonna need to be a conversation with her soon. -
I can't recall what platform it was, but upon trying to change my password it would tell me that the new password was too similar to the previous one... :/
-
Someone earlier today posted a rant about a credit card security conference sending them account details with a plain text password in an email. The password appeared to be a 1 use temporary password that the user would change on first login. Assuming one does not actually store plain text passwords, what is the downside to a single use password vs. a single use link to set a new password?
-
Approx. 24 hours ago I proceeded to use MEGA NZ to download a file. It's something I've done before. I have an account with them.
This is part of the email I received from MEGA NZ following the download: "
zemenwambuis2015@gmail.com
YOUR MEGA ACCOUNT HAS BEEN LOCKED FOR YOUR SAFETY; WE SUSPECT THAT YOU ARE USING THE SAME PASSWORD FOR YOUR MEGA ACCOUNT AS FOR OTHER SERVICES, AND THAT AT LEAST ONE OF THESE OTHER SERVICES HAS SUFFERED A DATA BREACH.
While MEGA remains secure, many big players have suffered a data breach (e.g. yahoo.com, dropbox.com, linkedin.com, adobe.com, myspace.com, tumblr.com, last.fm, snapchat.com, ashleymadison.com - check haveibeenpwned.com/PwnedWebsites for details), exposing millions of users who have used the same password on multiple services to credential stuffers (https://en.wikipedia.org/wiki/...). Your password leaked and is now being used by bad actors to log into your accounts, including, but not limited to, your MEGA account.
To unlock your MEGA account, please follow the link below. You will be required to change your account password - please use a strong password that you have not used anywhere else. We also recommend you change the passwords you have used on other services to strong, unique passwords. Do not ever reuse a password.
Verify my email
Didn’t work? Copy the link below into your web browser:
https://mega.nz//...
To prevent this from happening in the future, use a strong and unique password. Please also make sure you do not lose your password, otherwise you will lose access to your data; MEGA strongly recommends the use of a password manager. For more info on best security practices see: https://mega.nz/security
Best regards,
— Team MEGA
Mega Limited 2020."
Who in their right mind is going to believe something like that that's worded so poorly.
Can anybody shed some light on this latest bit of MEGA's fuckery?
Thank you very much. -
You have email address and password for accessing it. Have you ever used same email and password for signing up for some account on web, and asked yourself can someone from that web use your password to access your email?
-
Thank God for Authy app!
Lost phone and was able to get all my 2FA accounts linked up in seconds.
That would have been a logistical nightmare given that all my accounts are 2fa.
I can see it now
Enter username: xyz
Enter password: abc
Enter 2fa code: dangit
Lost or recover account
Enter phone number: dangit -
hey, so i have recently started learning about node js and express based backend development.
can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?
like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :
- authenticate user : login/signup, session expire, oauth 2 based login/signup, multi account login, role based access, forgot password, reset password, otp login, etc
- authorise user : jwt token authentication, ip whitelisting, ssl pinning, cors, certificate based authentication, etc
- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc
followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc
----
these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.
so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .
apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.