Me: *Watching a movie*

Main Character: "Oh no, we have to hack the CIA to figure out how this machine works! Hacker girl, do the stuff"

Hacker Girl: "Consider it done!"

Hacker Girl: *Opens Linux bash*

Hacker Girl: *types 'mkdir Hack_CIA'

Hacker Girl: "They have two-factor authentication in place, this is going to be a hard one."

Hacker Girl: *Types 'cd Hack_CIA'*

Hacker Girl: "I'm in!"

Me: "..."

Friend: "Wow, so well done, so realistic!"

Me: *Dies*

Two factor authentication atrocities 😍😍

My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.

For the record, user levels were normal user, general admin and super admin (he was the only super admin).

Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.

Then I started.

Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.

Explained him where he went wrong and he wrote a patch under my guidance 😃.

That felt so fucking awesome.

(sensitive parts censored)

Friend: Hey, can you hack my (some website) account?
Me: Depends... What's your username?
Friend: (tells username)
Me: (clicks forgot password?)
Friend: I will give $10 if you do it. There is 2 factor authentication enabled.
Me: (silence) Ok.
Website: Please type the class number you were in in 4th grade.
Me: Hey, did you graduated BLAH elementary school?
Friend: Yeah.
Me: Ahh, I remember. You moved to BLAH elementary school in what grade?
Friend: 4
Me: Hmmm, I don't remember seeing you. What class were you in?
Friend: 5
Me: Well, I now remember. Stupid me. (smirks)
Friend: Haha. (continues to play games beside me)
Me: (Types in 8)
Website: We sent you a password to blah@example.com
Me: (uhh, heads to example.com and clicks forget password?)
Email: Please type the class number you were in in 4th grade.
Me: (wtf is this, types 8)
Email: Please type the teacher's name when you were in in 4th grade.
Me: What was the teacher's name?
Friend: Huh?
Me: When you were in 4th grade.
Friend: Ahh! John Smith.
Me: Ahh, he was strict, right?
Friend: Yeah (continues to play games again)
Me: (Types in John Smith)
Email: Set a new password.
Me: (Types "youaresostupid")
Email: Done!
Me: (copies PLAIN TEXT password from email, logs in to website)
Me: Da-da!
Friend: (gasps)
Me: Money plz~
Friend: Nope.
Me: (wtf, then remembers i changed his email password) Fine then.

=====================

1. There is 2 factor authentication enabled. : Got it?
2. The website sent plaintext password.
3. He is just pure idiot.
4. I didn't got the money.
5. I am now a h4x0r

** The most hilarious authentication implementation I've ever seen **

They stored password in cleartext, but never mind, this is sadly quite common.
For some reasons credentials were also case insensitive (maybe to avoid silly tickets from CAPS LOCK lovers?).

Then I had a look to the query executed during the login:
SELECT * FROM users WHERE username LIKE ? AND password LIKE ?;

So I tried logging in with user "admin" and password "%"... and it worked!
I laughed all the day.

So my friend has two-step authentication for his smartphone.

Now he is not able to find his phone.

So, he tried to find his phone by logging into his google account via Android Device Manager.

Now, it is asking for the authentication pin which is in his phone.😂

He just got deadlocked.

Happened a few weeks ago but still awesome.

Me and a good friend have a website together but we don't monitor it too much.
He studied with me in the same class but went towards frontend/apps where I chose backend/servers/security. He knows how to do basic Linux stuff but that's about it.

We were at a party when he noticed that our site was offline. Walked over to me (because I manage the server) to notify me so I could look into it said I'd look into it (phone):
*visits site: nothing*
*online dig tool: got the server ip*
*remembered this one didn't have pubkey authentication - after three passwords attempts I'm in*

"service apache2 status"
*service doesn't exist*
*right, migrated this one from Apache to nginx....*
"history"
*ah, an nginx restart probably suffices...*
"service nginx restart"

BAM, site is reachable again.

*god damnit, lets encrypt cert expired...*
"history"
*sees command with certbot and our domain both in one*
"!892"
*20 seconds later: success message*
*service nginx reload*

BAM, site works securely again.

"Yo mate, check the site again"

Mate: 😶 w-w-what? *checks site and his watch* you started less than two minutes ago...?
Me: yeah..?
Mate: 😶 now this is why YOU manage our server and I don't 😐

His face was fucking gold. It wasn't that difficult for me (I do this daily) but to him, I was a God at that moment.

Awesome moment 😊

I wrote a Student Information system for my midterm project back in 94 written in Clipper and runs on MS-DOS.

I demoed & explained to the panel of professors how it tracks enrollments, payments, class schedules, grades and attendance of each and every student. Has user authentication, auditing and reporting functionalities.
It has a lite version also written in Clipper that can be installed on a Professor's laptop so that he/she can update records even at home, and would be able to sync with the db at school via a BBS. Telix for DOS (self-taught) was my choice for the BBS as it was shareware, has built-in Zmodem support and comes with it's own programming language called SALT (Script Application Language for Telix) that can be used for automating tasks. The lite version of my project would dump the updates on an ASCII file, compress the file using PKZIP, use the laptop's modem to dial-up the number to the school's BBS and send the file across using Zmodem protocol.
The main version would then download the file(s) from the BBS and proceed to do a sync.

After the doing the demo and answering all their questions the panel asked me to wait outside the room, called me back in after 15mins and told me that I don't have to attend that class for the remainder of the term. The happiness as the my classmates outside of the room gawked at me felt like King Midas himself gave my balls his golden touch.

Then in 97, 2yrs after I graduated, I accompanied my cousins to a different campus of the same school for their enrollment and right there on the bottom of the screen were my initials on a very very familiar UI! They actually used, and were still using, my school project. Needless to say my cousins didn't believe that it was written by me.

*Facebook Hackers follow the Rules*
(real story)

TL;DR: sorry, not available, can't do spoilers

One night I was with a group of friends out at a pub. A guy and his girlfriend show up, I didn't know them but they were my friend's friends.

The girl kept bragging the whole time about his boyfriend being a professional programmer, trying to remind it to everybody whenever possible (don't ask me why!).

So, after a while, the discussion moves towards "suspect Facebook activities" and the guy starts saying that he can hack Facebook.

- "What do you mean?", I ask.
- "Hacking into other people's accounts, even with 2 factor authentication. I did it a lot of times"
- "Wait, and they don't notice?"
- "Of course not! ^_^ He's a hacker", the girl replies.

Ok, time to do a coming out.

- "Hey, I'm a developer myself. Can you give me an idea of what you did in technical terms? Did you find a vulnerability? Used a virus? Maybe a keylogger?"
- "No... Uh... Well... The secret is to read the terms of service"
- "What?"
- "Yes... yes it's all in the facebook terms of service..."
- "Uhm, I'm not really sure I'm following. Could you prove it by hacking my Facebook account? I'm giving you the permission".

In less than a minute the discussion flew completely away and they never mentioned computers again.

😂😂

Use biometric authentication

This is not really a rant, but...dude.

I was browsing github for a suitable library when i found a test repo of someone. A script inside and at the top he wrote his authentication token. I first thought it was a placeholder or an example or a test he used. No. I entered the token and could control his instance of the app. I sent him a message to disable this token.

I get that fingerprint authentication is very convenient but I'd never use it (not even for privacy reasons that much).

When someone guesses/gets your password you can just say "alright let's change my password"

Imagine that with fingerprints: "yeah sure let me change my fingers"

😆

I work at a small retail store and we have quite a few regular customers who know I'm studying computer science because I'm always coding at work on my laptop.

One lady who comes in quite often and is very sweet asked me if I would take a look at her phone. She said she bought it and paid the owner of a phone repair store to set it up for her, but was felt like he did something weird to it. I told her I wasn't an expert but would look at it.

Oh my god. This guy set up her phone connected to his own personal icloud account. All of his music was on there. All of his contacts were on there. All of his pictures were on there. Even nude pictures of multiple people that this lady said she definitely does not know. I tell her this is very very wrong and no one in their right mind should've set her phone up this way.

I automatically think to factory reset. I'm unfamiliar with iPhone, as the last time I used one was an iPhone4 many years ago. I was unaware that apple applies an authentication lock when the phone is reset.
The authentication is set up underneath yet ANOTHER email address that belongs to this guy, as this lady promised me she has no knowledge of any email address similar to the one listed, nor does she have access to it.

I tell her to call the guy and ask for her money back and to unlock her phone so that she can reset it herself.

He claims that he cannot accept refunds if a factory reset has been performed.

Uhm, I am calling SOOOOO much bullshit. There should be absolutely no reason why the owner of the phone cannot factory reset it. The owner should be able to do ANYTHING she wants with it, without being locked out of it because some creep at a repair store did NOT DO HIS JOB CORRECTLY AND HE KNOWS IT. Why else would he claim he can't refund if it's been reset, because he KNOWS she got locked out.

So long story short I talked on the phone with him and cussed him out telling him he was wrong for taking advantage of someone who doesn't know much about technology and that he was invading privacy and violating her security and that i would report him if he didn't fully refund her and unlock her phone.

He gave her all of her money back, unlocked the phone (which she is deciding to sell because she got so scared by this), and I'm still filing a complaint against this man and his store. Who knows how many more clueless people he did this too. Fucking scumbag.

So I had my exams recently and I thought I'd post some of the most hacky shit I've done there over here. One thing to keep in mind, I'm a backender so I always have to hack my way around frontend!

- Had a user level authentication library which fucked up for some reason so I literally made an array with all pages and user levels allowed so I pretty much had a hardcoded user level authentication feature/function. Hey, it worked!

- CSS. Gave every page a hight of 110 percent because that made sure that you couldn't see part of the white background under the 'background' picture. Used !important about everywhere but it worked :P.

- Completey forgot (stress, time pressure etc) to make the user ID's auto incremented. 'Fixed' that by randomly generating a user id and really hoping during every registration that that user ID did not exist in the database already. Was dirty as fuck but hey it worked!

- My 'client' insisted on using Windows server.Although I wouldn't even mind using it for once, I'd never worked with it before so that would have been fucked for me. Next to that fact, you could hear swearing from about everyone who had to use Windows server in that room, even the die hard windows users rather had linux servers. So, I just told a lot of stuff about security, stability etc and actually making half of all that shit up and my client was like 'good idea, let's go for linux server then!'. Saved myself there big time.

- CHMOD'd everything 777. It just worked that way and I was in too much time pressure to spend time on that!

- Had to use VMWare instead of VirtulBox which always fucks up for me and this time it did again. Windows 10 enjoyed corrupting the virtual network adapters after every reboot of my host so I had to re-create the whole adapter about 20 times again (and removing it again) in order to get it to work. Even the administrator had no fucking clue why that was happening.

- Used project_1.0.zip etc for version control :P.

Yup, fun times!

Protecting credentials from eavesdropping using HTTP Basic Authorization header:

"Do you have 2 factor auth for the database?"
a customer asked. I stared on the wall in front of me and suddenly fel and urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Dont you know what it is? To make the database more secure."

I was fucking right, this person reads to much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get alot of messages if it is going to send you one every time a query is made."
The following 7 seconds was dead silent until I heard the person hang up.

Me: *Installs travis*

Dev: oh what's travis?

Me: it's a continuous integration tool I wanna setup.

Dev: ... contin.... ?

Me: continuous integration, a tool that performs builds.

Dev: ah!, is it the new version of that deprecated tool we were using "client access"?

Me: ... no ... that's an authentication service that generates and stores oauth tokens. This is the continuous integration tool I told you about yesterday (and last week and the week before).

Dev: ... contin....

Me: ... con ........ continuous integration. It listens to branches on GitHub, downloads, builds, tests and then deploys the code.

Dev: ah ok ok, cool.

I would bet my monthly fucking salary he can not repeat what I said, tell me what oauth is, or explain what he's working on at the minute.

Jesus at this rate I'd bet my salary he can't tell me my name.

Client asked for Two Factor Authentication as a part of the webapp we're building and then were confused as to why they needed a second password to login

"we don't want to add an extra step into the login process, can you remove it please"

fml

Look, PHPVirtualbox, i love you and all and you've worked very well for me for ages.

But, when I see the authentication is successful and you receive an 'OK', YOU'RE NOT SUPPOSED TO THROW A FUCKING "USERNAME OR PASSWORD WRONG" ERROR.

YOU'RE SUPPOSED TO LET ME FUCKING THROUGH.

MOTHERFUCKER.

Wow... Captchas are getting better!

Tonight I want to try to setup an openvpn server with mysql based authentication because I'd love to somehow setup/become a vpn provider.

Of course there's a huge ass legal part but let's first make sure I know the technology of the top of my head!

Just ranting this out because I'm excited 😊

Worst legacy experience...

Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.

Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.

The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.

Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).

!security

(Less a rant; more just annoyance)

The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.

The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄

Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)

I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.

But it's friday, so I must unfortunately wait. :<

Honest speaks😜

Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: " You know, the current standard for REST API authentication and authorisation"
Client: " What's REST?"
*Hungs up*

I can add two-factor authentication to GitHub, but my online banking password must have EXACTLY 5 characters...

After a few hours, I think I just got mysql based openvpn authentication working O_o

Fucking yay! Now let's implement a maximum amount of connections per user.

Yes, rants can be happy too.

One day with a lot of hours trying later:

Got an OpenVPN server running from scratch and can (still have to write the actual authentication code) accept or refuse clients through a php script ran from a bash script with a username and password.

Fuck yeah!

Authentication feature was only checking the length of the auth header instead of the actual content. I abused this to make a request to our API from inside our system with a junk header, so we were basically hacking ourselves...

Especially painful being a cybersecurity engineer;

Did something wrong with an if-statement.

Caused authentication to break completely; anyone could login as any user.

Was fixed veeeeeeery quickly 😅 (yes, was already live)

"So you need access to the test server?"
Me:"Yes"
"Please fill these 800000000 forms,sign here,get your blood sample,your ID ,your right kidney,letter of approval from your boss,...."

Fuuuuuuuck!!!! I just want to change only 3 lines of code!!!!!!

- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.

A moment of silence, please.

Dev checked in code (I suspect purposely not inviting me on the code review invite) saying he "fixed" the authentication bug in the web service.

Um no, like I told you last week, the authentication error is because the load balancer wasn't passing the user's authentication to IIS.

If I didn't overhear him telling a user "Still getting the error? I don't know, we might have to re-write that service", he might have gotten away with it.

Me: "Wait, that doesn't sound right. If I hit the server directly, authentication works. Its an issue with the load balancer, not the service"
Dev: "Admin said the load balancer is fine and it has to be the service."
Me: "I don't buy it. IIS is returning the authentication error, not the service."
Dev: "I added exception handling and nothing is being logged. Must be something in the service configuration."
Me: "No, IIS performs the authentication, not the service. I explained that last week, remember?"
Dev: "Oh yea. What changes do we need to make to the service?"
<my blood pressure starts to spike>
Me: "None. Give me a sec.."
<we have other apps on the same server farm that work just fine, so I re-configure the service pool settings to match theirs>
Me: "See, now going through the load balancer, the service works fine. For some reason, the admin had our service set up differently."
Dev: "OK, I'll let the users know the service is fixed."
Me: "Service was never broke and I'm not leaving it in its current state. In the morning I'll talk to the admin and see what he can do to fix."

I used PHPMailer to send emails to a client's website user. SMTP host is smtp.gmail.com.

web was hosted on Bluehost. I found out that mailer was not working. I enabled verbose output and to my surprise I found out that Bluehost was intercepting my mail and responding with

220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail

when i was explicitly using smtp.gmail.com. Not only they were intercepting but also They were trying my credentials against its own smtp server and then showing me that authentication failed.

When i contacted chat they asked me to tell last 4 characters of Bluehost account password to verify ownership.

Dude do they have passwords in plaintext.🤔

Recovering a legacy Gmail account after receiving a notice of a blocked login.

*Tries to remember the bloody password*
*Actually remembers it*

> Sorry your password isn't enough. Your father's phone number that you used a decade ago can be used for verification though!

Google, let's get this straight. Things have changed. I know the fucking phone number and yes I can enter it, and out of sheer stupidity I did send an authentication code his way. Unfortunately however, things have changed in 10 years. I can instantly kill the fucker on the spot if I were to meet him ever again. Do you think that I'm going to get that fucking code?!

> Oh but you can try to email the code to the very account that you're trying to recover, despite the fact that you know the password for it.

TO THE FUCKING SAME ACCOUNT THAT I'M RECOVERING.

Must've taken a true genius to code that in!!!

I really have this fucking love/hate relationship with application security.

For a lot of stuff that I write, user input has to be validated, authentication is required and so on and I do love looking into that, pentesting my own applications to death and thinking about the security architecture of the application itself.

But, sometimes, I just want to focus on the fucking features and then it annoys the living hell out of me that securing an application can take so much time and brain power.

Yay and grrrr, I guess.

I gave resignation so am on my last weeks. The top priority is suddenly an authentication service that is completely unfamiliar, proprietary, requires me to RTFM, and requires contact with a slothful vendor about details for our specific instance. Can you do it on a 10 day deadline?

“Are you sure this wouldn’t be a better fit for someone that has implemented this authentication system before? Someone with existing relationships with contacts that manage the authentication service? Maybe I should be the one transferring my understanding of the other 60k lines of code that I singlehandedly wrote? I’m starting from zero here. Maybe it would be good for the guy who isn’t leaving to do this one so that he can retain the knowledge of the authentication system for next time you need to implement it?”

They just plug their ears now because they clearly don’t trust me due to my resignation state. Just do it. Wow.

So there is this new rule in my class...

"No cellphones in the classroom.. they stay in your locker"

Everyone in the class starts trying to negotiate so that they can still text...

I am like sitting at my desk thinking:

How am I supposed to use 2fa??

So.. ya that proves that I have different priorities than everyone else..

Anyways.. how am I supposed to use 2 factor authentication????

Any suggestions?

Is there an Android Wear app or something?

What's the point of using a framework if you don't use any of its features!? What the heck, I have to fix this damn web frontend that is so broken in many ways.

Instead of using an authentication middleware, every single view has the same block of code to check if a user is authenticated. Instead of templates, they used static HTML/JavaScript files and they passed data to pages through cookies.

The "REST" API is so messed up, nothing is resource-oriented, HTTP methods are chosen randomly as well as status codes. They are returning "412 Precondition Failed" instead of a plain simple "401 Unauthorized" when you're not authenticated! What the hell, did they even bother to check what 412 is about when they copied and pasted it from a crappy website!? I would never come up with 412, not even in my scariest nightmare.

What kind of drugs were they using when they wrote such code? Oh dear, I need a vacation...

The 5 whys

So.. we cant deploy

Why? > We had to take our deployment tool offline
Why? > Because random people from the internet started deployments
Why? > Because we had no authentication and so it was publicly available
Why? > Boss said auth was no priority (we told him every day)
Why? > ¯\_(ツ)_/¯

Unaware that this had been occurring for while, DBA manager walks into our cube area:

DBAMgr-Scott: "DBA-Kelly told me you still having problems connecting to the new staging servers?"
Dev-Carl: "Yea, still getting access denied. Same problem we've been having for a couple of weeks"
DBAMgr-Scott: "Damn it, I hate you. I got to have Kelly working with data warehouse project. I guess I've got to start working on fixing this problem."
Dev-Carl: "Ha ha..sorry. I've checked everything. Its definitely something on the sql server side."
DBAMgr-Scott: "I guess my day is shot. I've got to talk to the network admin, when I get back, lets put our heads together and figure this out."
<Scott leaves>
Me: "A permissions issue on staging? All my stuff is working fine and been working fine for a long while."
Dev-Carl: "Yea, there is nothing different about any of the other environments."
Me: "That doesn't sound right. What's the error?"
Dev-Carl: "Permissions"
Me: "No, the actual exception, never mind, I'll look it up in Splunk."
<in about 30 seconds, I find the actual exception, Win32Exception: Access is denied in OpenSqlFileStream, a little google-fu and .. >
Me: "Is the service using Windows authentication or SQL authentication?"
Dev-Carl: "SQL authentication."
Me: "Switch it to windows authentication"
<Dev-Carl changes authentication...service works like a charm>
Dev-Carl: "OMG, it worked! We've been working on this problem for almost two weeks and it only took you 30 seconds."
Me: "Now that it works, and the service had been working, what changed?"
Dev-Carl: "Oh..look at that, Dev-Jake changed the connection string two weeks ago. Weird. Thanks for your help."
<My brain is screaming "YOU NEVER THOUGHT TO LOOK FOR WHAT CHANGED!!!"
Me: "I'm happy I could help."

Today I'm going to work on my side project that I haven't touched in weeks.

I want to utilize Angular 2 which means I'll need to learn TypeScript. I also want to use the new .Net Core and EF Core 1.0. Oh and I want to handle authentication using JWT!

Wow, that's gonna be a lot of effort to get things off the ground... maybe instead I'll use this time to learn some new concepts. Maybe watch this episode of Fun Fun Function, or maybe this video on writing Assembly code for an app on Raspberry Pi, that sounds cool!

Actually, you know I should really teach myself dependency injection and unit testing for once. I'm so behind the times.

Well, really I should finish this book on design patterns first. Ok, where did I leave off? Page 20 I think... ehh... maybe I'll just work on my side project.

Tomorrow... tomorrow, I'll work on my side project.

Question regarding implementing two factor authentication.

I want to implement 2FA for at least one service I'm writing but I'm wondering, next to email, what services/implementations could I use?

I know that email isn't the best when it comes to security but I also don't want to force (a-technical) users to install an app specifically for 2FA so keeping email as an option as well.

But except for email, any ideas? Anything related to Google/facebook (prism integrated services) are a no go anyways (this has, as mentioned before, nothing to do with my ego or giving myself 'a pat on the back')

As for costs, I don't mind a little bit of money but the service will be free at first and I'm not rich :)

Looking forward to the comments!

A true genius:

try to set up key authentication on my pi

reload OpenSSH while 2000km away from it

Why nobody uses public/private key authentication for ssh and disable password auth?

Am I the only one around here doing this?

When you want to unsubscribe from a newsletter and it requires you to login.... WHY?!

Why did I miss my turn while driving ? I was dreaming about authentication strategies in micro services.

I had some voucher codes for a website, which a worth a night at a hotel of your choice. This website has a function to check, whether your voucher codes are still valid. Because the website got stuck, i opened the dev console in firefox to find the reason. I found something different: behind the check function was an GET service. Very simple thing, without authentication or flood protection. So i built a python script and brute forced that thing. After a couple of hours, i had round about 20 valid codes. So i wrote to the support team and they were really glad about this. They fixed this within 2 weeks and gave me some amazon gift codes and an job offer. That was my badass moment. Very interesting, that a medium sized, international company could have so simple security issues.

PM ordered me to not use encryption for customer authentication links because we want to be able so send same link if the user loose it. "we have to prioritize usability over security". At least I can tell future hackers it's not my fault..

By heavens creating your own api server with the Go standard lib is so easy it should be fucking criminal.

Now....on to add authentication and a nice frontend stack(prob React) to make it all spiffy and show it to my manager and see if she lets me put this shit to use at work.

It will make it more interesting. It took me nearly 1 hour to get what I needed from the docs, build it using the net package first(das right babe, pure TCP) and just a couple of minutes more for net/http and boom. Ferching info and shit left and right

Man I love this shit. Wish I could do this for a living. Stuck fucking around with css, Java and php at work instead ;____;

The worst project is the one I am currently working on. I didn’t build it but have to manage it, because... Reasons.

The projects is made on Core PHP(red flag right there).
But when I dig in I get to see there is no authentication used in any of the REST service. Yup. What's the fucking point of login if you are just going to update profiles based on user_id you Twat! The querying used is simply mysql_query (I have to say I expected that).
No relationships defined in the Mysql table structure. No migrations.
There is an upload feature which is forcing the image to be saved as jpeg, therby corrupting the images being saved on the server.
No security, terrible logic, no classes, terrible architecture.

And I am the chosen one to maintain this shit!

Truely, FML!!!

Ok wtf? How is it that I can give myself admin access to almost any Apple computer just by turning it on, holding down two keys, and then removing one file called “.AppleSetupDone”, without any kind of authentication? And I get access to all of the data on the device too. Within two minutes of having physical access to the computer.

This is a company with millions of devices in use, why is this even possible? And the only way to prevent it is to have a firmware password, which, by the way, is not a default option...are you serious

Something strange just happened, activated Fail2ban on another server and instantly blocked me when I already had ssh session open >_>

Does macOS terminal keep on sending ssh authentication requests? Or is my OpenVPN that keeps on sending requests.

Why does this keep on happening to me T_T

I've just noticed an app review that I've given and would fit right into the wk123 (that's the insult one, right?).

"Biggest pile of junk that I've ever seen. You have one job! To register the fucking phone number (which you could get with Phone permission) and verify it (which you can do with the SMS permission) and you should either have the user do that once upon installation or you automate it entirely so that it can run in the background! You can fully automate this, and it's not that complicated that it needs 10 whole seconds of loading time in between! Heck, this pile of crap can't even continue into the main view after entering the verification code! You haven't published the source code (and maybe that's for the best) but if it was, I'd probably immediately get cancer by viewing your crappy spaghetti code. Dear developer, please take a step back and (re)join the PC tech support guys. You have no place in the development world."

To top it all off, that app currently only needs phone permission to verify my number (at least they've done that much). So I figured, I've already gone through that authentication flow so let's remove that permission to abide by the principle of least privilege.

Except that the fucking crapp just goes through the "requires phone permission" shit again whenever that permission removal happens. Fucking piece of garbage!!! That such spaghetti code fuckers even have a job, it boggles my mind.

Not me but my friend was so fucking worried when I shown him a security breach website he made for his company.

So that's how it went: We were talking about programming and stuff and we came to authentication logic. We were both still at college and both noob programmers.
He told me he didn't use sessions because they suck server memory and he found this neat thing called "cookies". He explained them to me and I was like "holy fuck"... I asked him to show me the website and login to any account.
I opened chrome devtools and took a. look at the stored cookies. There was only one: userId, stored as a plain number straight from db primary key.

You guys should see his face when I changed the cookie values and was, all of sudden, using his website as a. completely different user.
I explained some stuff to him like database stored sessions or encrypted cookies and he told me he'd fix that shit up first thing in the next day.

Me : I should start building user authentication system.
inner self : there are enough free and secure ones out there, just go read the documentation.
Me : fuck I'm not reading 10000 pages of documentation written in alien language.
inner self : well then you better start building
Me : **writes code
Inner self : you better add the data validation and security while coding
Me : I just want it to work !
Me after a few days trying not to suicide : the site is hacked, the code is bugged, hello darkness my friend

Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!

I sat there giggling dramatically for a while.

>Get password vom dev.
>Try to connect to MongoDB.
>Had some changes in how to connect because of Kubernetes and stuff.
>Always get authentication error.
>copy password again
>stop and restart portforwarding
>wait almost 1,5h (was lunchtime) for DevOps guy
>sit next to him and ask for help
>he unhides the password and deletes two spaces...

fml

And also permission denied and Authentication error 😠

Worst coding mistake: forget to remove print statement that prints user authentication details.

THE FUCK WHY did the company which made the website I'm maintaining now ADD CUSTOM FACEBOOK LIKES AND TWITTER FOLLOWER WIDGETS - IN A SUBDIRECTORY OF THE THEME?

Guess what, you motherfuckers: One year after you made that damn page the Facebook API changed and your stinking widget is broken REQUIRING ME TO REWRITE MOST OF IT!

Also WHO THE FUCK LEFT HIS BRAIN ON HIS BEDSIDE TABLE the day he decided to HARDCODE ASSETS WITH AN http:// (no tls) URL? YES, browsers will block that shift if the website itself is delivered over tls, because it's a GAPING SECURITY HOLE!

People who sells websites that have user management and thus request authentication without AT LEAST OFFERING FUCKING STANDARD TLS SHOUD BE TARRED AND FEATHERED AND THEN PUT IN A PILLORY IN FRONT OF @ALEXDELARGE'S HOUSE!

Maybe I should be a bit more thankful - I mean I get payed to fix their incompetence. But what kind of doctor is thankful for the broken bones of his patient?

Coolest thing I’ve built solo?

Damn, there’s been a lot of things over the years, but I guess the most used one I’ve made would be my voice activated tv remote - yes it’s real.

So in essence it’s a google home... yea I know spyware and all, but look it was free so I’m going to make use of it... err where was I, oh yea.

An IFTTT account which taps into the google assistant API and creates a webhook, although the authentication side of things is 0 to none, so had to put a api-key into the requests to at least have some layer of auth.

This webhook then hits a raspberry pi containing a PHP API to accept and authenticate the request in, digest this into KEY commands for the TV, and drops this into a Python script to connect to the TV over a web socket connection ( I found python more stable for this ) and sends the pre made key requests, it can even do multiple keys at a time... that was a pain.

So after all that, the end game becomes about a second from saying “hey google, change the tv channel to xxx”

This sick and twisted contraption is finished and the tv is my little bitch.

This has been built out to handle channels by name, number, volume up/down, sources switching to hdmi, tv, vga and a bunch of other things.

The things we do when we can’t find a tv remote for days....

Next up, getting it to launch Netflix app and going to a specified show / episode.. but may be to adventurous.

Apple is now forcing 2 factor authentication for publishing apps on the App Store. Except not just regular 2 factor, 2 factor via AppleId. Which means you have to have the AppleID on 2 different Apple devices! You now have to have a Mac and another Apple device to ship an app and you still have to pay $100/yr for the license.

Hell I usually like Apple stuff but this has gone so fucking far off the rails.

Don't you just hate where we're going forward with these different JS frameworks and packages? WebPack, Electron and all the other ways we try to use JS for desktop development and a simple build of a tiny project taking 10 mins on an average spec core i7 machine, then overdosing on npm install since every frikn thing is now so modular you donwload a gazillion packages just to set up user authentication with a simple route manager in your app.

JavaScript is fine really for certain purposes. It's these other frameworks that try to modularize every single aspect of it that sucks. If there's anything called too modular, JS has reached it now. over-modularizing, and over-complicating everyday trivial tasks just to introduce yet another frikn package or framework.

Really missing the good'ol monolithic days of programming. I mean, modular is fine bro, but for godsakes draw the line somewhere!
#NoMoreOneLineModules

We have a portal which uses Windows Integrated auth that lists out all off our internal sites.

Navigating to any of these produces a URL like the one in the attached image.

Turns out all our internal application use a base64 encoded email address in the query string as the means of authentication.

So, anyone can authenticate themselves as another employee within the company by simply changing the query param value to said employees email address.

Fucking nuts.

Fuck you Amazon.
Fuck your two factor authentication.
Fuck your PINs over SMS that take 1 hour to arrive.
Fuck you.

2 factor authentication 😁

I once found a MongoDB cluster open to the internet with no authentication with nearly a terabyte of data that backed a CRM service whose customers included Microsoft and Adobe to name a few.

Once upon a time, in a proprietary e-commerce framework used by few hundred sites...

I just took over a project where the previous developer stored password in two separate fields.

password & password_visible

First was encrypted and used for authentication. Second was plaintext password and was shown in the admin panel.

Hope to meet this god someday, I'd sure ask why the hell did he use encrypted password for authentication anyway. 😂

Someone ask to me as a security engineer.

Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?

One day, I spoke to my team which yubi or nitro key to get.

Senior (s) : but what do you need it for?
Me (m) : for encryption. And securing our password managers. Stuff, I guess.
S : encryption is not gonna be a thing. It hasn't and it won't.
M : *leaves*

I've been so baffled I couldn't cope with the situation.
A few weeks later I left the company. There were too many of such people and those products.

My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved on related topics.🤤
Last time I asked same question, someone gave me link, and it all about DIY welding metal tubes into a security door.🤦‍♂️
Any better suggestion?

Friend of mine created a blog from scratch... You could create a post, by just sending a POST request (no authentication required!)....
As an additional bonus: you could dump full unfiltered HTML in a post, which was then executed...

Please kill me

Friend asked if I have ever built authentication using PHP and SQL...

Feel like sending links for them to research how instead of having me build it for them.

Teach a man to fish...?

Well on my last full-time job, that ware using cookies for authentication (not something new, eh?). The thing is, you see, the cookies had the 'accountId' which if you change to another number, kaboom you're that account, oh but that was not all, there was an option to mark the account type in there 'accountType', which was kind of obvious in VLE (virtual learning environment), 'Teacher', 'Student', 'Manager' put what of those values and boom you are that role for the session

Thing was open of SQL injection from the login form, from said cookies and form every part you can pass input to it, when I raised the question to my TL he said 'no one is going to know about thatt, I don't see what is the problem', then escalated to higher management 'oh well speak to *tl_guy*'

Oh and bonus points for it being written in ASP CLASSIC in 2014+ (I was supposed to rewrite, but ended up patching ASP code and writing components in PHP)

In 2015-2016, in a private college, charging kind-of big money per year

This is what I get for not putting authentication on the contact form on my portfolio...

Call it like you see it:

TF30063 : You have been fired quietly, or the Microsoft authentication system is down (again.)

Read a blog post at work yesterday from the company head of IT security. Line 1:
As part of our company policy we enforce the use of usernames and passwords, known as two factor authentication. However we also need to ensure.....

Stopped listening at this point as I hit Google to confirm the definition of two factor auth.

Nope I'm not loosing my mind, the blog post is insane....

Okay, just because I like the OS, doesn't mean that I fully condone Apple.

They now have a constant notification that won't go away unless I enable two factor authentication. But here's the problem: I LIVE IN A PLACE WITH NO CELL SERVICE.

Also, I don't want to recieve a notification every time I open up my laptop!

Apple, why the fuck do you think I encrypt my data? So my disk is secure! I fucking can't have my phone on me all the time, I am not a goddamn teenage white girl! (I am a weeb developer)

Am I allowed to use an API from the government that they do not have publicly documented or explicitly said anyone can use BUT don't have any authentication on it?

"How do we share access to two-factor authentication."

What you mean is "how do we defeat the purpose of multi-factor authentication."

Don't bother programming anything for us. We'll never use it. (I work at an IT help desk Technician at a school and this was from the IT director)

They now use 3 of my projects (one SSO authentication, another issue tracker, and the other inventory)

Might be more of a self-rant.. We’re developing an application with token-based authentication.
It’s a big an complex authentication model and flow, which we wrapped up a month ago. All of us very proud of it.

All of a sudden none of it worked.
We debugged for days, there were no errors or anything to trace what was happening.

Today we realized that we set the expiration of the token to 20 years.
Aaaand the expiration time is later on converted to epoch.

Guess what happens when you try to use a value > 2 147 483 647 in C#? Stuff blows up, cuz that’s the limit of an int32.

So yeah, feels good having prepared for the Y2K38 bug already, even though we’ll be replaced by AI writing better software than my dumb ass by then.

(To be fair, it was hidden in Microsoft Owin, which could use some error handling and/or proper messages..)

TL;DR - the doctor is a lazy cunt and I hope he steps on a lego.

We’ve got a user authentication portal for all the users in our network. Well, we have it set to where you can only have two active log ins on two different machines, anything else will give the error message “you need to log out elsewhere” or whatever it is...
This god damn doctor has been told to log out several times and still calls us to ask why it’s “not working”.

I just received a call because the lazy cock sucker didn’t want to walk from the clinic to the hospital to sign out, are you fucking kidding me you lazy fucking ass hole? It’s not my job to be your mother fucking slave dude, get the fuck up and do it yourself!

I’ll take a lot of shit from anyone but when you refuse to retain the information to preform your job and want someone else to do it because you’re too fucking lazy, that’s when we’ve got problems.

I hope you step on a fucking LEGO.

I’m heavily medicated so if this doesn’t make sense I... don’t care.

For fuck sake ... please make sure the logged in user is actually fucking authorized to see that orders info!! Very few things I hate more than being able to change the OrderID parameter in a URL and see somebody else’s order information.

Slack is cool and all... But do we really have to have an "account per team" ? Damn I cringed so hard when I was setting up two-factor authentication and realized it was this way... Wtf...

Fuck Apple Two-Factor Authentication.

I am a developer with multiple accounts and this two-factor authentication is a fucking joke! I spoke to this idiot on the line who told me that I had to create an administrator on my computer to login to a developer account of mine. I hung up the phone and told her to "Fuck Off"

It's a fucking waste of time. Apple has not had an innovation since Steve Jobs died; each upgrade does nothing new compared with the last one. What's new things are there between 10.14 and 10.8??? Nothing. Except it's a lot fucking slower.

The Instagram API sucks a Lot.

Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?

Fucking piece of shit

Currently working on my first real REST api and I've arrived at the authentication part.

I'm not sure how to do this one, the client will have to login using username/password but then, what's the most conventional way of authentication logged in users through a REST api? (no oauth (yet))

This should be usable for anything like ajax requests to calls from the backend to curl requests.

Looking forward to ideas!

Sign in with Apple...

* Nobody tells you that a app group can consist of a maximum of 6 apps.
* Nobody tells you that suddenly a key id is needed for constructing the signing key for signing the client_secret when other keys are added in the dev portal.
* Apple gives you email and name only (and i mean only) the first time a customer uses Sign In With Apple.
* You have no chance to reset your user during development in a way to try a fresh auth. So either create separate app ids or separate apple ids.

Sounds like fun, right?

@dfox could we get double authentication for devrant?

Not only did my boss insist on setting up roles and permissions for our app how he designed them, even after I spent 4 or 5 hours trying to convince him to let me do it differently, but he has now fucked our entire system.

Under this model of roles and permissions you cannot enforce them on the backend by any means, and now we have a service dealing with users including resetting passwords and changing details that does not use authentication. That's right, aurhe tocation and not even talking about authorization now. Good job.

I honestly wish companies like this would get hacked and fucked over as soon as they did it wrong because I can't believe how retarded some people are.

I am turning 16 in 3 months and I want to start freelancing then. I want to earn money and get some experience .

I will still go to school until I have my a levels so I can go to university later.

Do you have any advice for an absolute freelancing beginner? I will probably make websites with HTML and CSS (of course, what the hell else) and react. Nodejs and mongodb for the Backend.

What should I do in these 3 months to prepare myself?

I want to build a portfolio website and learn more about node, especially how to do safe authentication in these 3 months, anything else? Also which websites would you recommend me?

I sent my app to one of my lecturers(female). She opened it and it said "Login with Facebook". I had integrated FB login just like other apps for authentication. She thought that I was playing some trick on her to hack her facebook account and refused to continue...
Where to run, where to hide... 😂
After all, the login dialog was of facebook's itself and nothing else.

How does one hack a 2fa authentication?

Someone just guessed my 20+ character one time password on Microsoft 🤔 2 factor authentication and Geo IP checking are definitely good features.

Well, time to change all my passwords.

Scrape the Twitter frontend API without any authentication and restriction.

If your website has a login wall, my visceral reaction is to close the tab. After that, my rational reaction is to close the closed tab. Because fuck you.

Client asked us to modify site made in some obscure CMS. Authentication on AJAX request is done by sending email and password as plaintext in header and then it would do md5 on server side

It is a good idea to only use services that allow 2 factor authentication?

I started programming when I was 14, because I was deeply enrooted in MMORPG hacking communities. It gave me an escape from real life, and I felt empowered by the skill to create something from nothing. My first language was Lazarus FPC, followed by VB.NET, C#, C++ ( managed and unmanaged non CLR ). As time went on, I found more ways to turn my "hacks" into software, and finally I began selling subscriptions which required me writing an authentication system.

After weeks of research, I began writing my own REST API in PHP using MySQL as my database. At this point I had an IPB forum up and running for a year, but with my newly acquired knowledge I was able to couple my API with my forum software. To properly distribute my API i had to learn NGINX to route my API to a subdomain.

Soon after I began writing my own portal for my authentication system, at which point I had become entirely enveloped in Web Development. I was 17 when I dropped my forum, I'm now 21 and freelancing web app consulting, day job as a QA automation developer.

A friend has a small business and asked me if I could make him a small program. So why not, experience for me and I can help a friend out. (This started in ~mid 2016)

Started out as a WPF desktop application with many weird bugs and slow interface, into crashing the database on AWS (could not connect, could not get a backup). It was just hell and I kind of gave up on fixing it.

I always talked to him and said "yeah, I will do something better soon", but I was procrastinating and kept pushing it away from me. Then one day I said "f*ck it - lets go" and started coding on 2.0:

- WebApp with a complete new architecture (which I learned in the past few months)
- User authentication (JWT)
- ASP.NET Core Backend for web api
- Angular 4 Frontend w/ bootstrap
- Coded in like a week with 3-5 hours each day

Deployed around 6 months ago and he never had a complain. When I visited him I asked "how is your application doing?" - "great. it just works!".

My once most hated project turned into the most successful project in just a few months.

I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.

Just posted a rant that BitBucket gave me a big Internal Server Error

Then I realized one of my extensions was overriding the authentication token (as I configured it to do that for a dashboard) and that was why BitBucket was inaccessible

Why do I keep doing this to myself

Bit of an odd question maybe, but when sending out your CV to a company over email, what would you expect to be written / write in the email itself?

I've got a sysadmin position that I'd really like to apply to, and it seems like I'm ticking all the boxes, however some of the things like SSH authentication (I mean it's fairly basic, isn't it) I haven't mentioned on the CV at all because I feel it's to be assumed. But I'd like to mention it in the email itself along with motivation. Apparently there's this thing called a "motivation letter"? How does that work?

Point is, I could go on all day about these services they ask about and how they already exist in my home lab, but I'm not entirely sure whether I should just keep it brief and just say "here's my CV and there's my number", or go a bit in-depth about it in the mail. Perhaps something in between?

They used strcmp (PHP) on the main server as only form of authentication...

Changing authentication mechanism in SharePoint from windows identity to ADFS identity is stupidly complicated, especially for existing large farms with custom code.

On the plus side - just convinced the director this is stupid - saved myself, himself, and 1000 users a ton of misery.

When the site implements authentication through Facebook, but didn't expect you canceling your Facebook account afterwards.

¯\_(ツ)_/¯

I'm crying

Admin home page secured well, but every CRUD page available without admin authentication on prod environment... for at least 3 weeks

Why doesn't Twitter have a public API without authentication for simple stuff, such as reading tweets. One can do that without logging in on the website, why shouldn't code be able to do it.

Three days after I purchased iPhone XS, I had to install a new modem at home. The phone wouldn’t connect to the wifi network in the higher frequency band. The guy who came to install the modem dished out the theory that the phone must be too damn old to support it. That burn!

PS: it connected almost a couple of seconds later that. As if it was some kind of extra layer of authentication. Well played Apple.

So I recently started a new job and there's a boot camp as part of the on boarding process. I'm new to scala, I have python and golang backend experience.

During the scala session, the CTO shows us some examples and gives us an exercise to create a Todo REST API with user authentication, then goes to a meeting.

He was using a library called "bacon" in one of his examples, so we were busy struggling to get shit to work and googling "how to do x with scala bacon lib" with no results and we finally gave up.

CTO comes back 30 minutes later and wants to see to how far we got, so we ask him about this bacon lib only to find out that it's their own awesome framework. &$!#%

/rant
When you spend longer trying to work out why your background <div> refuses to cover the entire page, than you spent coding an entire user-authentication system in TypeScript for Angular 2.

Steps for making something that works become shitty, gmail and Microsoft edition:

1. Enforce non standards compliant authentication methods because you know client developers will have to bend to your will because you're fucking google
2. Let Microsoft develop a ldap wrapper with web authentication to load when you try to log in with a client.
3. As per usual, the Microsoft azure Authenticator crashes thunderbird immediately. Not even sure how they managed to do that
4. And we have suck.

Oh ffs, just fucking inject a chip into my finger already for authentication purposes, you can track my every fucking move if you so wish. When a web page like twitch uses 2FA it boggles my mind because its a page where you're watching some fucking videos.

"hey there, so out of the blue, we send you a code to your email, we won't tell you which so good luck. Also, you cannot copy paste this code because we did that fucking thing where each character has its own textbox"

Of course, this is only because we are dumb enough to reuse shitty passwords. THIS IS WHY WE CAN'T HAVE NICE THINGS.

I made Skype Bot which queries the data using wsdl authentication on our ticketing tool and send the data whoever has requested in skype itself(without logging or touching the ticketing tool).

Manager: Is that even possible?

Me: (In excitement) Everything is possible if you have the will.

Now, He wants me to work on his pet project. I dont know how to react!

Am I the only developer in existence who's ever dealt with Git on Windows? What a colossal train wreck.

1. Authentication. Since there is no ssh key/git url support on Windows, you have to retype your git credentials Every Stinking Time you push. I thought Git Credential Manager was supposed to save your credentials? And this was impossible over SSH (see below). The previous developer had used an http git URL with his username and password baked in for authentication. I thought that was a horrific idea so I eventually figured out how to use a Bitbucket App password.

2. Permissions errors
In order to commit and push updates, I have to run Git for Windows as Administrator.

3. No SSH for easy git access
Here's where I confess that this is a Windows Server machine running as some form of production. Please don't slaughter me! I am not the server admin.
So, I convinced the server guy to find and install some sort of ssh service for Windows just for the off times we have to make a hot fix in production. (Don't ask, but more common than it should be.)
Sadly, this ssh access is totally useless as the git colors are all messed up, the line wrap length and window size are just weird (seems about 60 characters wide by 25 lines tall) and worse of all I can't commit/push in git via ssh because Permissions. Extremely aggravating.

4. Git on Windows hangs open and locks the index file
Finally, we manage to have Git for Windows hang quite frequently and lock the git index file, meaning that we can't do anything in git (commit, push, pull) without manually quitting these processes from task manager, then browsing to the directory and deleting the .git/index.lock file.

Putting this all together, here's the process for a pull on this production server:
Launch a VNC session to the server. Close multiple popups from different services. Ask Windows to please not "restart to install updates". Launch git for Windows. Run a git pull. If the commits to be pulled involve deleting files, the pull will fail with a permissions error. Realize you forgot to launch as Administrator. Depending on how many files were deleted in the last update, you may need to quit the application and force close the process rather than answer "n" for every "would you like to try again?" file. Relaunch Git as Administrator. Run Git pull. Finally everything works.

At this point, I'd be grateful for any tips, appreciate any sympathy, and understand any hatred. Windows Server is bad. Git on Windows is bad.

I'm in the 7th circle of hell. Building out an authentication system using a 3rd party vendor into our company's application.
Developing in PHP, running inside a docker container, using a Windows PC. Absolutely everything has gone wrong that could go wrong but PHPCS whining about a missing space between the "!" and variable name was the last straw.

Wanna know about hacks? I'll tell you. There is a peace of software called SugarCRM. It has OAuth2 provider implementation. I was assigned to write OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on standard Authentication header. They use custom.
* Hack on "scope". They send null which is standard violation. So it is replaced to empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store user's credentials in memory to be able to reauthenticate user transparently.

My phone suddenly is stuck in a reboot loop.
all solutions did not work (Safemode, Recoverymode etc)

It was time for a new phone.

well... most of my logins have now 2 factor authentication. That got me thinking:

imagine that you lost all your trusted devices in a house fire.
you cannot get in your email because of you need to verify.
you cannot buy stuff online because your phone gets a message.
and in certain cases you cannot even get in your password manager of the same reason.

I know that there are recovery codes and other solutions to this.. oh boy you are F*cked when you don't have your phone.

Everything turned out okay, Sim Card in different phone for messages. And new phone works like a charm :)

I've just bought 3 months sky ticket...
THEY ONLY ALLOW A 4-DIGIT NUMBERS ONLY "PASSWORD"?!?!

IN WHAT YEAR DO THEY LIVE???

AND THEY EVEN SEND IT TO YOU VIA EMAIL ALONGSIDE YOU USERNAME!

I guess their old windows server which handles their authentication would be overcharged when it'd handle real passwords.

So, a new web project came for some small layout changes, nothing to fancy.
It was on the hands of another company and the client didn't want to work with them anymore. Basic Magento with a custom theme.

As I was wondering through files, I found out that the old devs echoed, in ".phtml" files, contents from ".txt" files located in base directory. I was shocked and went forward with it. The core of Magento had tons of this "echo"s. Several minutes later I found out that they "coded" another administration panel besides Magento, that had "authentication" with hard-coded user/pass inside index.php and a session start. That admin panel just rewrote the contents of .txt files using textareas. Why/what/when the fuck..they've forgotten the admin password?!?!!!!

This was like 3-4 years ago.
Worst project i've seen, ever...

Attention guys and gals! If you are using grafana in your home setup, update it asap to 4.6.4 or 5.2.3. versions before those two are affected by an authentication bypass vulnerability. CVE 2018-15727
In the meanwhile, my nginx config is blocking everything but the LAN ips :)

It is time for my own dumbass's favorite pastime: not letting go on retro tech.

I am gonna build a small and complete RESTful web API with Vbscript and Classic ASP with errrthing thrown in this mfker including JWT authentication and i am gonna see how the idea of an ORM goes. I know that COM interop was a thing, dunno if it still is.

I am fucking bored. The graduate degree is killing me and I need a distraction.

Thinking about being a purist and keeping the COM libraries to be made with VB.NET :P

Fuck yeah for being a masochistic retard.

I legit love vb net tho

SO MAD. Hands are shaking after dealing with this awful API for too long. I just sent this to a contact at JP Morgan Chase.

-------------------
Hello [X],
1. I'm having absolutely no luck logging in to this account to check the Order Abstraction service settings. I was able to log in once earlier this morning, but ever since I've received this frustratingly vague "We are currently unable to complete your request" error message (attached). I even switched IP's via a VPN, and was able to get as far as entering the below Identification Code until I got the same message. Has this account been blocked? Password incorrect? What's the issue?

2. I've been researching the Order Abstraction API for hours as well, attempting to defuddle this gem of an API call response:

error=1&message=Authentication+failure....processing+stopped

NOWHERE in the documentation (last updated 14 months ago) is there any reference to this^^ error or any sort of standardized error-handling description whatsoever - unless you count the detailed error codes outlined for the Hosted Payment responses, which this Order Abstraction service completely ignores. Finally, the HTTP response status code from the Abstraction API is "200 OK", signaling that everything is fine and dandy, which is incorrect. The error message indicates there should be a 400-level status code response, such as 401 Unauthorized, 403 Forbidden or at least 400 Bad Request.

Frankly, I am extremely frustrated and tired of working with poorly documented, poorly designed and poorly maintained developer services which fail to follow basic methodology standardized decades ago. Error messages should be clear and descriptive, including HTTP status codes and a parseable response - preferably JSON or XML.
-----

This whole piece of garbage is junk. If you're big enough to own a bank, you're big enough to provide useful error messages to the developers kind enough to attempt to work with you.

Just got handed a dozen servers. Documentation shows a (Linux) database cluster is using ldap authentication. I try logging in with my creds. No joy. I look up the root password and log in.

Not only is it not configured to use ldap, it's also not clustered.

I need more coffee.

Three-factor authentication:
1. Setup an Amazon.com account.
2. Setup an Amazon Web Services account under the same e-mail address
3. Setup two-factor authentication for both systems.
4. Login to Amazon Web Services in a new browser session, and you'll be required to provide BOTH security tokens at login (Amazon.com first, then AWS second.)

So I had been developing a real estate website and developing a MLS feed parser. I had only 1 year experience at that time and parsing a XML feed was already complex enough. On top of it, the client wanted to automate feed download from the MLS provider through HTTP authentication. Managed to do it. Everything worked for 15 days and on 16th day the property location markers stopped appearing on Google maps. Turned out that address to lat-long reverse geocoding was failing because API limit exhausted. My bad, I coded it on view instead of caching the lat-long in database. Fixed it in a day and viola!

I'm sad that StackOverflow is removing OpenID support. I've run my own OpenID server for years, and I've slowly watched support get removed from all the sites I previously used it to login to.

Goodbye open, distributed, authentication standards.

Why TF to I have to authenticate with GPR just to download a *PUBLIC* package??

Why not just use Gradle's *BUILT IN* GitHub package loader? What's the point of this service?!??

-Rant-
How do you (not) secure your Rest based web service?
1. Chain it to shady organic authentication system built by a hoard of monkeys high on Tequila.
2. have secret keys that get copy pasted into config flat files, and index them on your code search engine.
3. make the onboarding extremely platform specific that you need 500 environment variables, 50 scripts, 5 fancy device presses and a tap dance to make a GET call to the service.
4. fish through 500 rotating log files that the authentication system generates for each API call made.
5. Leave traces all over the host so if you have to start over, you should sudo rm -rf / and set fire to your computer.

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

My biggest challenge has been moving away from an unmaintainable Java/Tomcat/Spring Security application server to a Node.js/Express application server. That handles single sign on and two factor authentication. In 2 weeks.

I'm a front end dev. I'm sure it's fine 😓

Started a new job, then I found out that the salary of the person in charge of me has lower/same as I have.

How did I know? I looked at the API without authentication of all the list of employees.

Luckily, I didn't sign the contract yet

We had a project with a web app and an Android app. We split it out, he took the web and I was working on Android. He was very curious to do the project with me and very motivated at the beginning. We agreed on our first module that was user authentication. After some time when I told him that first module of app is ready and asked him on his progress, (When ever we had a talk he pretend like every thing is going fluently, though I continously told him ask for help if needed ) he opened a folder in vs code containing two files "index.html" and "style.css" and showed me the "login & sign up" design he was doing for days. I have no option but to appreciate his work. On that day I created new folder on my machine "web application" and started working.

Is yubikey actually more secure than just super wide public key authentication? I mean cryptographically, let’s ignore the “2 different sources” factor unless that’s literally the only difference

Started up KiTTY to connect to my virtual test server per usual when I couldn't establish a connection.

Nothing too unusual so I do the typical troubleshooting I make sure host, port and authentication is all correct and it is. So now I open the display for the virtual server and start looking at ip info, host info, checking ports and everything is completely fine.

Now I'm getting frustrated so I start running things like configtest in apache, using systemctl to check the services status, even restarting virtualbox in my windows 10 devpc. Still cannot connect!

I start feeling hopeless and just shut everything down, the whole operating system.

*takes breath*

Computer boots up and I start my usual thing of creating workspaces, opening editors, starting servers, etc.

I open KiTTY again and launch my virtual test server..

konicm8ker@VM-UBUNTUSERVER:~$ _

Somethings you just can't fix without a reboot.

Why has authentication of web services to be so fucking complicated?
PAM, OpenID, LDAP, SSO...
Every fucking service supports something different and I have a hard time finding a decent tutorial on LDAP and the likes.

Rebooted a server..
1 hour passed and ping is still failing..
idrac authentication is failing

How the fuck does php type juggleling evaluate an variable as an integer on my system and passing all tests.
Then on the server as string, failing a typesafe comparison for authentication.

I have been trying to wrap my head around authentication in hapi for the last 6 hours...
Fuck this shit... when did simple,
I HAS A USERNAME
I HAS A PASSWORD
CAN HAS SESSION?
become:
- you magically get a token from somewhere
- you magically verify that token
- you respond with { credentials } //magic
- by some fucking black magic the server probably creates a session without you knowing about it...
- you freak out and write your own authentication scheme only to find out that you cannot read payload of POST requests in the authenticate method
- you get angrier and depressed and write a rant

(to be clear: there is @hapi/basic but I don't think sending a GET request with the URL looking like username:password@domain.tld is very safe...)

I feel like a fraud ...
So I recently joined a mobile dev company as an intern
I submitted the application
Got to coding interview passed the coding interview because thank god it was one of the sums i solved on geeks4geeks
Then came then interview did as best i could
Got the acceptance mail in next 10 mins
First day was chill it's work from home thing
Second day they gave me an app a previous intern had already build its layout and authentication code
But it wasn't working so I reported it so they told me to debug it so I found where the problem was occurring
Now I know the problem but i have no idea how to fix it
They gave me assignment to fix the authentication basically it's taking info creating a json and request an API call
But I feel i cant remember the concepts
I can't remember basic meaning of words the other day i forgot what SSID are
I just I don't know shit
And i feel like I'm going to get kicked soon
I don't understand what the previous guy wrote and i don't know how to fix it
Previously i have built my own apps but not like a real world project like this which works in regards to network management basically an wifi portal kind of Authorization application

Company sends email notifying us we'd need to register for two factor authentication because it would be mandatory for all access to email within a week. However, it had to get manager approval and had a side effect of giving us access to work from home (which my manager hates). So, we send the request to him, explain the situation, he denies it and says "that can't be right! Let's do this: if you do in fact lose access to email, then I'll approve it". Well, we did lose it, and just spent two days without any access to email and it was a huge pain to get the registration process done because one of its steps involved getting a validation code from the email.

It's my first rant. So please ++1 me.

Now my rant:

In this semester I had a subject about system architecture. In this class, we must learn Java script, C# (and ASP.NET framework ), PHP (and Zend Framework 2), but in the classes is taught only UML and patterns. In the moodle of the subject we don't have any information about any of the languages and if we ask the teachers they don't know anything.
And we need in 4 weeks do a work with a widget in javascript, 2 Asp.net mvc, 1 asp.net web api. All with authentication.

So we are all fucked

How do you prevent your software being vulnerable to IP address spoofing? Authentication? Certificates? VPN? Nah, just check the MAC address field of every packet. Nobody ever spoofed a MAC address before, that's just impossible. I thought that in binary there were only ones and zeros, but I guess nobody told me about the special tamper-resistant ones and zeros that MAC address fields are made of.

Oh, once you've done that, don't forget to tell the marketing people to put it in a brochure as an "innovation" for everyone to see.

I should post more of the crap the idiots I work "with" (quotes, because I am only here in body not mind) say. Especially when it comes to network stuff.

Get a message from our teammate explaining o auth. First off, I mean come the fuck on. Second I was building our authentication for a fucking week. It's all around slack and the commit messages.

Then again when you don't even check the fucking repo ever, you won't know the progress. Yes, this is the jackass from my last rant. Sweetheart will only be able to be there 15 minutes before class ends today. Obviously, I'm not going as I don't care about the outcome of this shit at all at this point. I have access to the orgs and repos as the creator. Whenever I decide to get some real work done, I'll just ban his bitch ass.

I can't believe this fucker actually tried to explain o auth like he was talking to a child. I wrote back that he can look at the week long discussion we already had about authentication. Fucking idiot.

hmmmmmm let me see.

Web based? lets do web based.

Do something simple like a basic crud app on web api format:
Do it with full authorization and authentication.
Start hard. Do it with pure golang using NOTHING but the std libraries.
Now, do it in a magic mvc framework like Rails or Laravel
Now do it on dotnet core
Now do it in django rest.

Watch the differences in all of them, sell your soul to something and now do it in Clojure. If you do it on a Scheme dialect or on Common Lisp my CMS admin will suck your whatever you have. Dude seems to be pretty good at it, we are trying to keep him from pulling tricks on the street but he insists.

Then add a React client with Typescript to get them basic ass endpoints to display nicely.

It should give you a fuckload of perspective amongst the different tools and way we do things and might make you appreciate the differences in paradigms required(pro points for doing modular in c# dotnetcore using different classlibs for the major points of the application using some crazy pattern like the mediator pattern)

I would hire a mfker that throws all this shit at me on a portfolio on the spot.

So the contract for this big project with a client has some interesting content in it. I'm not sure if I can sign this in good faith.

Because I seem to be lacking guard dogs and a receptionist at my home office. Maybe I could build a force field for them.

And I'm not really looking forward towards having all my friends sign a document every time they visist.

5 PHYSICAL SECURITY
5.1 Adequate physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard Information and information systems.

5.2 Supplier shall have a documented visitor policy and all visitors must be identified, registered, logged, and accompanied by an employee from Supplier.

I recently went to an office to open up a demat account

Manager: so your login and password will be sent to you and then once you login you'll be prompted to change the password

Me: *that's a good idea except that you're sending me the password which could be intercepted* ok

Manager: you'll also be asked to set a security question...

Me: *good step*

Manager: ...which you'll need to answer every time you want to login

Me: *lol what? Maybe that's good but kinda seems unnecessary. Instead you guys could have added two factor authentication* cool

Manager: after every month you'll have to change your password

Me : *nice* that's good

Manager: so what you can do change the password to something and then change it back to what it was. Also to remember it keep it something on your number or some date

Me: what? But why? If you suggest users to change it back to what it was then what is the point of making them change the password in the first place?

Manager: it's so that you don't have to remember so many different passwords

Me: but you don't even need to remember passwords, you can just use softwares like Kaspersky key manager where you can generate a password and use it. Also it's a bad practice if you suggest people who come here to open an account with such methods.

Manager: nothing happens, I'm myself doing that since past several years.

Me: *what a fucking buffoon* no, sir. Trust me that way it gets much easier to get access to your system/account. Also you shouldn't keep your passwords written down like that (there were some password written down on their whiteboard)

Manager: ....ok...so yeah you need sign on these papers and you'll be done

Me:(looking at his face...) Umm..ok

Fucking hell the AWS IAM documentation is confusing as fuck. Trying to set up a fucking role is harder than cutting a rock with a fucking spoon.

And who the fuck thought it would be a good idea to allow a CLI user to run any command he's allowed to without any form of authentication??
Oh, set up MFA for the CLI you say? Good fucking luck with that, if you ever manage to figure out how to set that shit up!
Fuck this shit!

I'm working with a consultant group at my company to implement a new authentication strategy for our entire platform.

The senior dev lead from the consultant group has 25+ years consulting and claims to have written a web browser for the blind and all sorts of in-depth accessibility things.

Stakeholders tell us "Don't forget about accessibility compliance on this project"

Senior dev lead with all this claimed accessibility experience asks me, "What does accessibility mean?"

Dude at work floats the idea of creating separate Github accounts for personal and work for security. My response:

While we're discussing options, we should also consider maintaining a list of users as a CSV^H^H^H MS Excel file, and install an authentication server that runs off the laptop of an "IT Administrator". That way it'll be super secure because hackers cannot access any system outside of working hours, as well as the days that said admin is off from work.

Here some more information to despise Apple.

In the past few weeks I keep having a problem making the iMac connect to whatever website/host, so I had to rerun whatever I had to do: fetching from github, push to github, connecting to a LAN server, pinging to know to IP, accessing a webpage and so on.
Luckily enough, browsers tend to request again if an error occurs.

At my job, I upload app files to servers, like GooglePlay and AppStoreConnect.

For those who don't know, Google makes you upload the app through the browser (among other ways) while Apple requires you to upload your app either through XCode. No other possible ways.

Whenever XCode requires an update, the authentication is required, but the authentication server cannot be reached for at least 5-6 tries.
Then I have to upload the app and just to be ready to hit the "upload button" it takes like 3-4 minutes, which might be completely useless if a network error occurs.

How hard is it to make your fucking app-loader to try again at least a few times?

🔥👽🤘🏻
I've been CRUSHING it lately, so stoked!!!
**Also, this means that in the near future something will crush me because I have a few subjects on deck I need to lock down.

1. Deno

2. TypeScript(deep dive)

3. CPP (currently 75% done with my 2nd masterclass, first one complete)

4. Multi-platform local device storage (Sqflite/mongoDB/shared preferences/Hive)

5. REST/api/requests/json management && application

6. Implementing Firebase authentication using Apple, Twitter, and mobile OTP

7. Cloud functions && server scripting/automation

8. Intro to embedded systems/OS/kernels

9. Steadily improve my code style, design strategies, and build patterns that are team friendly && provide easier code base maintainibilty

10. Influence, teach, and/or spark the interest of someone new to development in any possible- all that matters is getting new people on board, making sure they are stoked about, and last but not least making sure they feel welcome in the community and are able to start off in the right direction.

cheers, ya fockers!!!!

Was recently in a motorcycle accident and haven't been cleared to go back to work yet so I'm trying to build my first Android app.

I don't know Java, XML, kotlin, Android studio, or what the fuck a Gradle is; but I figured I'd take my app idea and download Android studio then try winging everything from there.

Needless to say, I'm having a damn hard time lol. I have been watching firebase tutorials on YouTube to try and figure out how to add authentication to my app. I kinda got it working in the AVD. But my personal Google account has 2FA enabled so I can't seem to get the app to sign me out, or sign me back in. (I was able to authenticate once successfully.)

I have no idea if having 2FA enabled is even the problem. I tried turning on debugging and can't seem to figure out how to actually get the app to debug or get a debug console open.

I seriously feel like the world's biggest n00b right now. Going to go YouTube/Google how to get the debugging working. Then I'm off for a round of learning how to read a debug report!

Hahahaha... Kill me now -_-'

Best debug ever?

Some years ago we had to do a web project as group. It was a cinema like website with backend and front-end.

So in the end we arrived at the presentation and while scrolling the code I found commented out some authentication controls 😅😆 (probably for debug reason lol)
Whatever, meanwhile, while I was talking with the professor two of my mates were whispering... Turns out they found what he mail service wasn't working. And what's best than fix it, push it to the Heroku server and restart all? XD
The professor noticed some little lag in a button and asked "what's happening?"
"oh, nothing we just restarted the server "

One day I helped another teacher with setting up his backend with the currently running Nginx reverse-proxy, peace of cake right?

Then I found out the only person with ssh access was not available, OK then just reset the root password and we're ready to go.

After going through that we vim'd into authorized_keys with the web cli, added his pub key and tried to ssh, no luck. While verifying the key we found out that the web cli had not parsed the key properly and basically fucked up the file entirely.

After some back and forth and trying everything we became grumpy, different browsers didn't help either and even caps lock was inverted for some reason. Eventually I executed plan B and vim'd into the ssh daemon's settings to enable root login and activate password authentication. After all that we could finally use ssh to setup the server.

What an adventure that was 😅

Why the fuck is debit cards that don't need a PIN for transactions even a thing? What is so difficult to understand or implement in a two factor authentication? Like do these companies have meetings where some fucktard proposes removing a crucial security feature and the others just nod approval?

I'm breaking out our authentication logic to a separate OIDC server. It's technically pretty straightforward, but just the thought of moving all those users and making sure that the communication between the system and the auth server works properly makes me shiver...

WHY THE FUCK DO YOU FUCKING RETARDS USE TWO DIFFERENT AUTHENTICATION METHODS FOR THE PAYMENT AND THE CHECKOUT API AND DON'T EVEN DOCUMENT THIS SHIT PROPERLY!! 🖕

I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.

// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)

// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)

Thanks!

EDIT: Maybe some salt for test string would be nice