This one time, a client wanted a complete overhaul of her website.

I asked her for the credentials to the VPS, She gave me some random crap to try, cause clearly the site hadn't been touched since 2003 (and boy was it fugly).

Me: Maam, these aren't the correct details.

She sends in more crap to try...2 days pass with this back and forth.

Client: "contact steve, he should have the login details"

Me: ****Calls Steve *****
Me: "Maam, he says the login details are in your mail"

Client: "well, I don't remember this fact. Steve handled everything.
Hack into the website and then reset it.

The Russians did not need login details to hack into America's system. So please, do what you have to do to get us moving."

No jokes...that was the exact crap that came out of her fingers

1995: Viruses create funny VGA effect
2000: Viruses send SPAM e-mails
2010: Viruses steal credentials
2016: Viruses launch DDoS attacks
2017: Viruses demand ransom
2018: Viruses mine crypto coins

** The most hilarious authentication implementation I've ever seen **

They stored password in cleartext, but never mind, this is sadly quite common.
For some reasons credentials were also case insensitive (maybe to avoid silly tickets from CAPS LOCK lovers?).

Then I had a look to the query executed during the login:
SELECT * FROM users WHERE username LIKE ? AND password LIKE ?;

So I tried logging in with user "admin" and password "%"... and it worked!
I laughed all the day.

One of our customer thought it would be too unsecure to send us his AWS credentials by email. So he printed it and sent it as registered mail to us. The password we received was "hallo123".

Production is down, a coworker got himself locked in his own apartment so he can’t leave and another is late, the phone won’t stop ringing

And I don’t have the credentials to access the production server

Just a monday morning, everything’s fine 🔥😊🔥

Very comforting..

Boss : How do you access code at home ?

Me : Well, Git is fairly accessible from anywhere with the right credentials at hand

Boss : What of you have virus in your system ? Can't the virus infect our NodeJS code ?

Since then, I haven't been able to get out of the mental comatose induced.

Downloaded example code and he left gmail credentials in...

Was at a friends place recently and he asked me to set a new WiFi password. Fair enough!
Me: what's the routers login?
He: Oo. No clue.
*me trying a few combinations*
*hmmm not working let's try one more time*
Router: you have entered the wrong credentials five times. Fill in a new password to regain access!

😵😨😧😱😷😲

So our genius client just posted a photo of our office whiteboard on Facebook with the beta site credentials on it... 🤦‍♂️🤦‍♂️🤦‍♂️

So our public transportation company started to sell tickets online with their brand new fancy​ system.

• You can buy tickets and passes for the price you want
• Passwords are in plaintext
• Communication is through HTTP
• Login state are checked before the password match so you can basically view who is online
• Email password reminders security code can be read from servers response

Oh and I almost forgot admin credentials are FUCKING admin/admin

Who in the fucking name of all gods can commit such idiocracy with a system that would be used by almost millions of people. I hope you will burn in programming hell. Or even worse...

I'm glad I'm having a car and don't have to use that security black hole.

Client: Hi. my SEO guy messed up the website. Its kind of .... you know .... gone. You must have the backup. Please restore

Me (after 10 mins): Done

.............

Client: Hi again. I don't see my changes from yesterday. Why?

Me: Because I had 2 months old backup.

Client: Why?

Me: Because that's the last time I worked on your website. And you changed the credentials later on.

Client: But you're a programmer. You must have had a back door to take back ups.

........

Client: Hello?

Me: It's time to leave earth.

So, i tried to demonstrate my roommate how many people push their credentials to github by searching for "password remove" commits.

I decided to show him the file and noticed something interesting. A public IP, and mysql credentials.

I visit the IP and what do i see there, a directory listening with a python script, with injects the database into a webpage (???) and a log of all http requests. Lots of failed attacks aiming at the PHP CGI. Still wondering how they failed on a python server 🤔🤔🤔

Edit phpmyadmin to connect to the mysql database. Success.

Inserted a row telling him the his password is on github. Maybe i should also have told him how to actually remove it. 😅
Yes, root can login from %

This is how far i can get with my current abilities.
------------------------------

Scary how insecure this world is.

Looking at the database credentials for an application I’m working on.

Dev/QA password: yU$@1zmH91?
Prod password: app123

When your Dad questions your CS credentials because you can't fix his printer.

Client: Let me send you the files needed.
*client sends link to their own Dropbox folder page, not actually sending a shared link*
Me: Uuuhm, the link you've just send is only viewable by your account.
Client: Oh, hold....
Client a bit later: *sends actual Dropbox credentials over email in plain text*

Why.

I know that my coworker can't write a single fucking operable line of code. So I wrote a script that is called everytime someone pushes new commits. If the commits contain the username of my coworker, create a ticket in YouTrack with the Label "Rewrite", and assign it to the files changed.
So I had that running for a longer time, and my dumbfuck of coworker hardcoded the credentials of the server in a networking library. One of the credentials was his username. He then updated the copyright on the whole project(which adds a copyright in the top of every file), also in the included librarys(!). The script had a check if the files are related to the project or just librarys. In the end, he pushed all of that with another account(in fact, a reporter account), which had another name(and didn't even belong him). So the files didn't belong to the project, the script sees his username anyways, the script assigns a rewrite, and in the end, everyone in the team thinks I'm mad because I(the script with my account) assigned a rewrite to a HUGE library.

PS: It was great fun to remove these copyright notices.

Protecting credentials from eavesdropping using HTTP Basic Authorization header:

The craziest shit in my life just happened.

I left my laptop(basically my whole life) and my handbag at my dinner table and went to the the toilet for 4 minutes. I live in a ground-house in a rural area, and the front door wasn't locked.

After I exited the bathroom I noticed eevrything was gone. My laptop, my bags, my wallet. Everything. I panicked.

I quickly informed the local security authority while canceling my credit card and resetting all of my credentials, they with the help of the police they tracked the theives in 10 minutes in a neighboring town, with what it seems all of my stuff intact, which I am supposed to get tommorow.

This is both insane and a miracle. I am speechless and thankful to G-d. This is divine providence. I can't explain it in any other explanation

Watch over your stuff like your life depends on them. Don't ever leave your laptop even for a few minutes.

Oh God NO! Please tell me it is not normal for an Android app cumminacating with a rest API to send my login credentials in a fucking GET request!

*Client phones me at 11pm*
Client: It's not working!!
Me:What's the error you're getting?
Client: "Database connection error"
*Phones system/dB admin*
DB Admin: Yeah we had to change the SQL logins, I've sent you the new ones
*Phones junior dev in charge of dB programming*
Junior Dev: Yeah you'll just have to go and change the credentials. They're in all the places where we're using the dB, just before the statement, in the connection strings...

We make over 470 calls to the DB 😑

First rant, please take pity on the noob! 😐

Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫

Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...

... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.

So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.

Makes you consider the amount of control these big companies have over your life 😶

WHAT DO YOU MEAN INVALID CREDENTIALS.
I JUST LOGGED IN WITH THEM ON YOUR SHITTY FUCKING WEBSITE YOU FUCKING INCOMPETENT PIECE OF WANK.
FUCK YOU YOU ARE THE WORST FUCKING CREDENTIALS SYSTEM I'VE EVER FUCKING SEEN; AND I'VE USED YAHOO

You guys are pissed off whenver you see a mail with plain text password. And here I have clients who couldn't log in even after I shoved the raw and plain credentials up their arses.

I've always been anxious about putting my stuff on GitHub.

However, I did upload a project of mine there.

Thoughs few minutes after uploading it:

"Omg, is anyone judging how bad my code is?"
"I'm sure they will criticize it."
"O shit, I forgot a // TODO in there."
"O shit did I upload my credentials by mistake?"
"Does this commit message sound right?"
"Should I commit more often?"
"Do I commit too often?"

Not exactly a security bug, but there was a company that made a Django app for some internal work and later open sourced it. I was browsing through the code and I saw that the config file had an IP address and a hashed password for the database credentials

When I tried to use them, I was able to login directly to their read replica RDBMS, I had access to all their customer data (including phones & home addresses)
Being the saint I am, I informed them of the ignorance made by their developer and was presented with some cool swag.

I still miss my college days. Our crappy IT Dept restricted internet usage on campus. Each student used to get 10 GB of internet data and they used Cyberoam for login (without HTTPS). 10 GB was so less (at least for me).

Now, thanks to CS50, I learned that HTTP was not secure and somehow you can access login credentials. I spent a night figuring things out and then bam!! Wireshark!!!!

I went to the Central Library and connected using Wireshark. Within a matter of minutes, I got more than 30 user ids and passwords. One of them belonged to a Professor. And guess what, it had unlimited data usage with multiple logins. I felt like I was a millionaire. On my farewell, I calculated how much data I used. It was in TBs.

Lesson: Always secure your URLs.

Colleagues sharing passwords.That was a big fat NO when I was a sysadmin - and for a good reason. But now, since I'm closer to development, it feels like no one really cares about the passwords. If I tell my colleague I'll take 10 minutes more because I can't log in, he OFFERS me his credentials. And sends them over saying "in case you need it". [the next day the same colleague was complaining his account is locked out. Oh, wonders! How on Earth...!]

But seriously, password sharing is a serious problem. I would fire the person on spot if I caught him sharing his credentials! This is the 8th deadly sin! IDC if they are for non-prod. Most people reuse their passwords in multiple systems, and even non-prod envs can bring the prod down! Or worse - install a trojan.

!!pointless story

Bug report comes in from a coworker. "Cloudinary uploads aren't working. I can't sign up new customers."

"I'll look into it" I say.

I go to one of our sites, and lo! No Cloudinary image loads. Well that can't be good.

I check out mobile app -- our only customer-facing platform. None of the images load! Multiple "Oops!" snackbars from 500 errors on every screen / after every action.

"None of our Cloudinary images load, even in the mobile app," I report.

Nobody seems to notice, but they're probably busy.

I go to log into the Cloudinary site, and realize I don't have the credentials.

"What are the Cloudinary credentials, @ceo?" I ask.

I'm met with more silence. I use this opportunity to look through the logs, try different URLs/transforms directly. Oddly, everything seems fine except on our site.

I check Slack again, and see nothing's changed, so I set about trying to guess the credentials.

Let's see... the ceo is basically illiterate when it come to tech, so it's probably not his email. It's a startup, and custom emails for things cost money, and haven't been a thing here forever, so it's probably oen of the CTO's email aliases. he likes dots and full names so that narrows it down. Now for the password.... his are always crappy (so they're "easy to remember") and usually have the abbreviated company name in them. He also likes adding numbers, generally two-digit numbers, and has a thing for 7s and 9s. Mix in some caps, spaces, order...

Took me a few minutes, but I managed to figured it out.

"Nevermind, I guessed them." I reported.

After getting into Cloudinary, I couldn't find anything amiss. Everything looked great. No outage warnings, metrics looked fine, images all loaded. Ex-cto didn't revoke payment or cancel the account.

I checked our app; everything started loading -- albeit slowly.

I checked the aforementioned site; after a few minutes, everything loaded there, too.

Not sure what else to do, and with everything appearing to work, I said "Fixed!" and closed the issue.

About 20 minutes later, the original person said "thanks" -- never did hear anything from the ceo. I've heard him chatting away in the other room the entire time.

Regardless, good thing for crappy passwords, eh?

Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.

I used to work as an all-in-one IT guy in a company. One day I got a call from our HR team and the HR said "my Internet banking account has been hacked! It's logging in automatically!!" So I went to see the issue, and the so called "hack" was because she allowed Mozilla Firefox to save her login credentials, and because of that the login form was automatically filled. Such a stupid ass

Me: Browsing the security of a website.

Tell the website developer that they are using the SHA-1 hashing algorithm for encrypting the credentials of it's registered users.

Them: Yeah, so what?

Me: You shouldn't be using an algorithm which was exploited years ago in the age of 2016.

Them: Don't worry, nothing will happen.

Me: *facepalm*

A recruiter asks for my LinkedIn credentials to save me from the hassle of updating my profile.
Is this the new 'send me your cv in .doc format so I can write whatever I want in there'?
I'm not even looking for a job and I don't know who you are! Fuck off!

Dev gets hold of me, says my service is down in QA. Works if he hits it locally, works via Postman, but via the QA app server it gives a 401.

I’m like, look, if it works everywhere else, there’s something wrong on your side in QA.

He insists, no, I must help him, and begins CCing all the managers telling them this system has been down for days.

So I eventually climb into his system, check the credentials they’re using in the QA environment, and sure enough, the password is wrong.

Craziest deadline I've ever had...

Task: Patch 193 machines
Environment:
- no configuration/patch management
- no knowledge of the machines
- no contact info/application owners

...timeframe...do it today!

Here's the winner...do we have credentials for these machines? Ha, nope.

Worst WTF dev experience? The login process from hell to a well-fortified dev environment at a client's site.
I assume a noob admin found a list of security tips and just went like "all of the above!".

You boot a Linux VM, necessary to connect to their VPN. Why necessary? Because 1) their VPN is so restrictive it has no internet access 2) the VPN connection prevents *your local PC* from accessing the internet as well. Coworkers have been seen bringing in their private laptops just to be able to google stuff.
So you connect via Cisco AnyConnect proprietary bullshit. A standard VPN client won't work. Their system sends you a one-time key via SMS as your password.

Once on their VPN, you start a remote desktop session to their internal "hopping server", which is a Windows server. After logging in with your Windows user credentials, you start a Windows Remote Desktop session *on that hopping server* to *another* Windows server, where you login with yet another set of Windows user credentials. For all these logins you have 30 seconds, otherwise back to step 1.
On that server you open a browser to access their JIRA, GitLab, etc or SSH into the actual dev machines - which AGAIN need yet another set of credentials.

So in total: VM -> VPN + RDP inside VM -> RDP #2 -> Browser/SSH/... -> Final system to work on
Input lag of one to multiple seconds. It was fucking unusable.

Now, the servers were very disconnect-happy to prevent anything "fishy" going on. Sitting at my desk at my company, connected to my company's wifi, was apparently fishy enough to kick me out every 5 to 20 minutes. And that meant starting from step 1 inside the VM again. So, never forget to plugin your network cable.

There's a special place in hell for this admin. And if there isn't, I'll PERSONALLY make the devil create one. Even now that I'm not even working on this any more.

I'm so grateful DevOps is now a thing. I remember getting a phone call from a client at 2am on a Friday because their site was down and having to ssh in from a Nokia with the world's tiniest keyboard to reboot the server.

Of course that particular server only exposed port 22 on it's local network, so I had to first ssh into another server which did have its ssh port open to external connections.

Trying to remember two sets of credentials and type them in on a tiny keyboard, while so drunk you were seeing double, standing outside in the rain as it was the only place you got signal. Yeah…I'm so grateful DevOps is now a thing

I really dont get it when people cry over "when sending password in emails".

Had a customer today that wants us to send credentials on WhatsApp instead because it is "secure" instead of email, because email is insecure... .

One of our internal customers to my team: "We need this new feature to be implemented as soon as possible! It's super urgent!! Work on it asap!! PEOPLE ARE DYING!!"

Us: "Ok, we'll prioritize this feature and deliver it as soon as we can"

Them: "Is it ready yet?"

Them: "Is it ready yet?"

Them: "Is it ready yet?"

Them: "Is it ready yet?"

... One month later ...

Them: "Is it ready yet?"

Us: "We're done! We implemented everything as promised! Please give us your credentials so that we can whitelist you and you can start using the new service"

Them: "Okay, we will get back to you"

... Two months have passed since then and still not a single word from them. I'm starting to wonder: are they still alive? 🤔

I used PHPMailer to send emails to a client's website user. SMTP host is smtp.gmail.com.

web was hosted on Bluehost. I found out that mailer was not working. I enabled verbose output and to my surprise I found out that Bluehost was intercepting my mail and responding with

220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail

when i was explicitly using smtp.gmail.com. Not only they were intercepting but also They were trying my credentials against its own smtp server and then showing me that authentication failed.

When i contacted chat they asked me to tell last 4 characters of Bluehost account password to verify ownership.

Dude do they have passwords in plaintext.🤔

Congratulations to myself. I deployed an app and immediately lost the credentials to the database

So my friend, who owns a restaurant, asked me over 6 months ago, if i could redesign his homepage. I told him "sure why not" and since we're friends i didn't want him to pay me any money.

He told me what his thoughts about the design were and i told him that i needed the menu, some decent pictures of the restaurant, the "about us" story and the credentials to the server.

He didn't know the credentials to his server and i told him to ask the person, who made that page to send me the information i needed, but he kept on saying "could you call her because blah blah". Well, i did but she couldn't give me that info without asking the owner. So i met him and told him "hey i told you so, because it's completely normal not give sensible information to unknown people and besides that she told me to tell you that you should give her a call, because she hasn't got your new phone number". Two months later i got an email with the credentials, but still no menu and no pictures.

Four days ago i made a transition page, because i didn't want to publish the page with stock images and without menu, so i wrote him again whether he wanted design #1 or #2. Got a text at ~21:00 saying "design 2, but you need to publish it at 22:00".

I mean wtf?! He assured me he would call some people he knows to get those things. I told him, that it would be free, because of our friendship, but no support from him and he keeps stressing?! He knows i've got a full-time job and my studies going on, so my time is really limited and he keeps fking around like that?! Man it pisses me really off...

On my first day at work i was given the task to rewrite some code. I pulled the code, started the server and was greeted with a login-page. Instead of asking for credentials i tried good ol' " OR 1=1;#. Instand login, admin account. My boss was baffled, but instead of fixing this he decided other tasks had "higher priority". 3 years later, this still exists. I also heard some client runs the application open on the internet.

Everyone wants security, but some people decide to pull out the bottommost card in the fragile house of cards of security

Jokes aside, this got me thinking html is most used and most successful hacking tool out there.

99.99% of the time it's far easier to socially engineer and phish for existing credentials that scan networks, sniff ports and look for vulnerable versions of software, new vulnerabilities etc.

We (people) are ad always will be a zero day exploit.

Someone called me saying that the system wasnt letting them login.

I walked over to their desk to see that they had the application open with the credentials filled in. I clicked "OK" and what do you know, it logged them in!

SVN commit log for a project folder:

"Remove printing of user and password to log"

I was developing a project that also featured automatic payment to specific sites. I asked for a dummy credit card and he insisted I use the company's credit card. Who would ever want to give a developer actual credit card credentials for development!? I was a junior dev back then. Of course, I failed once. I got told off because I wasted money. My team leader defended me and said this is the risk of having projects with payments. I got proof I asked for a possible sandbox for payment or whatever that will work for development. Almost got fired. Because of that incident, I'm not comfortable working with projects dealing with payment that doesn't have sandboxes.

My wifi was hacked two times last year, so I decided to change the factory credentials. Some months ago a tree fell on top of the cables on the street, cutting my internet connection. I call the ISP and when they get here they say I have no right for costumer support as I have altered my own connection.
WHAT. THE. FUCK
I had to revert the credentials to admin/admin in order get my internet back. These ISPs live in the fucking stone age. How the fuck do they force me to fucking have my router exposed with a fucking "admin/admin".
Fuck them.
I hope some day we have a cable revolution and finally have some rights over the networks we pay for with both tax money and excesive fees with low fucking speeds. Fuck them. Really.

Indian web dev company (during the interview)::
We follow standards

Me:: Hey, can I get the project's github link so that I can fork it, do my tasks, run test cases, push and, make pull request that you can review, run integration test, and finally merge.

Indian web dev company:: What?? Here's the ftp credentials.

Me::

Well on my first job we had to integrate payment gateways in client apps for online payment. On my second week in office I published an app on the play store with payment gateway credentials for a different client cause they were there as default values. So the money for one client would go to the other. Nobody noticed it for two weeks and when they did, I thought I had just lost my job and also I would now have to pay all the losses out of my pocket but fortunately I didn't have to cause no transactions​ had yet been made. After that I always checked my integrations atleast five times before publishing. The incident scared the shit out of me but taught me the value of developer responsibility.

Don't use code comments to list the root-admin credentials for all your servers!!!!!!

I was asked to help with the website of this one club. Their 'IT head' is a business person. I told them no, but they sent me something anyways.

They sent me a zip file of their code
instead of giving me access to their GitHub repo. I then realized that they were using 3-year-old NodeJS and Express to power their static website and doing blog posts as JavaScript modules.

A second part of their architecture which was related to member sign up was horribly broken and also written in Node. I found out that they hard coded credentials to their Google Apps account, despite having the setup to pass it via environment variables.

And now they are worried that their sign up isn't working. Their developer resigned.

They want me to help them fix it within a very small timeframe. So they can use the code to collect membership fees.

This is what happens when you have business people develop code.

I got transferred to a new city at the client location for few months.
I got the credentials for internet access, but I was not able to get internet. I contacted the admin and after troubleshooting it for few minutes, he asked where is Internet Explorer in this laptop?

I immediately understood, why they need me here. I was using a MacBook. 😐

PS: In the end, he gave me the full access without any credential requirements.

The intern pushed their credentials to GitHub...

... again

I feel I am getting paid for getting trolled (you read that right) - I have had now two completely seperate clients, a month apart - paying me hundreds of dollars for "testing".

I have explained both of them atleast for a total of 8 hours why there's "sandbox" accounts and that the "virtual money" is the same as "real money", so later when you go live, it will be the exact same, just without the need of actually testing with actual money.

I even as a last suggestion asked to atleast be developing with $0.01 transactions (to literally not run out of additional money, because of the different packages), but they wanted it to be as "real" as possible.

I work at a place where security is really high when it comes to server access. Today I was in urgent need to get admin access to a server, this is a real pain. Luckily I found an xml in version control containing the credentials for the web application which happens to be an admin account! Lucky me, saved me at least two weeks of waiting to get admin access!

I came across a line of code that calls an sms provider that sends account credentials in the url using HTTP T_T

Client: I can't login with my lastpass
Me: Oh, why not, how are you trying?
Client: So, I've entered my lastpass password into my bank account, and it says 'wrong login credentials'
Me: °-°

Holy fuck nvidia. Why the fuck you want me to login to your fucking app in order to download a fucking driver. You also want me to click a fucking link that you sent to my email for verification on every fucking login? Why on earth someone would stole my fucking nvidia account? To see which drivers I use? What the fuck nvidia? Oh wait. DO YOU DARE ASK ME TO SETUP TWO FACTOR AUTH TO SECURE MY ACCOUNT?!? What the fuck? Even if I put my credentials online no one would care to login my fucking nvidia account. Just let me download my fucking driver!

Hard coded their own credentials in a project repository.

Being rejected as "unprofessional" for explaining that I don't want to rush a decision 2 days before Christmas. By the guy who, I kid you not, showed their EKS credentials on screen during a recorded online interview. Kinda glad I dodged that one now that I'm looking back...

Damn... some dude has his full SSH credentials to his webserver in his published NPM package...
I have to tell him 😅

Whilst I was browsing the university website I came across a directory that allowed directory listings. Amongst all the .pl files was one named something.pl.old. Rather than interpreting the file the web server returned the raw source, including domain credentials for one of the network admins.

Boss slides keyboard over to you during conference call. It's slightly crooked. Trying to punch in credentials without looking like a noob... impossible.

Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).

This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go a webpage, login with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.

BUT TODAY I HAD ENOUGH.

I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies.

For shits I opened myh spam box in gmail. There was a flood of spam from dating.lt . I wanted to just go over there and see if I somehow have an account in there. And delete it if possible.

But when I tried to log in with my usual "spam credentials" -- this hapened

Dear Product Owners,

If you tell me how I need to architect my software again I'm going to ask you to provide a network topology of the architecture you want me to build.

I'll also need you to request the new servers, work with the ops teams to setup credentials, provision the NAT, register the domains and document the routes that the proxy will need to use.

then I'll need you to hook the repo up to our non-existent pipeline so that I can make sure I won't do all that testing I already can't do.

I hope you're paying attention, because that framework you told me I needed to use is going to be a pain to setup correctly.

after you're done with that, please attach any documentation you shit out to the ticket you never created.

Enragedly yours,
Looking for a new job

PS: get fucked

We got DDoS attacked by some spam bot crawler thing.

Higher ups called a meeting so that one of our seniors could present ways to mitigate these attacks.

- If a custom, "obscure" header is missing (from api endpoints), send back a basic HTTP challenge. Deny all credentials.

- Some basic implementation of rate limiting on the web server

We can't implement DDoS protection at the network level because "we don't even have the new load balancer yet and we've been waiting on that for what... Two years now?" (See: spineless managers don't make the lazy network guys do anything)

So now we implement security through obscurity and DDoS protection... Using the very same machines that are supposed to be protected from DDoS attacks.

I request the VPN credential to access to an italian big company network.
The ask me the email to send the new credentials.
I reply sviluppo@mycompany.it
They say it's not good, it's not associated only to me.
I said I'm the only developer (sviluppo) in my company.
They reply the is more secure my private gmail account.
They sent the credentials to my gmail account.

Poorly written docs.

I've been fighting with the Epson T88VI printer webconfig api for five hours now.

The official TM-T88VI WebConfig API User's Manual tells me how to configure their printer via the API... but it does so without complete examples. Most of it is there, but the actual format of the API call is missing.

It's basically: call `API_URL` with GET to get the printer's config data (works). Call it with PUT to set the data! ... except no matter what I try, I get either a 401:Unauthorized (despite correct credentials), 403:Forbidden (again...), or an "Invalid Parameter" response.

I have no idea how to do this.

I've tried literally every combination of params, nesting, json formatting, etc. I can think of. Nothing bloody works!

All it would have taken to save me so many hours of trouble is a single complete example. Ten minutes' effort on their part. tops.

asjdf;ahgwjklfjasdg;kh.

Worst one I’ve seen so far is when I was working for my previous community another developer joined to help me, without the permission of me or the other lead developer he pushed a client-side update. We didn’t think it was a big deal, but once we began reviewing the code it became a big deal... he had placed our SQL credentials into that file that every client downloads. All the person had to do was open the file and could connect to our SQL which contained 50k+ players info, primarily all in-game stuff except IPs which we want to protect at all costs.

Issue becomes, what he was trying to do required the games local database on the client-side, but instead he tried connecting to it as an external database so he decided to copy server-side code and used on the client.

Anyways, the database had a firewall that blocked all connections except the server and the other lead dev and myself. We managed to change the credentials and pull the file away before any harm was done to it, about 300 people had downloaded the file within an hours period, but nothing happened luckily. IP to the DB, username, password, etc, were all changed just to keep it protected.

So far this is the worst, hopefully it doesn’t get worse than this :/

Production server credentials "test/test" 😱😨😱

Got a new eval board. It came in with a stock firmware, had its own IP and naturally its own webGUI. I wanted to check what was under the hood. So I SSH'd in to the device, and was prompted to enter the username. There weren't any specs or documentation.

*Hmm, let's try root*
User: root
Password: *Eh? Well, what the heck* admin
.
.
.
root@evalboard#

Muhahaha!!! Meet your hacker, eval board!

Remember kids, clear out any login credentials before doing git commit and git push!

/smacks himself

I like logging into public wireless networks where the admin credentials are the default and mess with their wireless settings...

Am I wrong?

My god, the managers don't even know their credentials to the Bitbucket account that THEY created!!!

🤦‍♂️🤡🤦‍♂️🤡🤦‍♂️🤡🤦‍♂️🤡🤦‍♂️🤡🤦‍♂️🤡🤦‍♂️🤡

Let's just hope they're not locked out for good... now THAT would be some grade-A comedy!

When I saw hard coded credentials in the code repo.

Clients never have login credentials to their stuff, do they?

I had security reopen our test-user last week. I could run the tests once, then they started failing with "blocked user due to too many attempts at logging in". Huh, that's weird. I go through everything, every script, every scheduled task, every nook and cranny of every drive on every machine I could reach, and make sure the password is updated everywhere. Reopen account. Same shit.

I email around to some people, they don't use it, one guy asks if I checked x, y and z, I did. Then he's sure we don't use it anywhere else.

It's one of our fucking contractors that took one of our scripts (that they're supposed to have duplicate copies of) and forgot to change to their own credentials. That's literally the agreement, take our scripts and change the user and run them on your machines.

Afhfjdkdhdjdbd stop locking me out of everything with your incompetence. I email them, some cunt gets back to me asking for the new password. NO. USE. YOUR. OWN. CREDENTIALS. I KNOW YOU HAVE THEM, THEY'RE HERE IN THE LIST AND BEING USED IN ALL OTHER SCRIPTS AAAAAAAAAHHH

My websites contact form got a submission from some "manjeet" offering me his freelancing services, together with previous projects, where he apparently delivered and... has a login backdoor that he advertises to others to check out?.. with credentials etc.

Also got flagged with "It contains a suspicious link that was used to steal people's personal information. Avoid clicking links or replying with personal information."

My company's logic:

If your account gets locked, you need to raise a ticket using the company portal. In order to access the portal, you need to enter your credentials.

I thought my code wasn't great until I saw this project marked for decommissioning by end of 2024.

Holy shit.

These people basically wrote their own JS full stack framework because they don't like frameworks.

In one of the files, there are over 150 console logs.

I also found two database names. I wonder if I keep digging, I might find a full database query string with login credentials in plain text.

I have to provide support if needed because they're firing the contractor. Wise Decision, methinks.

One of my colleagues in college asked me if I could check his raspberry pi because it behaved „strangely“.

I found out that it had been hijacked and somebody tried to mine bitcoins with it... that’s why you should change default credentials...

I swear, if I ever were to develop a support ticket system, I'd require credit card credentials for P1 tickets - "for covering potential costs to get the developer to the computer at this point in time". Let's see how many of your fucking tickets are Business critical after all!

<supervisor>,

I would like to raise a concern of mine to your attention. I would urge you to inform <CIO> because I think he should know as well. In our recorded meeting this afternoon <bad_vendor> exposed another company’s credentials after failing to access our system, and proceeded to demo access into someone else’s system while exposing their client's sensitive data. Others noticed this as well. This is an alarming situation because not only did <bad_vendor> expose someones data to <us>, but to one of our vendors. While it is unlikely that <us> or <helpful_vendor> would abuse this situation, it could have easily been <us>’s data that was exposed to another company and their vendors had the situation been reversed. I understand we are all under tight deadlines and under a lot of stress — by no means am I trying to make waves — but nonetheless I felt compelled make light of this situation and felt in was echoed by <helpful_vendor> during the meeting as well.

Thank you

Thanks to mandatory password change, today:

- My windows account got locked because my phone kept logging into wifi using
old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.

All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password"

I hardcoded credentials into source code because I was too lazy to write the method to read them from the database properly.

Some nice person created a Github repo to show some usage examples for a service.
He is even nicer because, besides some example credentials, he added live credentials too.
But I think they are safe: he commented them out, so nobody can read them.

Did a freelancing project... Hosted the project and gave the client credentials with the invoice. She changed the password and there is that

One fine day, at work, I was doing one of my favourite things.

git push origin test:mainline

And it prompted for my credentials. I gave them and continued as per yooozh..

What I didn't realise then was that I had used my personal github credentials instead of my official account's!

Oops.

Day 3 - and no one has noticed yet...

Commiting Prod credentials to git.

Some mother fucker decides to change production application db credentials…wtf man🤒🤦🏿🤦🏿🤦🏿

This former developer made an app 2 years ago which is in production since then. On the 404 page it's throws the database credentials. The database saves personal information about the mobile owner.

Luckily I found out and fixed it. The client doesn't know about this.

Oh boy!

Passing credentials in the URL...

Gotta love Linux!

Wanted to install Arch on my Rasperry PI yesterday, but don't have a cardreader on my PC. Still had an SD with a different distro (RasPlex) lying around. Popped that in, connected power and ethernet only, looked up the default SSH credentials and got to a blinking terminal on my desktop PC.
Well, how am I gonna format my microSD? Rasplex comes without fdisk, and I booted it from the only microSD slot.
Well, here we go - Extracted arch to a usb thumb drive, chrooted into it, switched microSD cards, partitioned and formatted it from the USB-Arch, installed Arch on it, chrooted from Arch to Arch (😁), set up drivers, network and ssh access, rebooted to my why-the-hell-not distro.

Everything worked!

It finally happened. One of our junior devs pushed a secrets file to their git branch and now I have to reset ALL THEIR CREDENTIALS. "git add ." will be the death of me.

IT dept releases update for Cisco Jabber for work environment and describes it as a minor update.

Me installs new version...
- completely new UI
- loses saved login credentials
- loses connected devices
- loses all settings
- loses history

My definition of "minor" is "slightly" different

The Instagram API sucks a Lot.

Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?

Fucking piece of shit

Clients r wankers. He wants to be able to send login details incl passwords in email to his clients when he adds them in the cms. The passwords are encrypted and generated on creation of a new user. Ive told him that sending credentials in email is shit and not secure. The stubborn bastard wont budge, so instead i've put explicit instructions to reset password once logged in with the credentials they send. Any other suggestions?

Storing DB credentials in a repo that were encrypted using functions... that are in the same repo (both encrypt and decrypt!)...

This is the last part of the series
(3 of 3) Credentials everywhere; like literally.

I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.

This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.

However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.

So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.

The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.

I am going to post cryptic ass shit on y'alls shit that gives over a fake sense of me knowing what I am talking about in terms of faking my credentials from working on big companies and having tons of knowledge of software development in an effort to convince you all in of my credentials to get massive upvotes by making you all think I am intellectually and technologically superior to you in multiple senses! I will use a thesaurus for this btw! not my general day to day speech! after all, it will give my fake ideals of credibility more success and acceptance! remember! i worked for all companies starving kids in different parts of the world did! nothing but my word for it!

Some people really need to consider the shit they read online from people that have been caught bullshitting all the time.
9/10 your shit is good enough, stop letting phonies make you feel inadecuate over their supposed success in this works ffs

@dfox Bug or something? Had this just before the update. Also I got a toast message saying 'invalid user credentials' when I tried to post this before the update.

I just got an email that a client changed their DNS zone files to point at a new server. Turns out that they haven't set the server up yet. Client is wondering why that domain's emails aren't working, and why their site is down. They didn't want to give me the Domain's portal login credentials until now, because they "could do it without [me]." Tomorrow morning should be fun.

Why the fuck do people not change their router admin password!? I was at a hotel today and could access their router admin interface with the default credentials. I guess this isn't purely the fault of the hotel because not all people know a damn thing about security and only use the interface to change the SSID and password of the AP. But why allow them to leave the default password? Why isn't this a standard feature to be forced to change the password :|

-2 mins to weekend, getting ready for a Friday rage push.
Checkout master? Done. Staged everything? Done. Impersonating boss with git credentials? Done.
120 sec to push.
119...
118...
117...

So I found a thing. On my laptop, I am able to create a hotspot. So someone can connect to it and I can share my internet access. Couldn't I theoretically impersonate a wifi name, by setting up the hotspot to use the SSID of the target network, then the clients that already have access to the target network would feed me the network credentials? If so, how would I go about capturing the creds?

Who knew SQL Server Report Manager didn’t have a log off / sign out button when you log in via the web browser?

I didn’t until I tried to test someone’s new credentials and realised I couldn’t log out of my administrator account. MS doesn’t ship it in the box apparently. Because that’s clearly not a useful piece of functionality to have. Except, some people have developed their own hacks to get around it......

Wtf.. mind blown

Years ago at school I recreated the UNIX logon screen. With this, I collected login credentials and then displayed a message that the dish gets formatted now. To make it more realistic I had a progress bar and generated random file access in the disk, so the LEDs flashed. Loved it and even the sysadmin could see the fun (and educational background :P)

So a new dev had an issue, if the wrong credentials are in the code it will crash because the unauthorised error isn't being handled.

I physically added the error handler, to his code, on his machine ... 3 days later it's not there.

Asked him and he says "sorry I must have deleted it"

... that's grounds for dismissal right? ... like ... seriously

If I have one more developer commit database credentials to code I'm going to have a red stapler moment and burn something to the ground.

Things that seem "simple" but end up taking a long ass time to actually deploy into production:

1. Using a new payment processor:

"It's just a simple API, I'll be done in 2 hours"

LOL sure it is, but testing orders and setting up a sandbox or making sure you have credentials right, and then switching from test to life and retesting, and then... fuck

2. Making changes to admin stats.

"'I just have to add this column and remove that one... maybe like a couple of hours"

YOU WISH

3. Anything Javascript

"Hah, what, that's like a button, np"

125 minutes later...

console.log('before foo');
console.log(this.foo)
etc..

To all the websites that take more than 2 seconds to figure out whether your username/password combination is correct,

FUCK YOU.

I don't want to watch your sorry ass fucking shitty application server try to figure out if I entered my fucking credentials correctly for 50 fucking seconds since I have to try them multiple times because I have visited your worthless fucking website like once or twice and couldn't remember the password well.

A swedish insurance company has two different solution for logging in to their system.

1. An advanced high security single sign on solution involving active directory, verification of the network the request came from etc etc.

2. Using a link and passing your credentials in the query string!!! Like: insurancecompany.com?username=admin&password=password.

Solution 2 works with admin accounts from anywhere.

Started my new job as a devops engineer, its been al month and i have never seen the seen of aws console or travis ci, dont even have credentials for any company cloud services.

I guess i should change my job title to backend dev

Me: You provided the wrong credentials for AWS. That’s why it won’t work. Please provide updated ones using document I emailed you last month.

Client: I forgot how to do that. Will you be free tonight after 9pm?

Me:.....

Yes. This really just happened. No. I am not doing it unless they pay hourly.

I have started using the input lockout when supporting colleagues.

The phrase "don't touch anything" must be code for "close all my windows"

Last one actually rebooted her machine in the middle of a (manager requested) intervention...

I got some very strange looks in the office to my "good afternoon, I'm calling to inform you that you will need to speak to HR to reinstate your credentials as I have accidentally marked you as a leaver while doing some database maintenance, I'll transfer you now, please hold" phone call, especially as we don't actually have access to do that lol

I put her on hold to myself while I finished then advised that "I'm sorry HR are busy, but I've managed to undo the mistake anyway, my apologies"

Kept her away from the machine so it was lawful evil right?

Printer strikes again!
Boss is pissed off that the printer is not working for him but works for the accounting department. He slammed the "photocopy cover thingy" with a "putain" (which I doubt will make it work). I had told him multiple times last week that the credentials he entered is wrong and he needs to verify that first. He will hopefully eventually realise it. Till then
Printer: 01
Human: 00

A colleague just committed his username and password in git. When I kindly informed him, he told me that there are a lot of things on whiteboards around the office that should not be there. Oh, if that's the case, committing your credentials to git is fine.

We all make mistakes. But your response to them is everything.

TIL if you know the password for a WIFi SSID, you can replicate it with your hardware. All devices that have credentials for that SSID will connect to yours if your signal is stronger. The encryption just needs to be the same (wpa2/wep) The underlying UUID doesn’t matter.

Not bad for a quick and dirty man-in-the-middle attack. The WiFi spec needs a bit more work.
TLS all the things!

Next week, I'll be with a new company - this week I'm scouring the corporate laptop for all the places I stashed personal SSH keys and AWS credentials.

teamLeader: We can't release because your change doesn't work, it breaks on the machine ABC123
iHateForALiving: I diagnosed the issue and I still don't know what's related to. BUT I'm 100% sure it's not related to my change, or anything that has changed in the last 24 months. Anyway we can take a look at this, just give me admin credentials for this machine.
teamLeader: no we can't.
iHateForALiving: ... Wait what? How am I supposed to reproduce the issue? Why can't I access the machine?
teamLeader: It's in use by the testers.
iHateForALiving: What for?
teamLeader: ... Educational purposes!

They report some issue on some particular machine, then refuse to give us access to said machine to reproduce the issue because they have "educational purposes", me and God know fuck kind of education I have in mind for this circus but as soon as I get my hands on them they'll get a hint.

So I and my friend worked on a website for a guy about 6 months ago and he didn't payed us (we had a contract but he is a d##k). Whenever we use to ask for money he'd ask us to do something else or add another stuff on the website (told you d##k). So we decided to leave without taking the money and now he's still using the website that we made.
While working with him he shared his server credentials and they are still the same (we still have access to everything).
Now we were thinking to teach him a lesson, we don't want our money back.
So, devranters what's the evilest idea you can come up with?

So far my friends suggested me:
-mining cryptocurrency
-replacing websites homepage with some abusive content
-delete everything on the server
-revoke his access to server (he would somehow get that)

As I was refactoring a class in a TypeScript project, I changed calls from `this.config` to `this.getConfig()`.

Suddenly, the tests were failing as somehow the live credentials were used from within the test.

Digging deeper I discovered this.

interface Base {
public config;
public getConfig();
}

So far so good. Wondering why config needs to be public, though nothing too shabby, let's look further:

class MyImpl implements Base {
constructor() {
this.config = this.getConfig()
}

getConfig = () => someGlobalVar;
}

┻━┻︵ \(°□°)/ ︵ ┻━┻

Why would you do this? This breaks dependency injection completely.

In the tests, we were of course doing:

testMe = new MyImpl();
testMe.config = testConfig;

So even though you have a getter, you cannot call it safely as the global var would take precedence. It's rather used as a setter within the constructor. WTF.

Sad part is that this pattern is kept throughout the entire codebase. So yeah for consistency!?

(And yes, I found a quick workaround by doing

getConfig = () => this.config || someGlobalVar;

though still, who in their right mind would do something like this?)

Do you know what a meat proxy is? It's when you work as a consultant for a company, and the company doesn't give you credentials to deploy, debug, or interact in any way with your code. You then have to work through the sysadmin, while telling him how to go through every single step, every git pull, every line of code to edit. Kill me

I'm performing a pentest for my client.
So after scanning my client's network I understood they're using IIS 4.5 and windows server 2012 (or 2012 R2)
I know the systems are real old.
And there are known exploits for them.

The tricky part is I have to stay hidden and I only have my own credentials for logging in to the asp page. (Uploading a script is almost crossed cuz it will reveal my identity)
Also I have access to the local network with some of the other employees user/pass.

Any recommendation for exploiting and staying hidden at the same time ?

One more question : will exploits for newer versions work for the older ones necessarily?

Sharing your password with your coleagues is like sharing your underwear or your GF with them. It's not right and unless you're into some weird fetish you won't really want them back...

I've been asked to help in my previous project and I'm fairly certain my credentials are expired/locked/forgotten there. Guess whose managers will be encouraging sharing current dev's on that project passwords...

Our parent company wouldn’t give us DB login credentials to a customer server outside our territory... we tried the default username and password and it worked...

Speaking of.. What in your opinion would be an appropriate way to warn someone about security problems, like db passwords in git?

I once came across dozens of extremely sensitive services' infra accesses: alibaba/aliexpress, natuonal observatories, gov institutions, telecomms, etc. I had dozens [if not hundreds] routers' and firewalls' credentials along with addresses. I tried one to confirm validity - it worked. I wanted to warn them but did not want to get in trouble.

If it were servers, I'd set a motd or append some warning messages in .profile. But not sure how to do it for non-server devices

what would you do? How would you warn them?

P.S. Deleting that record was a smart move, buddy ;)

p.P.S. Sorry, wrong category... Can't edit now :(

I just found out today , that my pm had mistakenly committed the email id and password of his account(which he probably used for testing) in the public repo in github.
Although he subsequently removed it, I can see it in commit history.

The point is.....
I don't kinda like him...
Any mean ideas....?

Why don't people secure their devices if they are on a shared network? I just ran a network scan and found 3 raspberrys, all of them with the default credentials....

"What? You aren't sure where the Android Wifi credentials QR Code scanner is specifically located? But.. Aren't you the expert?" Trying not to freaking boil my blood right now.

Me: "can you please send my credentials for the database?"

Hosting provider: "Yea sure... We will set it up on our servers in no time"

*5 mins later: provider sends mail to me*

Me: *looks at mail*

Also me: *NOTHING TO DO HERE*

Congrats to jweiland.net for not being able to support their customers.

Update on the bank I’m working for: their security is shit and the way they manage customer data and credentials is sickening. On top of it all, there’s about 10 windows XP computers still online not to mention the ATM is running Windows XP. What the flying fuck.

Me: Can I use my own set of credentials to create this entity?
Twitter: Sure you can
Me: Thank you, that's very kind. Can I use these same credentials to see the entity I've just created?
Twitter:

I have a little big question

I don't have electricity most of the time but the ethernet cable from my internet provider is still working if i plug it in my laptop.
Except that i have to setup the credential from the provider, user and password.
Now!
I want to plug the ethernet into the raspberry pi (3B+) make it work , because idk where should i enter the credentials and then make hotspot so i can have a router powered up from the power bank.
A pi as router

Is it possible?

Because so far i have seen people who connect the pi to the router but mine requires electricity as any other else.

?? Welp

Having to explain why GET has its place, but shouldn't be used for anything that shouldn't be viewed ... especially to some one that should fucking know not to show the damn auth credentials. Great thanks for your user and pass, can I get your CC number next please.

Today was a SHIT day!

Working as ops for my customer, we are maintaining several tools in different environments. Today was the day my fucking Kubernetes Cluster made me rage quit, AGAIN!

We have a MongoDB running on Kubernetes with daily backups, the main node crashed due a full PVC on the cluster.

Full PVC => Pod doesn't start
Pod doesn't start => You can't get the live data
No live data? => Need Backup
Backup is in S3 => No Credentials
Got Backup from coworker
Restore Backup? => No connection to new MongoDB

3 FUCKING HOURS WASTED FOR NOTHING

Got it working at the end... Now we need to make an incident in the incident management software. Tbh that's the worst part.

And the team responsible for the cluster said monitoring wont be supported because it's unnecessary....

"I need the login credentials for the CMS service"

*sends the email confirmation email*

"No, I can't confirm your email for you. In plain English: send me the email and password to login."

"Ohhhhhhhhh"

Literally what the fuck is wrong with these people.

I swear we're all fucking doomed.

Like half of my meetings, that could have been emails. Yesterday I was waiting for some person for 20 minutes and then, he only asked me about credentials for test environment. He sure had to schedule a meeting for that...

In highschool we went through something like a malware/phishing prevention course.

It was pretty cool tbh, we spend the whole hour in a virtual environment where you'd see common malware and phishing attempts, but the really fun you could also "hack" other students.

Hacking them means you could cause some things to happen on their "PC". One of those was showing in a captcha on their screen and they had to type a the string of your choosing, before they could access the rest of the "virtual computer" again.

You can probably guess where this is going.
I was the first who had the idea to mix big i and small L and tested it on our teacher, who was also part of this environment and screenshared to the projector.

Thanks to sitting next projection I could see the pixels and I can confirm: same character, Pixel perfect!

I will forever cherish the memory of my the teacher begging me to undo the "hack" and the chaos that followed amongst my peers 😈

Also one of the excersizes was stupid. Click on a phishing mail and enter your credentials in the form. I asked the teacher WTF kind of credentials they even want me to enter to microsooft.cum and they just said "the credentials obviously" so I think they got their karma🖕

Am I the only one who thinks OSX is stupidly insecure unless you encrypt the whole disk? I mean, how dumb is it to boot into safe moot and provide a root shell without prompting for credentials?

>TINFOIL GUYS!!!!!
guys don't just deactivate your FB acc, request deletion, beacuse if you deactivate and use any services like any page login or any social services like insta, and you use your FB credentials to login, the gets reactivated and your news feed even shows what you have missed in the mean time , so all of the (your) data is still in their servers

Who is that genius at Microsoft thought about that if adding a new email to outlook on Android and credentials are wrong, CLOSE THE WINDOW AND GO BACK TO SETTINGS!!

Error message says wrong username/password then let me fucking fix them not go back and enter everything from scratch (outgoing, incoming servers, username, password)

Fuck this shit -_-

Credentials are in var/www/credentials.txt

It all started with an undelivereable e-mail.

New manager (soon-to-be boss) walks into admin guy's office and complains about an e-mail he sent to a customer being rejected by the recipient's mail server. I can hear parts of the conversation from my office across the floor.

Recipient uses the spamcop.net blacklist and our mail was rejected since it came from an IP address known to be sending mails to their spamtrap.

Admin guy wants to verify the claim by trying to find out our static public IPv4 address, to compare it to the blacklisted one from the notification.
For half an hour boss and him are trying to find the correct login credentials for the telco's customer-self-care web interface.
Eventually they call telco's support to get new credentials, it turned out during the VoIP migration about six months ago we got new credentials that were apparently not noted anywhere.

Eventually admin guy can log in, and wonders why he can't see any static IP address listed there, calls support again. Turns out we were not even using a static IP address anymore since the VoIP change. Now it's not like we would be hosting any services that need to be publicly accessible, nor would all users send their e-mail via a local server (at least my machine is already configured to talk directly to the telco's smtp, but this was supposedly different in the good ol' days, so I'm not sure whether it still applies to some users).

In any case, the e-mail issue seems completely forgotten by now: Admin guy wants his static ip address back, negotiates with telco support.
The change will require new PPPoE credentials for the VDSL line, he apparently received them over the phone(?) and should update them in the CPE after they had disabled the login for the dynamic address. Obviously something went wrong, admin guy meanwhile having to use his private phone to call support, claims the credentials would be reverted immediately when he changed them in the CPE Web UI.

Now I'm not exactly sure why, there's two scenarios I could imagine:
- Maybe telco would use TR-069/CWMP to remotely provision the credentials which are not updated in their system, thus overwriting CPE to the old ones and don't allow for manual changes, or
- Maybe just a browser issue. The CPE's login page is not even rendered correctly in my browser, but then again I'm the only one at the company using Firefox Private Mode with Ghostery, so it can't be reproduced on another machine. At least viewing the login/status page works with IE11 though, no idea how badly-written the config stuff itself might be.

Many hours pass, I enjoy not being annoyed by incoming phone calls for the rest of the day. Boss is slightly less happy, no internet and no incoming calls.

Next morning, windows would ask me to classify this new network as public/work/private - apparently someone tried factory-resetting the CPE. Or did they even get a replacement!? Still no internet though.
Hours later, everything finally back to normal, no idea what exactly happened - but we have our old static IPv4 address back, still wondering what we need it for.

Oh, and the blacklisted IP address was just the telco's mail server, of course. They end up on the spamcop list every once in a while.

tl;dr: if you're running a business in Germany that needs e-mail, just don't send it via the big magenta monopoly - you would end up sharing the same mail servers with tons of small businesses that might not employ the most qualified people for securing their stuff, so they will naturally be pwned and abused for spam every once in a while, having your mailservers blacklisted.

I'm waiting for the day when the next e-mail will be blocked and manager / boss eventually wonder how the 24-hours-outage did not even fix aynything in the end...

So you're getting an error message that says "incorrect credentials"? Read the fucking message and check the spelling of your fucking email address.

Gotta love it when everything works flawlessly with the test API endpoint and credentials, but when I try to go live, there's suddenly a ton of additional configuration to get the third-party APIs working.

Why the fuck do you even provide a testing environment, if it's completely different from the live one?

all documentation points to an Invalid auth token being code 400 (ignore the fact that this is a code in the JSON response and not HTTP)

Me: here iz credential. Plz send datas
API: haha fock off and die mate, then credentials you got there aren’t workin’
API: code 998 invalid auth token
Me: *speechless* so that’s why it took me longer than it did to find that error, because YOUR CODE WAS MISSING ALL MY CHECKS FOR CODE 400.

Why can’t people design apis properly.

My manager gave me a project about integration & deployment to another internal product which involves consuming oauth credentials which were already available in AmazonS3. The worst part of this is I wont have any access to any AWS resources and no sandbox environment.

And I'm like. How the fuck should I do this? Should I just conceptualize and pray to the machine spirits and hope that this wont have any fucking issues?

10 years ago my bosses came to me: Make a few adjustments to the logic of this website. Should be a quick thing they said. Got a zip file later. Hundreds of php files. Inside, thousands of lines of the best PHP/HTML Spaghetti I've ever seen. No CSS though, but lots of nested table layouts. The best part: everything was in french, content, comments, varnames. The original dev didn't use includes for the most repetitive stuff, even db credentials were copied in every file. Took me a week.

Two weeks later: Change that and that please....

We decided to write everything from scratch then.

I don't fucking care if you don't understand what I'm trying to convey, I've documented how to configure email with your fucking iPhone (even though I don't own one), I will not fucking guide some FUCKING idiot from management to teach them configure the same documented thing.

It's fucking email, you log in with your credentials and settings are fetched, how is this difficult to understand you FUCKING idiot?!?!??

Also, pic related, translation "I don't give rat's ass" or "I don't fucking care"

Debugging an elusive database query problem. Attached to server process about 10 steps into the call stack trying to figure out why a a column value is not being properly cast. In comes Windows. You picked the most inappropriate time to restart for updates without asking me. Restart VM, authenticate with VPN, wait for 2FA, start up Visual Studio, enter credentials for the millionth time to authenticate with version control since the remember me checkbox doesn't work, open solution. Now where was I? Then Windows pops up a notification to inform me the updates couldn't be installed. The following comic strip comes to mind.

So, I move house with my amazing, already configured and stable router with built in VPN, DDNS, Port forwarding and DHCP addresses.

Received ISP shitty router at new address and want to use as modem only, so I go read the manual.

"Bridge mode requires you to configure your other router with PPPoE and the ISP's credentials"

Landline is not working, so I cannot call the number to retrieve my password. After 2 days of waiting, engineer visits, installs master socket, dial tone yaaay.

Call number to get password, automated voice message has such a bad sound quality that I cannot figure out if it's saying F or S, and there are two of those letters.

Put ISP router in bridge mode, set other router to PPPoE and put credentials, nothing. Try with F and F, S and F, F and S, S and S... Nothing. Put it back to dynamic IP address, it works.

I resign myself and manually configure everything I had on the good router to the ISP one. A few issues with my server and DDNS, but hey, internet works.

Start missing the other functionality, try the password idiocy again. Nothing.

Next day, go to work, talk to a colleague that lives close and has the same provider: "I just put it into bridge mode and it worked".

Go back home, bridge mode on ISP router, Dynamic IP on good router, no credentials. It works.

Why do I always overcomplicate stuff?

Just rebooted my work station during a video conference because the VPN was flaking out.

After reboot, launch Teams to get back to the meeting. The VPN credentials dialog then pops up, but IS NOT MODAL, so I end up sending my password to the group chat...

Time to change my password, I guess.

I have started a new journey on a company on Jabuary 25. I put a lot of effort but apparently the client told my employer I took too many time in my onboarding process (they expected me to be ready in two weeks or less) and they deactivated my slack account (this was on monday, because although I had holidays I turn on my machine in order to advance). The client said this on friday and I got awared on monday. I feel frustrated... Because I put a lot of effort resuming the documentation and even my team mates said it was unfair; some of them took longer than two weeks and they havent make a PR.
So it seemed to me strange as I said... Some of the conclusions we arrived were: We should ask for credentials 1 week before. The other thing was: The guy who technically interviewed me was really important in the project and he has a cool posibility on Barcelona (spain). We assumed that the client feel angry or sad about this and because they want to keep still the relation but want other provider to supply that dev guy, they arose with silly and stupid time requirements. I did all I could taking into account they didnt give me all the credentials at the same time; the first one came one week after.
Soooo here I am... Enjoying a good bench time and learning angular !!!!... sincerely... I wanted to release some shots to the air jaja

When trying to log into a financial site and it tells you your credentials are incorrect, when they aren't, all because you are using something other than Chrome or Safari is a new low.

Why would I strive to be productive if 90% of my work consists of me waiting for approvals, access, credentials, attending meetings about meetings?

I haven't said anything yet, but an AltRant notification server exists. Support for it will arrive very very soon on the AltRant app. It will run locally on the end user's personal computer, and it does not require a constant connection to the phone. Both devices need to be connected to the same local network on first connection, but after that you can wander out of your house or disconnect from the local network and still receive notifications.

DISCLAIMER: ALL SENSITIVE USER CREDENTIALS ARE NOT STORED *ANYWHERE* EXCEPT ON THE LOCAL USER'S MACHINE. NO DATA IS SENT TO ME. THE SERVER IS OPEN-SOURCE, HAS NO RELEASE BINARIES AND RUNS ON PYTHON.

Note to @dfox: if you want this to not exist or not be supported inside AltRant, please tell me or send me an email about it.

Client wants some CMS text to be automatically translated. So I checked and Google seems to have a solution for that. I thought to to be as simpel as doing a request and parsing the response. That's how API's work, right?

No. First I must create an account, that account must have a credit card, then I need to setup credentials, the default ones working with path variables, an API key... etc etc etc.

I feel so stupid for just not understanding their docs. I'm just a dude that installs a CMS and makes pretty CSS for it. I've worked with REST APIs before (Mollie, Carerix) but none of them ever demanded the level of knowledge and setup the Google Translate API demands.

Am I just a bad developer or is this shit just too complex for your average web developer?

Using the company's desktop computers to solve cryptographic puzzles (like mining) on the company's computers while the boss and someone from the IT were asking to have a look on the machine after one guy already snatched my keyboard.

Very scary moment indeed but surprisingly it turned out: the real reason why they came was because a techadmin recently removed a shared system account but some faulty clients kept flooding the servers with outdated login credentials which also triggered mass SMS on the mobile devices.

Luckily I could somehow take an opportunity to remotely call the script which pulled the emergency brake which I prepared to shut down everything. Close call.

Nowadays I think it itsn't worth to take the risk just to do something that could also be done with the own home computer even it takes five times longer.

So one of my employees pointed it local setup on the live database to test some weird behavior in an algorithm. Then he starte the next task and wiped his database to reload the fixtures. After that he realized, that he still had the live database credentials in his configuration file.

Go assign a super simple ticket to your "product owner" or "manager" or whoever the hell claims they "work so hard" and "have the vision" or whatever blah blah blah when in reality YOU'RE the one working 12 hour days, completing the features used by THOUSANDS.

Just try it. They'll never complete it. I guarantee it. Here I am looking at one that is three weeks old asking to update the f&*(@#$ credit card credentials for a simple log service to be reactivated.

So sick of this backward world where us devs never get any credit.

Who wants to start a software union with me?

Just found out that MQTT.fx stores user credentials in plain text in a xml file.
WTF?!
I mean it's only stored locally but it's still a bit worrying.

How do you keep track of your servers? their credentials/ssh keys, opened ports, services, IP, domain etc?

Some internet security officers (working for the government on internet privacy related stuff) tells the media that they can decrypt your Facebook credentials in less than 7 seconds.
Everyone let's take a break to laugh at these morons hahaha

Google, please explain to me: Why the fuck would you create a hardcoded requirement in your libraries to use a plaintext json file with credentials to your API?

Credentials which give full access to all of the company email, addresses, cloud services, etc?

And why would you accompany this in your docs with example implementations which read as if they were an intern's first coding project — non psr compliant PHP, snippets of Go which won't compile due to type errors...

I'm starting to become convinced that the whole of the Google Cloud API was actually written by thirteen year old who found their parent's liquor cabinet.

Fuck this I'll build my own Google.

When you forget to open cmd as admin and it blocks your commands for lack of credentials

My journey into learning Docker, chapter {chapter++}:

Today I learned that when you use a database image in your docker-compose file, and you want to rebuild the whole thing for reasons (say, a big update), then if you change your credentials ("root" to "a_lambda_user" or change the db's password) for more security, and you rebuild and up the whole thing... It won't work. You'll get "access denied".

Because the database (at least mysql and mariadb) will persist somewhere, so you need to run "docker rm -v" even though you didn't use any volumes.

I love loosing my fucking time.

- Implemented oauth1 - no body hashing
- URL contains credentials in plain text
- Used Azure API management feature as a proxy of the our API, however the documentation was on the our API, thus exposing the API URL with no management to developers.
- easy resource DDoSing because each trial user got a DB, the registration process did not have bot checks. You could literally freeze the db instance by spamming registration requests.

Wanna know about hacks? I'll tell you. There is a peace of software called SugarCRM. It has OAuth2 provider implementation. I was assigned to write OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on standard Authentication header. They use custom.
* Hack on "scope". They send null which is standard violation. So it is replaced to empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store user's credentials in memory to be able to reauthenticate user transparently.

What disturbs me is when companies uses invalid ssl certs for internal services where you have to login with your company credentials.

gitlab pipeline fails because it apparently has the wrong credentials

i don't recall doing anything to the credentials on my merged feature branch

worked fine last week

i am not familiar with the pipeline, i don't see any recent changes to it

I committed my credentials and pushed to GitHub once. Took me a week to notice. Luckily it was just a personal project and no one noticed.

Teachers painfully trying to diagnose internet problems when it literally says in the corner of the windows 7 install that the WiFi credentials are incorrect

I have been trying to wrap my head around authentication in hapi for the last 6 hours...
Fuck this shit... when did simple,
I HAS A USERNAME
I HAS A PASSWORD
CAN HAS SESSION?
become:
- you magically get a token from somewhere
- you magically verify that token
- you respond with { credentials } //magic
- by some fucking black magic the server probably creates a session without you knowing about it...
- you freak out and write your own authentication scheme only to find out that you cannot read payload of POST requests in the authenticate method
- you get angrier and depressed and write a rant

(to be clear: there is @hapi/basic but I don't think sending a GET request with the URL looking like username:password@domain.tld is very safe...)

Using my new dashboard from previous rant already and came across this, sounds really creepy and doesn't even pay well for 550$