I had a secondary Gmail account with a really nice short nickname (from the early invite/alpha days), forwarded to another of my mailboxes. It had a weak password, leaked as part of one of the many database leaks.

Eventually I noticed some dude in Brazil started using my Gmail, and he changed the password — but I still got a copy of everything he did through the forwarding rule. I caught him bragging to a friend on how he cracked hashes and stole and sold email accounts and user details in bulk.

He used my account as his main email account. Over the years I saw more and more personal details getting through. Eventually I received a mail with a plaintext password... which he also used for a PayPal account, coupled to a Mastercard.

I used a local website to send him a giant expensive bouquet of flowers with a box of chocolates, using his own PayPal and the default shipping address.

I included a card:

"Congratulations on acquiring my Gmail account, even if I'm 7 years late. Thanks for letting me be such an integral part of your life, for letting me know who you are, what you buy, how much you earn, who your family and friends are and where you live. I've surprised your mother with a cruise ticket as you mentioned on Facebook how sorry you were that you forgot her birthday and couldn't buy her a nice present. She seems like a lovely woman. I've also made a $1000 donation in your name to the EFF, to celebrate our distant friendship"

So, since I hear from a lot of people (on here and irl) that Linux has a 'very high learning curve', let me share my experiences with the first time my dad touched Linux (Elementary OS) without me interfering at all! (keep in mind that he is very a-technical)

*le me boots the system* (I already did setup a user account for him and gave him the password).

Dad: *enters password and presses enter*
Me: "Hmm that went faster than expected."
Dad: "Uhm I know how to login son, it's not that hard and pretty obvious".
Me: "Alright, why don't you try to open up the default word documents editor on here! I'll be right back!"
Me: *Goes away and returns after a minute*.
Dad: *already a few test sentences typed in LibreOffice writer* it's going pretty well :)!
Me: "Oo how did you find that?!"
Dad: "Well, there's a thingy that says 'applications' so I clicked in and found it in the "Office" section, do you think I am blind or something?!"
Me: 😐. uhm no but I just didn't think you'd find it that quickly. Now try to install Chromium browser! *thinking: he'll fail this one for sure* I'll be right back :).
Me: *returns again after a minute or so*
Dad: *already searching for stuff through Chromium*
Me: "wait, how the hell did you do that so quickly, it's not the easiest thingy for most people".
Dad: "Jesus, it's not that hard! I went to the application browsing thingy, typed 'software' and then a sorta software store icon showed up so I clicked it and it opened a windows with a search bar saying something like 'search for applications/software'. clicked in it, typed 'chromium', saw it coming up, there was a very clear 'install' button, it asked for my password, I put it in and after a little it gave a notification that it was installed. Then I went to that application browsing thingy again and typed Chromium. Then I hit enter because it selected an icon called chromium...."
Me: O.o. Okay this is going very good, now open an email client and login to your email address!
Dad: *goes to application browsing thingy, types 'email', evolution icon shows up, dad clicks it, email address setup steps show up and dad follows them quickly. After about a minute, everything is setup.

I expected this to be a hard process for someone who dealt with Windows his entire life but damn, I underestimated it.
Asked him if he found it easy/what he liked about it:
"Well, it's very clear where I can find everything, default browser/email/word document editor programs are easy to find and that's about all I need so yeah, great system!"

I am proud of you, dad!

So my actual job is being a nurse at the local hospital, with coding being just a hobby. However, the way some IT–Related things are treated here are just mind-blowing. Here are some examples:

Issue: Printer is not recognized by network anymore due to not being properly plugged in

Solution: Someone has to tell the house technician, if the house technician is currently not available, ask his assistant who only works part time and like twice a week. House technician took the printer (God knows why), came back 2 days later and plugged it back in.

Issue: Printer 1 of 2 on ICU has run out of ink and since all computers default to printer 1, nobody can print.

Solution: Call the house technician, blah blah, house technician comes, takes ink cartridge of printer 2 and puts it into printer 1.

Issue: Public WiFi is broken, can be connected to but internet access is missing. Probably config issue as a result of a recent blackout.

Solution: Buy a new router, spend 5 days configuring it and complain about how hard networking is.

Issue: Computer is broken, needs to be exchanged with a new one, but how do we transfer the data?

Solution: Instead of just keeping the old hard drive, make a 182GB backup, upload it to the main file server and then download it again on the new computer.

Issue: Nurse returns from vacation, forgot the password to her network account.

Solution: Call the technician who then proceeds to open a new account, copies all the files from the old one and tells her to pick an easier password this time. She chooses "121213".

My last school used my SSN as the default account password.
Just to test, I used the “forgot password” functionality, and they sent me my SSN over clear text.

As a developer, I see that as 2 mortal sins 😡

!rant

I was in a hostel in my high school days.. I was studying commerce back then. Hostel days were the first time I ever used Wi-Fi. But it sucked big time. I'm barely got 5-10Kbps. It was mainly due to overcrowding and download accelerators.

So, I decided to do something about it. After doing some research, I discovered NetCut. And it did help me for my purposes to some extent. But it wasn't enough. I soon discovered that my floor shared the bandwidth with another floor in the hostel, and the only way I could get the 1Mbps was to go to that floor and use NetCut. That was riskier and I was lazy enough to convince myself look for a better solution rather than go to that floor every time I wanted to download something.

My hostel used Netgear's routers back then. I decided to find some way to get into those. I tried the default "admin" and "password", but my hostel's network admin knew better than that. I didn't give up. After searching all night (literally) about how to get into that router, I stumbled upon a blog that gave a brief info about "telnetenable" utility which could be used to access the router from command line. At that time, I knew nothing about telnet or command line. In the beginning I just couldn't get it to work. Then I figured I had to enable telnet from Windows settings. I did that and got a step further. I was now able to get into the router's shell by using default superuser login. But I didn’t know how to get the web access credentials from there. After googling some and a bit of trial and error, I got comfortable using cd, ls and cat commands. I hoped that some file in the router would have the web access credentials stored in cleartext. I spent the next hour just using cat to read every file. Luckily, I stumbled upon NVRAM which is used to store all config details of router. I went through all the output from cat (it was a lot of output) and discovered http_user and http_passwd. I tried that in the web interface and when it worked, my happiness knew no bounds. I literally ran across the floor screaming and shouting.

I knew nothing about hiding my tracks and soon my hostel’s admin found out I was tampering with the router's settings. But I was more than happy to share my discovery with him.

This experience planted a seed inside me and I went on to become the admin next year and eventually switch careers.

So that’s the story of how I met bash.
Thanks for reading!

Client comes to me after a year to publish an update to his app.

I accept, start looking for my release key.... Found it.

Fuuuuuuucccck what's the password? I can't remember

Googled what to do if forgot password of keystore: Nope can't do shit other than brute Force. You've to forget your app and publish as a new app. Nice.

I must have written it somewhere... I'm sure. Check my password manager: Nope.

Start brute forcing:
Default pass: android. Nope
Name of app? Nope

After 10 mins of brute forcing:
Why would I not store the password in my password manager? The only reason I can think is the password is too stupid to be stored.

Try "password". App signed successfully.

I'm ashamed of 1 year older me xD

Friend of mine killed his MacBook with some Softdrink.

Just poured it all over his poor a1502.

He let it dry for a few days, it starts to work again.
Except the battery.

Goes on Amazon and buys a new battery.

New battery doesn't work either and so he tells me about it and I as stupid as I am couldn't resist the temptation to finally work on a MacBook like my "hero" Lois Rossmann does.

So turns out the board is good.
Cleaned it up and basically nothing happened to it.

So what's the deal with "los batlerias"?

The first got hit by liquid, the second had a broken connection to a cell.
That could have happened through my friend, installing it without testing it first, or at the seller, so it being a DOA battery.

Now away from the stupidity of my friend and the situation to the actual source for this rant.

Once something happens to a modern Managed battery, the Battery Management System (BMS) disconnects the voltage from the system and goes into an error state, staying there and not powering anything ever again.
For noobs, it's dead. Buy a new one.

But It can be reset, depending you know how to, and which passwords were set at the factory.
Yes, the common Texas instruments BQ20Zxx chips have default passwords, and apple seems to leav them at default.

The Usb to SMBus adaptors arrived a few days ago and I went to prod the BMS.

There is a very nice available for Windows called BE2works, that I used the demo of to go in and figure out stuff. The full version supports password cracking, the demo not.

After some time figuring out how Smart Battery Systems (SBS) "API" works, I got to actually enter the passwords into the battery to try get into manufacturer and full access mode.

Just to realise, they don't unlock the BMS.

So, to conclude, my friend bought a "new" battery that was most likely cut out of a used / dead macbook, which reports 3000mah as fully charged instead of the 6xxx mah that it should have, with 0 cycles and 0hours used.
And non default access.

This screams after those motherfuckers scaming the shit out of people on Amazon, with refurb, reset, and locked fucken batteries.

I could kill those people right now.

Last but not least,
My friend theoretically can't send it back because I opened the battery to fix the broken connection.
Though maybe, it'll get send back anyway, with some suprise in the package.

Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P

I was at the airport, 2AM, waiting for the plane I was supposed to board to come from another airport... Got bored, scanned the WiFi networks, found an open network with the ID of the airline I had booked with, joined, and tried port 22 on the gateway... It was a Cisco router with the default password... Needless to say, I thought I needed to teach those guys a lesson... Messed the routing table, changed its IP, disabled DHCP, and restarted the router. Needless to say, we couldn't board because they couldn't check us in...

The tech stack at my current gig is the worst shit I’ve ever dealt with...

I can’t fucking stand programs, especially browser based programs, to open new windows. New tab, okay sure, ideally I just want the current tab I’m on to update when I click on a link.

Ticketing system: Autotask
Fucking opens up with a crappy piss poor sorting method and no proper filtering for ticket views. Nope you have to go create a fucking dashboard to parse/filter the shit you want to see. So I either have to go create a metric-arse tonne of custom ticket views and switch between them or just use the default turdburger view. Add to that that when I click on a ticket, it opens another fucking window with the ticket information. If I want to do time entry, it just feels some primal need to open another fucking window!!! Then even if I mark the ticket complete it just minimizes the goddamn second ticket window. So my jankbox-supreme PC that my company provided gets to strugglepuff along trying to keep 10 million chrome windows open. Yeah, sure 6GB of ram is great for IT work, especially when using hot steaming piles of trashjuice software!

I have to manually close these windows regularly throughout the day or the system just shits the bed and halts.

RMM tool: Continuum
This fucker takes the goddamn soggy waffle award for being utterly fucking useless. Same problem with the windows as autotask except this special snowflake likes to open a login prompt as a full-fuck-mothering-new window when we need to open a LMI rescue session!!! I need to enter a username and a password. That’s it! I don’t need a full screen window to enter credentials! FUCK!!! Btw the LMI tools only work like 70% of the time and drag ass compared to literally every other remote support tool I’ve ever used. I’ve found that it’s sometimes just faster to walk someone through enabling RDP on their system then remoting in from another system where LMI didn’t decide to be fully suicidal and just kill itself.

Our fucking chief asshat and sergeant fucknuts mcdoogal can’t fucking setup anything so the antivirus software is pushed to all client systems but everything is just set to the default site settings. Absolutely zero care or thought or effort was put forth and these gorilla spunk drinking, rimjob jockey motherfuckers sell this as a managed AntiVirus.

We use a shitty password manager than no one besides I use because there is a fully unencrypted oneNote notebook that everyone uses because fuck security right? “Sometimes it’s just faster to have the passwords at the ready without having to log into the password manager.” Chief Asshat in my first week on the job.

Not to mention that windows server is unlicensed in almost every client environment, the domain admin password is same across multiple client sites, is the same password to log into firewalls, and office 365 environments!!!

I’ve brought up tons of ways to fix these problems, but they have their heads so far up their own asses getting high on undeserved smugness since “they have been in business for almost ten years”. Like, Whoop Dee MotherFucking Doo! You have only been lucky to skate by with this dumpster fire you call a software stack, you could probably fill 10 olympic sized swimming pools to the brim with the logarrhea that flows from your gullets not only to us but also to your customers, and you won’t implement anything that is good for you, your company, or your poor clients because you take ten minutes to try and understand something new.

I’m fucking livid because I’m stuck in a position where I can’t just quit and work on my business full time. I’m married and have a 6m old baby. Between both my wife and I working we barely make ends meet and there’s absolutely zero reason that I couldn’t be providing better service to customers without having to lie through my teeth to them and I could easily support my family and be about 264826290461% happier!

But because we make so little, I can’t scrap together enough money to get Terranimbus (my startup) bootstrapped. We have zero expendable/savable income each month and it’s killing my soul. It’s so fucking frustrating knowing that a little time and some capital is all that stands between a better life for my family and I and being able to provide a better overall service out there over these kinds of shady as fuck knob gobblers.

School has default router username and password. And it's not just a shitty tp-link router. It runs linux.

Made a simple reverse shell and I have a fully functional linux computer. Not really a hack, but it's sad.

Soon to get to the school server!

TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!

As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.

Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.

I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."

Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!

Once I moved to new flat that had no internet connection yet, so I went to restaurant located under my apartment, that had WiFi secured with password. I asked for it while waiting for the order - it was "A1B2C3D4". After a while I got anoyed that it was so slow, so checked if can acces router admin page and restrict access for their clients. It turned out I can and they used default login and password, so they ended up with only my MAC whitelisted. Seemed they had connected their own business PC ("office PC") via LAN too, so I was curious if they call ISP to check it out. I checked the router settings every day, even after I got my own internet connction and they had it blocked for about 3 weeks. Then they changed WiFi password, so I came again, asked for password (another shitty one), checked router admin page and... still default login and password...

"The default password is your birthday"
They don't even make you change it

So my ISP decided it was ok for them to log into my router remotely and re enable the wifi.

I turned it off for a reason and no your excuse that it will improve my upload speed is bullshit you stupid patronising fucking shithead.

I'm now seriously looking into cancelling my service with you because you don't respect your customers or their wishes.

Also I'm guessing there's a default backdoor password into the router as I changed all the passwords I could find. Meaning the whole thing is horribly insecure.

My mobile provider doesn't allow me to set a password that contains any other symbol than letters and numbers for the website where you can look at how much data you consumed (and can order new data, change plans, etc.). Are you kidding me. This is making shit insecure, you fucks!

Yes I believe you’re Google and I will click that link.
I don’t care that IP from that you sent it to me is from some company in India.
Probably Google outsourced it’s email service there.

But wait why is this link pointing to Chinese website?
Ouch you provided some ip under A dns record so let me nmap it...
So there’s bunch of services you have there.
ftp, ssh, msrpc, netbios-ssn, snpp, microsoft-ds, sun-answerbook ...wait what ?
Let me curl that 8888 port.
Oh you have login / password form and it’s pagoda linux panel.
Wait a second I will read about it maybe some default login / password will work...

Ok so maybe I just make a script to brute force it as you wanted to brute force my computer motherfucker.

Ok wtf? How is it that I can give myself admin access to almost any Apple computer just by turning it on, holding down two keys, and then removing one file called “.AppleSetupDone”, without any kind of authentication? And I get access to all of the data on the device too. Within two minutes of having physical access to the computer.

This is a company with millions of devices in use, why is this even possible? And the only way to prevent it is to have a firmware password, which, by the way, is not a default option...are you serious

Attempting to access my colleague's NFS directory on his VM, don't know the VM's IP address, hostname or password:

- 2 minutes with nmap to narrow the possible IPs down to ~30

- Ping each and look for the one with a Dell MAC prefix as the rest of us have been upgraded to Lenovo. Find 2 of these, one for the host and one for the virtual machine.

- Try to SSH to each, the one accepting a connection is the Linux VM

- Attempt login as root with the default password, no dice. Decide it's a lost cause.

- Go to get a cup of tea, walk past his desk.

- PostIt note with his root password 😶

FYI this was all allowed by my manager as he had unpushed critical changes that we needed for the release that day.

On a 5 hour bus ride for which the company advertised that they have WiFi. Technically they did, it just didn't seem to be connected to anything. (it was but it was unusable). I tried logging into the router as i always do and one default "admin" password later i was in.
I didn't want to mess up anything too badly, however i did change the wpa password to "YouShouldMakeThisABitMoreSecure"

Last night I was exploring the feasibility of cracking the WPA2 key of my own router at home. I set out on a late night adventure, set up a couple devices and, knowing the default password convention of the manufacturer, setup a Hashcat instance with the relevant masks on my laptop, created a Crunch wordlist and ran aircrack on my Raspberry Pi 3, and thought "Hey - maybe there's something for Android too."

Hashcat on Android is a cat based social media app. I'm a little scared.

Early in my career, I worked at a large American telecom for a couple years. All their HP-UX servers had the root password set to "hpworld" which was the vendor default.

More than 2 years ago I alerted management that the default password we use for client accounts (and two of the variations) were pwned in database breaches. Today we receive an all-staff email that management "has reason to believe this password may have been compromised" and that we needed to change it across the 1200+ accounts where it's being used (200+ clients, several accounts per client).

Is it unprofessional to send a few "I told you so" memes and gifs?

Another rant about my school: the default password system.
Each student's username is FirstnameLastname, and the same applies to teachers. The passwords assigned are <First initial><Last initial> for students, and the same for teachers with "teacher" appended to the end. As students, we figured out this system pretty quickly, and we were able to log into the computer system as any teacher who we knew had requested an account. (Teacher accounts had unfiltered Internet access, student accounts did not).
I now teach in this school, where they recently got Google Classrooms accounts for each teacher during Covid. The accounts use the same naming/password scheme! I somehow doubt the teachers replace their passwords, so any student clever enough to figure out the system can log into their Google for Education account.

A bit different than wk93, but still connected and a fun story.

Back in high school when it began to digitalize everything, so began our teachers journey with technology. We, as IT class were into these things, but as far as I can say, others in the school including both teachers and students were like cave mans when it came to IT.

Most of them kept the different wifi networks password on the windows desktop, in a file 'wifipassword.txt'. When we were on robotics seminar, we had to use a teacher's laptop. The wifi network was incredibly fast and powerful,, yet so poorly configured that even the configuration page user/pass was the default admin/admin, because the IT admin wasn't the most skilled one.

We got the idea to sell the password of the wifi network to other students. Not much, for about 1 dollar a week. The customer came to us, we took the phone, took note of the MAC address, entered the password, and if the guy were to stop paying every week, we just blacklisted that MAC on the next robotics course.

Went well for months, until a new sysadmin came and immediately found it out, we were almost fired from the school, but my principal realized how awesome this idea was. You may say that we were assholes, and partially that is true, I'd rather say we made use of our knowledge.

Me and my developer friend worked with my ex-colleague with this fitness directory website because he promised to give us {{ thisAmount }} upon the {{ completionDate }}.

He was my friend and I trusted him.

It took me weeks of sleepless nights building the project. I had a full-time job that time, and I worked on the project during evenings. All went well, and as we reach the {{ completionDate }}, the demo site is already up and running.

A week before the {{ completionDate }}, he hired his new wife as the COO of the startup. It was cool, she keep noticing things on the site which shouldn't be there, and keeps on suggesting sections that has to be there. I was okay with it, until I realized that we are already a month late with the deadline.

Every single hour, I get a message from them like, "it's not working", "when can you finish this feature?", blah blah blah.. and so on.

I got frustrated.

"I want my fucking life back", I told them. No one cared about the {{ completionDate }}, the sleepless zombies they are working with and our payment. They keep on coming up with this "amazing" ass features, and now they are not paying because they said "it's not complete".

Idiot enough to trust a friend. I was unprotected, there was no legal-binding document that states their obligation to pay.

My dev friend and I handed over the project to this web development company which they prefer, and kept a backdoor on the application.

I kind of moved on with the payment issue after a month. But without their knowledge, I kept an eye on the progress and made sure that I still have the access to their server, DNS, etc..

BUT when they announced the official launch on social media, I realized that I was on the wrong train the whole time.

They switched to a different server.

They thanked all the people involved with the project via social media, EXCEPT me and my coding partner who originally built the site from ground up. A little "thank you" note from them will make us feel a little better. But, never happened.

I checked up the site and it was rewritten from originally Laravel 5 to CodeIgniter 1. That is like shifting from a luxury yacht where you can bang some hot chicks, to a row boat where your left hand is holding the paddle whilst your right hand is wanking yourself.

I almost ran out of bullets.

Luckily, CodeIgniter 1 was prone to SQLi by default.

I was able to get the administrator password in plain text and fucked with their data. But that didn't make me feel better because other people's info are involved.

So, I looked for something else to screw with. What I found? A message with the credit card details.

Finally, a chance to do something good for humanity. I just donated a few thousand dollars to different charity websites.

Why the fuck do people not change their router admin password!? I was at a hotel today and could access their router admin interface with the default credentials. I guess this isn't purely the fault of the hotel because not all people know a damn thing about security and only use the interface to change the SSID and password of the AP. But why allow them to leave the default password? Why isn't this a standard feature to be forced to change the password :|

Developers overwrote default password storage alghoritm PBKDF2 to MD5.

So, I was able to hack into a local business (legally) in under two minutes today... great and scary right? Get this, it was from my iPhone. All switches were still the default username and password... after seeing that they didn't think anything was wrong and didn't sign the contract... imagine what I could have done with my laptop and my PWNtools...

Fuck it, more (l)user data for me to log.😏

Fire your whole fucking web team Bethesda

* Your design is a classic ipecac. Whatever the fuck you are doing doesn't in frontend doesn't justify the 4Mb of bandwidth I wasted on a single js file. Why the fuck can I see the whole fucking node_modules directory when looking at the sources?
I know this is supposed to be a webpage for a game development studio, but I'm seriously wondering if your budget would even get me a prostitute.
I'm a greedy fuck and want a free game. apparently your servers are only good enough to register me, but login is apparently too much to ask for. Yeah sure. Oh and also thank you for choosing an "incorrect username and password" error message by default, even though your fucking gateway timed out. Please be kind enough and punch me directly into my face next time. Not like I'll ever access that shit ever again

I'm tasked with hacking a million dollar production machine and all the PLCs have the same password for the root user, which also happens to be the name of the company producing this shit....

!rant

Need some opinions. Joined a new company recently (yippee!!!). Just getting to grips with everything at the minute. I'm working on mobile and I will be setting up a new team to take over a project from a remote team. Looking at their iOS and Android code and they are using RxSwift and RxJava in them.

Don't know a whole lot about the Android space yet, but on iOS I did look into Reactive Cocoa at one point, and really didn't like it. Does anyone here use Rx, or have an opinion about them, good or bad? I can learn them myself, i'm not looking for help with that, i'm more interested in opinions on the tools themselves.

My initial view (with a lack of experience in the area):

- I'm not a huge fan of frameworks like this that attempt to change the entire flow or structure of a language / platform. I like using third party libraries, but to me, its excessive to include something like this rather than just learning the in's / out's of the platform. I think the reactive approach has its use cases and i'm not knocking the it all together. I just feel like this is a little bit of forcing a square peg into a round hole. Swift wasn't designed to work like that and a big layer will need to be added in, in order to change it. I would want to see tremendous gains in order to justify it, and frankly I don't see it compared to other approaches.

- I do like the MVVM approach included with it, but i've easily managed to do similar with a handful of protocols that didn't require a new architecture and approach.

- Not sure if this is an RxSwift thing, or just how its implemented here. But all ViewControllers need to be created by using a coordinator first. This really bugs me because it means changing everything again. When I first opened this app, login was being skipped, trying to add it back in by selecting the default storyboard gave me "unwrapping a nil optional" errors, which took a little while to figure out what was going on. This, to me, again is changing too much in the platform that even the basic launching of a screen now needs to be changed. It will be confusing while trying to build a new team who may or may not know the tech.

- I'm concerned about hiring new staff and having to make sure that they know this, can learn it or are even happy to do so.

- I'm concerned about having a decrease in the community size to debug issues. Had horrible experiences with this in the past with hybrid tech.

- I'm concerned with bugs being introduced or patterns being changed in the tool itself. Because it changes and touches everything, it will be a nightmare to rip it out or use something else and we'll be stuck with the issue. This seems to have happened with ReactiveCocoa where they made a change to their approach that seems to have caused a divide in the community, with people splitting off into other tech.

- In this app we have base Swift, with RxSwift and RxCocoa on top, with AlamoFire on top of that, with Moya on that and RxMoya on top again. This to me is too much when only looking at basic screens and networking. I would be concerned that moving to something more complex that we might end up with a tonne of dependencies.

- There seems to be issues with the server (nothing to do with RxSwift) but the errors seem to be getting caught by RxSwift and turned into very vague and difficult to debug console logs. "RxSwift.RxError error 4" is not great. Now again this could be a "way its being used" issue as oppose to an issue with RxSwift itself. But again were back to a big middle layer sitting between me and what I want to access. I've already had issues with login seeming to have 2 states, success or wrong password, meaning its not telling the user whats actually wrong. Now i'm not sure if this is bad dev or bad tools, but I get a sense RxSwift is contributing to it in some fashion, at least in this specific use of it.

I'll leave it there for now, any opinions or advice would be appreciated.

Some Project Manager outsourced a redundant RADIUS setup with MySQL backend. We got 2 copies of a daloradius appliance running on Ubuntu 10.04. Once I saw this, I started to get a bit suspicious and requested to audit the system and database redundancy. With the system in production, and without getting back any documentation, I got into the VMs using the default root password. This was not even the worst part, as I found. One server was using a local MySQL instance, while the other was also using the first one's MySQL instance. When I reported this, I was told to comment clearly any changes to the configuration files, which resulted in commenting the word SHAME above each change.

Taking charge of an existing project...

Me: "This certificate requires a password. Can you send it to me"
Other dev who was earlier responsible for the project : "Just use the default one"
Me: " And what's that?"
Other dev: "CHANGEIT"! All caps
Me: 😐

Our parent company wouldn’t give us DB login credentials to a customer server outside our territory... we tried the default username and password and it worked...

Security in defense is a joke.

New hire does not have accts set up told him over and over!

He decides to go into a classified area and just try. Common last name with first initial.

Guess what he was able to get in because no one changed the default password!

Yep now someone with an interim clearance got access to a machine that goes from unclass to secret and then top secret!

Way back, 20 or so years ago, when I went to the university, every student got an account so that we could work with the Unix machines. Every user got the same default password, -apollo-, still remember it until today, and one day I felt a little bit evil and I tried to login to the administrator account, of course the first password I tried was the default password and it worked!!! I got super scared and told an older student about it, who was brave enough to scare the administrators a little bit by leaving a message like "you have been hacked!!!" or something similar. I was just too scared to do anything about it. All I wanted to do was see IF I could login ☺️ my few minutes of being Mr. Robot... Guess hacking was not for me 😃

Student Account Password at the university. No changes the default. It's their DOB and first two letters of the name.

Injection steps:
Open Database ( I am the Placement Representative )
Copy DOB
Paste
Add the first two alphabet
Unlocked

you know you are in some deep shit when project manager asks for username and password on dev environment

... and as bonus: IE is his default browser

Me: Hey what's the default password for this?
Classmate: password?
Me: yeah the password. What is it by default?
Classmate: no that's it. Just "password"
Me: :/

What is it with the rising trend of password fields allowing you to see your password, and (worse than that) often having it as unmasked by default?!

Who woke up one day and said "Damn, you know what would be a great idea? Unmasking the password field, so everyone can see it! Why didn't we think of that before?!"

Dahh.

So for those of you keeping track, I've become a bit of a data munger of late, something that is both interesting and somewhat frustrating.

I work with a variety of enterprise data sources. Those of you who have done enterprise work will know what I mean. Forget lovely Web APIs with proper authentication and JSON fed by well-known open source libraries. No, I've got the output from an AS/400 to deal with (For the youngsters amongst you, AS/400 is a 1980s IBM mainframe-ish operating system that oriiganlly ran on 48-bit computers). I've got EDIFACT to deal with (for the youngsters amongst you: EDIFACT is the 1980s precursor to XML. It's all cryptic codes, + delimited fields and ' delimited lines) and I've got legacy databases to massage into newer formats, all for what is laughably called my "data warehouse".

But of course, the one system that actually gives me serious problems is the most modern one. It's web-based, on internal servers. It's got all the late-naughties buzzowrds in web development, such as AJAX and JQuery. And it now has a "Web Service" interface at the request of the bosses, that I have to use.

The programmers of this system have based it on that very well-known database: Intersystems Caché. This is an Object Database, and doesn't have an SQL driver by default, so I'm basically required to use this "Web Service".

Let's put aside the poor security. I basically pass a hard-coded human readable string as password in a password field in the GET parameters. This is a step up from no security, to be fair, though not much.

It's the fact that the thing lies. All the files it spits out start with that fateful string: '<?xml version="1.0" encoding="ISO-8859-1"?>' and it lies.

It's all UTF-8, which has made some of my parsers choke, when they're expecting latin-1.

But no, the real lie is the fact that IT IS NOT WELL-FORMED XML. Let alone Valid.

THERE IS NO ROOT ELEMENT!

So now, I have to waste my time writing a proxy for this "web service" that rewrites the XML encoding string on these files, and adds a root element, just so I can spit it at an XML parser. This means added infrastructure for my data munging, and more potential bugs introduced or points of failure.

Let's just say that the developers of this system don't really cope with people wanting to integrate with them. It's amazing that they manage to integrate with third parties at all...

TLDR; Default admin login on WEP encrypted WLAN router for getting free stuff at my hair stylist studio.

Free WLAN in my hair stylist studio: They had their WEP key laying around in the waiting area. Well, I am not very happy with WEP, thought that they never heard of security. Found the default GW address, typed it into my browser and pressed Enter, logged in with admin/1234 and voila, I was root on their ADSL router 😌 Even more annoyed now from such stupidity I decided to tell the manager. All I told him was: You use a default login on your router, you give the WiFi password for free, WEP is very very insecure and can be hacked in seconds, and do you know what criminals will do with your internet access? He really was shocked about that last question, blank horror, got very pale in just one sec. I felt a little bit sorry for my harsh statement, but I think he got the point 😉 Next problem was: he had no clue how to do a proper configuration (he even didn't knew the used ISP username or such things). Telled me that 'his brother' has installed it, and that he will call him as soon as possible. Told him about everything he should reconfigure now, and saw him writing down the stuff on a little post-it.

Well, he then asked me what he can pay me? Told him that I don't want anything, because I would be happy when he changes the security settings and that is pay enough. He still insisted for giving me something, so I agreed on one of a very good and expensive hairwax. Didn't used it once 😁

Some weeks later when I was coming back for another hair cut: Free WLAN, logged in with admin/1234, got access and repeated all I did the last time once more 😎

HOW CAN YOU NOT LEARN FROM FAILS??

When you use the default username and password 🤪

Any better caption ?

ZNC shenanigans yesterday...

So, yesterday in the midst a massive heat wave I went ahead, booze in hand, to install myself an IRC bouncer called ZNC. All goes well, it gets its own little container, VPN connection, own user, yada yada yada.. a nice configuration system-wise.

But then comes ZNC. Installed it a few times actually, and failed a fair few times too. Apparently Chrome and Firefox block port 6697 for ZNC's web interface outright. Firefox allows you to override it manually, Chrome flat out refuses to do anything with it. Thank you for this amazing level of protection Google. I didn't notice a thing. Thank you so much for treating me like a goddamn user. You know Google, it felt a lot like those plastic nightmares in electronics, ultrasonic welding, gluing shit in (oh that reminds me of the Nexus 6P, but let's not go there).. Google, you are amazing. Best billion dollar company I've ever seen. Anyway.

So I installed ZNC, moved the client to bouncer connection to port 8080 eventually, and it somewhat worked. Though apparently ZNC in its infinite wisdom does both web interface and IRC itself on the same port. How they do it, no idea. But somehow they do.

And now comes the good part.. configuration of this complete and utter piece of shit, ZNC. So I added my Freenode username, password, yada yada yada.. turns out that ZNC in its infinite wisdom puts the password on the stdout. Reminded me a lot about my ISP sending me my password via postal mail. You know, it's one thing that your application knows the plaintext password, but it's something else entirely to openly share that you do. If anything it tells them that something is seriously wrong but fuck! You don't put passwords on the goddamn stdout!

But it doesn't end there. The default configuration it did for Freenode was a server password. Now, you can usually use 3 ways to authenticate, each with their advantages and disadvantages. These are server password, SASL and NickServ. SASL is widely regarded to be the best option and if it's supported by the IRC server, that's what everyone should use. Server password and NickServ are pretty much fallback.

So, plaintext password, default server password instead of SASL, what else.. oh, yeah. ZNC would be a server, right. Something that runs pretty much forever, 24/7. So you'd probably expect there to be a systemd unit for it... Except, nope, there isn't. The ZNC project recommends that you launch it from the crontab. Let that sink in for a moment.. the fucking crontab. For initializing services. My whole life as a sysadmin was a lie. Cron is now an init system.

Fortunately that's about all I recall to be wrong with this thing. But there's a few things that I really want to tell any greenhorn developers out there... Always look at best practices. Never take shortcuts. The right way is going to be the best way 99% of the time. That way you don't have to go back and fix it. Do your app modularly so that a fix can be done quickly and easily. Store passwords securely and if you can't, let the user know and offer alternatives. Don't put it on the stdout. Always assume that your users will go with default options when in doubt. I love tweaking but defaults should always be sane ones.

One more thing that's mostly a jab. The ZNC software is hosted on a .in domain, which would.. quite honestly.. explain a lot. Is India becoming the next Chinese manufacturers for software? Except that in India the internet access is not restricted despite their civilization perhaps not being fully ready for it yet. India, develop and develop properly. It will take a while but you'll get there. But please don't put atrocities like this into the world. Lastly, I know it's hard and I've been there with my own distribution project too. Accept feedback. It's rough, but it is valuable. Listen to the people that criticize your project.

Hey passwd, when I want my password to be short then I want it fucking short. Don't tell me that "f" is too weak and prevent the action. A mere warning would suffice. (And I now know that if run as root it doesn't check the password criteria. Still, the default is annoying.)

I needed a short password to workaround a weird frozen system issue on unlocking the keyring in the latest Ubuntu release. It would freeze completely while I was typing my password, and hence by making my password short, I was quicker than the freeze, and hence got a useable system again.

When a national organization leaves the administrator password on a tool that manages the entire IT Department to the default password.
Also when said default password is publicly documented, known by all trained administrators of this tool, and said tool is exposed to the Internet.

I need some opinions on Rx and MVVM. Its being done in iOS, but I think its fairly general programming question.

The small team I joined is using Rx (I've never used it before) and I'm trying to learn and catch up to them. Looking at the code, I think there are thousands of lines of over-engineered code that could be done so much simpler. From a non Rx point of view, I think we are following some bad practises, from an Rx point of view the guys are saying this is what Rx needs to be. I'm trying to discuss this with them, but they are shooting me down saying I just don't know enough about Rx. Maybe thats true, maybe I just don't get it, but they aren't exactly explaining it, just telling me i'm wrong and they are right. I need another set of eyes on this to see if it is just me.

One of the main points is that there are many places where network errors shouldn't complete the observable (i.e. can't call onError), I understand this concept. I read a response from the RxSwift maintainers that said the way to handle this was to wrap your response type in a class with a generic type (e.g. Result<T>) that contained a property to denote a success or error and maybe an error message. This way errors (such as incorrect password) won't cause it to complete, everything goes through onNext and users can retry / go again, makes sense.

The guys are saying that this breaks Rx principals and MVVM. Instead we need separate observables for every type of response. So we have viewModels that contain:

- isSuccessObservable
- isErrorObservable
- isLoadingObservable
- isRefreshingObservable
- etc. (some have close to 10 different observables)

To me this is overkill to have so many streams all frequently only ever delivering 1 or none messages. I would have aimed for 1 observable, that returns an object holding properties for each of these things, and sending several messages. Is that not what streams are suppose to do? Then the local code can use filters as part of the subscriptions. The major benefit of having 1 is that it becomes easier to make it generic and abstract away, which brings us to point 2.

Currently, due to each viewModel having different numbers of observables and methods of different names (but effectively doing the same thing) the guys create a new custom protocol (equivalent of a java interface) for each viewModel with its N observables. The viewModel creates local variables of PublishSubject, BehavorSubject, Driver etc. Then it implements the procotol / interface and casts all the local's back as observables. e.g.

protocol CarViewModelType {
isSuccessObservable: Observable<Car>
isErrorObservable: Observable<String>
isLoadingObservable: Observable<Void>
}

class CarViewModel {
isSuccessSubject: PublishSubject<Car>
isErrorSubject: PublishSubject<String>
isLoadingSubject: PublishSubject<Void>

// other stuff
}

extension CarViewModel: CarViewModelType {
isSuccessObservable {
return isSuccessSubject.asObservable()
}
isErrorObservable {
return isSuccessSubject.asObservable()
}
isLoadingObservable {
return isSuccessSubject.asObservable()
}
}

This has to be created by hand, for every viewModel, of which there is one for every screen and there is 40+ screens. This same structure is copy / pasted into every viewModel. As mentioned above I would like to make this all generic. Have a generic protocol for all viewModels to define 1 Observable, 1 local variable of generic type and handle the cast back automatically. The method to trigger all the business logic could also have its name standardised ("load", "fetch", "processData" etc.). Maybe we could also figure out a few other bits too. This would remove a lot of code, as well as making the code more readable (less messy), and make unit testing much easier. While it could never do everything automatically we could test the basic responses of each viewModel and have at least some testing done by default and not have everything be very boilerplate-y and copy / paste nature.

The guys think that subscribing to isSuccess and / or isError is perfect Rx + MVVM. But for some reason subscribing to status.filter(success) or status.filter(!success) is a sin of unimaginable proportions. Also the idea of multiple buttons and events all "reacting" to the same method named e.g. "load", is bad Rx (why if they all need to do the same thing?)

My thoughts on this are:

- To me its indentical in meaning and architecture, one way is just significantly less code.
- Lets say I agree its not textbook, is it not worth bending the rules to reduce code.
- We are already breaking the rules of MVVM to introduce coordinators (which I hate, as they are adding even more unnecessary code), so why is breaking it to reduce code such a no no.

Any thoughts on the above? Am I way off the mark or is this classic Rx?

Not only is the default password they set a piece of shit, the password field actually shows the password even after you save it, why even bother with security?

Hash your fucking passwords!

The internet kills my insides.

I know a doctor's practice which gives you your first name as a default password for your account. Watertight security for all these medical records :)

#justAthought

I was reading about public and private keys yesterday, and i had a thought: don't you think the concept of "username" is being so badly misused?

It can act as a great firewall, but we are just misusing it as an alternative to "login via email", because we are now so dumb to remember our email.
You might think of my rant as being going back in time, but think about this: my profile shows the name titanlannister. if someone got access to my password, he/she can immediately take over my complete identity because devrant allows us to login via username/password combo.

Now think of this: my username shows titanlannister. Anyone of you can write a post and mention me via @titanlannister, and this system will notify me. However even if you get my password, you are unable to hack into my profile, because my profile is only accessible via my email id/password combo, which you still don't know.

This, I would call as Platform Public Key which adds a kind of semi firewall over default public/private key combination .

What do you think?

No idea what the fuck just happened, but my home router just dropped the internet connection and started demanding that I change the admin (default) password.
Now, I know that default passwords are bad and all that, but why the fuck now? This thing has been sitting there for over a year, and it only decided to complain now?

There have been some weird things going on lately, and I'm starting to worry that some of my systems may have been compromised in some way... but I'm not sure what/how, nor how to look for it...

Any tips for identifying a breach and disaster recovery?

Calls himself hacker
Doesn't know the default password for Kali

This, thankfully, I didn't create myself. A shop I recently ordered something from had the worst username / password default combo.
After registration they gave you a default Password, your zip code. And your unchangeable username is your customer id, a five digit number which just increments for each new user. And because it is a shop which is only used by people of the same region there are maybe 10 different zip codes.

I just found out why so many accounts of mine had a lot of login attempts recently. Turns out Epic Games had a leak in 2016 with no info to its users about it. So my email and default shitty password i dont use anymore but for useless accounts got leaked...

After falling down the Manjaro hole for months I yesterday decided to leave Manjaro for Pop!_OS. I lose a bit of performance and battery life, I gain a ton of UI polish, I gain a lot of package support, and I lose some hard earned nerd points.

My NAS has an easy to install Debian tool for file sync. I can use Etcher for making bootable USB/SD for my raspberry pi. Firefox is the default browser and I can use all my plugins and password manager out of the box. Apt is easier to use than pacman. Easier Python development setup. Docs are more often written for Debian. (For some reason I spent hours trying to get powerline and oh-my-zsh working right in manjaro’s xfce terminal before giving up.)

If you create a website with a login function, please mention the password requirements on the login page (not just the signup page, in the login page too). So i know which of my default passwords i used for this website.

I hate hate hate Windows. I'm forced to use it and the amount of problems is too damn high. I was able to cope with the shit but now it must be the top of the mountain. When I boot that tiny piece of sh** I get to the page where *normally* the login is.. but I just don't get a Username + Password box . The page stays blank with the default wallpaper. Why is stuff like that even happening? Not a single *solution* I found on the internet worked. FML.. going to reset that thing now

some call
- yo bro do you have some time ?
- quick cause I'm taking a dump
- I think I have been hacked, got black screen kernel panick, linux freeze seldomly I have to reboot, no internet connexion
- save your stuff and reinstall linux
- I don't have enough stockage to backup
- Then buy one and save, probably either OS is fcked up or you have some hdd problems

Time that it will take: ~30min to reinstall whole shit
Peace duration: ~2years

Later on the same day
aunt
- I can't log into windows
- Did you change the password ?
- Yes but it does not work anymore
* looking at shit
* logs successfully. Reason: interface changed after automatic update.
* wait.
* wait some more so fucking windows fucking starts
* Desktop is ugly as fck.
* Some stupid settings messed up (like high contrast set, black theme or so)

aunt (the same)
- I can't log into my (other) laptop either
* logs
* wait more more more

Guess what: automatic updaaaates. Freezes 100%cpu

* Being a very experienced user: wait before reboot because this suckass os will probably fail to boot otherwise
* Blackscreen with a percentage: Installing updates...
* reboots
* Blackscreen with a percentage: Installing updates continuing...
* finally boot (feels like a miracle windows succeeds lol)
* still slow
aunt now sleeps
* look at running process and install programs
* sees shits like camera recognition (vendor installed), candycrush
* occasionnaly get adds

time lost: 2h
peace duration: ~3month

FFS I am a dev, not a fucking trash lover
It is already pain to fix someone os, but windows is the cream of cream

It brings no ease of use for novice user
It is so insanely slow
It has stupid settings set up by default!!!!!!!! Who FFS wants candycrush and ads
The maj are so fcking hazardous. It is 2022 pretty much the same as 15y back then. Updates take fucking eternity. And needs reboot. and are not even finished!!!

I swear I am gonna stretch my ass and install linux and any fckin other toolsuite needed so they can use Micro$$ word, which is the only fucking usecase they need windows for in the first case anyway
I SO wish this OS would die

I mean, even more than safari

Thus happened recently.

I installed vestas on our organisation's lab server. I was trying to add the user's key to gitlab.

But vestas doesn't support ssh keys by default, and i thought to go by https way

I don't remember my password, so instead of opening saved logins I was going to install gitlab on our organisation's sub domain.

Later I created custom keys inside the user's directory -_-

I recently logged into my care provider's online services for the first time, to schedule a doctor's appointment.
The login form requested the usual: username and password - but also a birth date. Which their developers implemented with the default Android datepicker control.

Meaning I had to click 'back' 339 times to get to December 1989.

fuuuuck.

So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.

We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.

So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.

“I don’t think this will be very secure”

Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.

We go back and fourth and I said I’ll get it checked with security just to keep him happy.

The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.

Updated the tickets. All dandy.

Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.

Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.

Jesus Christ I wonder why I bother sometimes.

I've been wondering about renting a new VPS to get all my websites sorted out again. I am tired of shared hosting and I am able to manage it as I've been in the past.

With so many great people here, I was trying to put together some of the best practices and resources on how to handle the setup and configuration of a new machine, and I hope this post may help someone while trying to gather the best know-how in the comments. Don't be scared by the lengthy post, please.

The following tips are mainly from @Condor, @Noob, @Linuxxx and some other were gathered in the webz. Thanks for @Linux for recommending me Vultr VPS. I would appreciate further feedback from the community on how to improve this and/or change anything that may seem incorrect or should be done in better way.

1. Clean install CentOS 7 or Ubuntu (I am used to both, do you recommend more? Why?)
2. Install existing updates
3. Disable root login
4. Disable password for ssh
5. RSA key login with strong passwords/passphrases
6. Set correct locale and correct timezone (if different from default)
7. Close all ports
8. Disable and delete unneeded services
9. Install CSF
10. Install knockd (is it worth it at all? Isn't it security through obscurity?)
11. Install Fail2Ban (worth to install side by side with CSF? If not, why?)
12. Install ufw firewall (or keep with CSF/Fail2Ban? Why?)
13. Install rkhunter
14. Install anti-rootkit software (side by side with rkhunter?) (SELinux or AppArmor? Why?)
15. Enable Nginx/CSF rate limiting against SYN attacks
16. For a server to be public, is an IDS / IPS recommended? If so, which and why?
17. Log Injection Attacks in Application Layer - I should keep an eye on them. Is there any tool to help scanning?

If I want to have a server that serves multiple websites, would you add/change anything to the following?
18. Install Docker and manage separate instances with a Dockerfile powered base image with the following? Or should I keep all the servers in one main installation?
19. Install Nginx
20. Install PHP-FPM
21. Install PHP7
22. Install Memcached
23. Install MariaDB
24. Install phpMyAdmin (On specific port? Any recommendations here?)

I am sorry if this is somewhat lengthy, but I hope it may get better and be a good starting guide for a new server setup (eventually become a repo). Feel free to contribute in the comments.

Hello there!

So apparently changing the root password on my embedded linux system from the default to anything else breaks ssh. The only error i get is, that the password has "expired".
Dis is gonna take a long time to figure out, cuz no system logger and only serial access...

Relatively often the OpenLDAP server (slapd) behaves a bit strange.

While it is little bit slow (I didn't do a benchmark but Active Directory seemed to be a bit faster but has other quirks is Windows only) with a small amount of users it's fine. slapd is the reference implementation of the LDAP protocol and I didn't expect it to be much better.

Some years ago slapd migrated to a different configuration style - instead of a configuration file and a required restart after every change made, it now uses an additional database for "live" configuration which also allows the deployment of multiple servers with the same configuration (I guess this is nice for larger setups). Many documentations online do not reflect the new configuration and so using the new configuration style requires some knowledge of LDAP itself.
It is possible to revert to the old file based method but the possibility might be removed by any future version - and restarts may take a little bit longer. So I guess, don't do that?

To access the configuration over the network (only using the command line on the server to edit the configuration is sometimes a bit... annoying) an additional internal user has to be created in the configuration database (while working on the local machine as root you are authenticated over a unix domain socket). I mean, I had to creat an administration user during the installation of the service but apparently this only for the main database...

The password in the configuration can be hashed as usual - but strangely it does only accept hashes of some passwords (a hashed version of "123456" is accepted but not hashes of different password, I mean what the...?) so I have to use a single plaintext password... (secure password hashing works for normal user and normal admin accounts).

But even worse are the default logging options: By default (atleast on Debian) the log level is set to DEBUG. Additionally if slapd detects optimization opportunities it writes them to the logs - at least once per connection, if not per query. Together with an application that did alot of connections and queries (this was not intendet and got fixed later) THIS RESULTED IN 32 GB LOG FILES IN ≤ 24 HOURS! - enough to fill up the disk and to crash other services (lessons learned: add more monitoring, monitoring, and monitoring and /var/log should be an extra partition). I mean logging optimization hints is certainly nice - it runs faster now (again, I did not do any benchmarks) - but ther verbosity was way too high.

The worst parts are the error messages: When entering a query string with a syntax errors, slapd returns the error code 80 without any additional text - the documentation reveals SO MUCH BETTER meaning: "other error", THIS IS SO HELPFULL... In the end I was able to find the reason why the input was rejected but in my experience the most error messages are little bit more precise.

Web development -

Caution: boring question

Have anyone worked on anything like a form builder like by giving a name generating a table with default columns and new folder for controller , models inheriting a base class that can provide a CRUD functionality ?

In my company they have a cool module builder that allow you to add any field email ,file, password,connector field - connect two modules one 2 one relationship clonable field many to many built on php.

I tried and created one using python Flask framework but without restarting app the routes are not getting registering asked in stack overflow got downvoted

Any thoughts?

I recently started working on laravel. As the community says it was easy to get along with the framework and its methodologies. But then i had to do multiple login with framework in same domain.

Oh man, i spent a week to make it work. All those guards and middlewares realted to login was driving me crazy. The concept was clear, but somehow the framework was like "You! I shall make you spend a week for my satisfaction". The project demo was nearing and i was doing all kind of stuff i found. Atlast after continous tries it worked. Never in my 4+ years as a developer i had to face such an issue with login.

So here is how it works,if anyone faces the same issue:
(This case is beneficial if you're using table structures different from default laravel auth table structures)

1. Define the guards for each in auth.php
Eg:
'users' => [
'driver' => 'session',
'provider' => 'users',
],
'client' => [
'driver' => 'session',
'provider' => 'client',
],
'admin' => [
'driver' => 'session',
'provider' => 'admins',
],

2. Define providers for each guards in auth.php
'users' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
'table' => '<table name>', //Optional. You can define it in the model also
],
'admins' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],
'client' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],

Similarly you can define passwords for resetting passwords in auth.php

3. Edit login controller in app/Http/Controller/Auth folder accordingly
a. Usually this particular line of code is used for authentication
Auth::guard('<guard name>')->attempt(['email' => $request->email, 'password' => $request->password]);
b. If above mentioned method doesn't work, You can directly login using login method
EG:
$user = <model namespace>::where([
'username' => $request->username,
'password' => md5($request->password),
])->first();
Auth::guard('<guard name>')->login($user);

4. If you're using custom build table to store user details, then you should adjust the model for that particular table accordingly. NOTE: The model extends Authenticatable
EG
class <model name> extends Authenticatable
{
use Notifiable;

protected $table = "<table name>";

protected $guard = '<guard name>';

protected $fillable = [
'name' , 'username' , 'email' , 'password'
];

protected $hidden = [
'password' ,
];

//Below changes are optional, according to your need
public $timestamps = false;
const CREATED_AT = 'created_time';
const UPDATED_AT = 'updated_time';

//To get your custom id field, in this case username
public function getId()
{
return $this->username;
}
}

5. Create login views according to the user types you required

6. Update the RedirectIfAuthenticated middleware for auth redirections after login

7. Make sure to not use the default laravel Auth routes. This may cause some inconsistancy in workflow

The laravel version which i worked on and the solution is for is Laravel 6.x