Search - "incorrect password"
-
Me: Hi, how can i help you today?
User: Hi IT, I can't enter to my computer, i put my password and it says it's incorrect.
Me: Ok, hold me a few.
(10 seconds without doing anything)
Me: Try again.
User: It worked! Thanks!! -
Holy fuck, muscle memory just saved my ass.
At a train station wanting to do some work on my mini laptop which has disk encryption (LUKS I think). Realised that I forgot the password partly 😬
Few tries.... incorrect. FUCK.
*hey, let's try to let my hands do the work based on muscle memory!*
*starts typing the password (it's insanely long) and presses enter*
*successfully unlocked, booting...*
😅 -
Me - "Has anyone changed the password on the print computer"
Him - "It's the same one."
Me - "Carrots99?"
Him - "Yeah, what's the message that comes up?"
Me - "Password is incorrect."
The dumbest conversation I've ever had in my fucking life. You little shit, I know you changed the password just to fuck with people. You've been reading too many books on elevating yourself, tried to be important for something. It means fuck all if you can't remember what you changed it to. So you held up two hours of my work, not to mention everyone else, because you can't help but stick your beak in shit. You don't think people can't see what you're doing? Watching you scurry over to the computer with a big smile, only to fuck off silent as a mouse not to be seen mumbling some shit about a system administrator. Yeah you forgot it you prick.
Stop sucking up to the boss, and commanding people on what to do, when you're as junior as junior gets. Don't change our fucking passwords, just so you can have the whole team approach you the next day asking for you, then not remember them. You cunt. -
I strongly dislike the www part in domain names (the subdomain, really), that's not really news anymore.
Loads of sites use it which I find annoying as fuck for some reason but so be it. (I understand that its very logical to loads of people)
And then you get a client who calls in because the email server isn't accepting her username/password.
*looks into the logs*
"incorrect authentication data: info@www.herdomain.com"
Kill it with fucking fire. -
I suddenly remembered this after being gone from my previous company for nearly a year.
So, I worked there as a tech supporter and Linux engineer.
What would often happen was clients calling with an issue regarding software of some sorts and about half the time, instead of LOOKING AT THE GODDAMN ERROR MESSAGE they'd just click it away fast and complain shit wasn't working.
I specifically remember this one case:
*big client mails complained that one of their clients' email isn't working. Screenshots weren't possible apparently so after emailing back and forth for way too long, we decide to do a screen sharing session (which we never do).*
(for the record, already emailing for hours, client very frustrated, me as well because the behavior of the software sounds impossible)
Me: alright, close everything, then open it again so I can see what happens.
Client: *opens mail client, error appears, client clicks error away faster than an arch user being able to mention they use arch*
Me: uhm.... I assume you already know what that message said and that it has nothing to do with the issue?
Client: it has nothing to do with the issue.
Me: okay... But have you at least looked the message?
Client: no but it has nothing to do with the issue.
Me: but, how'd you know if you won't look at it?
Client: it has nothing to do with the issue, okay?
Me: okay.... so, what's happening here?
Client: the user isn't receiving email anymore at this point!
Me: alright, have you checked the settings and everything?
Client: of course, all good
Me: okay but can we at least restart the software again to at least check the error message?
Client: FINE. *restarts client (pun intended, of course)*
Error message: username or password incorrect, can't connect to the server.
Client:..........
Client:............
Client:...............
Client:..................
Client:.....................
Client:..................
Client:...............
Client:............
Client:.........
Client: 😐
Client: 😶
Client: 😅
Client: 😬
Client:..... Right, I changed the password...
Client: *sets correct password*
*poof, error message gone*
Client:..... Thanks 💀
Me: you're welcome 😄
💀 -
Get a call saying password incorrect.
*Me testing login details*.... Works fine.
Tell user that it was a typo.
*They get angry*
*They start whispering to coworker "oh so it's a capital?!"*
Next thing I hear, NVM I found the issue.
*Hangs up* -
The first time I decided to hack around a bit :D
One of my teachers made a quiz software, which is only used by him (his lectures are about databases), and it is highly insecure. When I heard that it is written in C# I decided to look in its source code. The biggest problem I ran into: this program is only available on the computers in his classroom, and he monitors the computers' display. However, I successfully put it onto my pendrive without getting caught.
So when I got home, I just had to use a .NET decompiler (in this case: dotPeek) to get the fully functional source code. The basic function of the program was to download a quiz from his database server, and when it was finished, grade it client-side. Then, I realized how bad it was: It contains the number of questions, the number of correct and incorrect answers.
I've just made a modified .exe, which contained really little modification (like correctAnswers=maxQuestions, incorrectAnswers=0). Everything looks the same, you just have to click over it, and every time it will return with 100%.
And the bonus: The program connects to the database as a user with root access, and without password. I was able to log in, download (dropping was available too, but didn't try) databases (with all the answers) and so on.
Never had to use it though, it was just a sort-of experience gaining. :) -
Come back from vacation to find that 80+ e-mails were sent out to the entire team for a critical process that was failing to run due to an incorrect password. No one did anything for a week. Fixed it in 30 seconds.
-
I... uhm... I... I can't... I ... I can't even.... THIS IS LIVE IN THE CLIENT'S SITE WHERE ANYONE CAN CREATE A LOGIN WITH NO VERIFICATION WHATSOEVER AND SEE THIS WHICH IS LINKED TO A BIG RED BUTTON THAT RESETS THE WHOLE DATABASE, YOU FUCKING DUMB PIECE OF SHIT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// This event clears the entire solution in all active clients, truncates the database and also removes any stored PDFs in the server folder
$(document).on('click', '#resetDB', function () {
    // This event only happens if the user correctly enters the password, this is to prevent other users than the admin from performing this action
    var answer = prompt("Please enter the password required to perform this action.");
    if (answer == "-REDACTEDBECAUSEHOLYSHIT-") {
        socket.emit('resetDB');
    } else {
        alert("The password is incorrect, please try again!");
    }
});
AAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!111!!1!!11!1!!1!1one!one!!!11
(I'm not inventing this, even though the "site" is internal only and not accessible through the web. That does *not* make it any less stupid!) -
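The server-side counterpart to the snippet in this post, as an added example that is not the site's code and not part of the original post: the browser check is only a UI hint, so the decision to run `resetDB` is made where the event is received. The session table, the `admin` role, the five-minute re-authentication window and the `EventEmitter` stand-in for a socket connection are assumptions made for illustration.

```javascript
// Added example: authorize the 'resetDB' event on the server, not in the page.
const { EventEmitter } = require('node:events');

// Hypothetical server-side session table keyed by socket id (constructed data).
// Roles are assigned by the server at login and are never sent by the browser.
const sessions = new Map([
  ['sock-admin', { user: 'alice', role: 'admin', reauthAt: Date.now() }],
  ['sock-stale', { user: 'alice', role: 'admin', reauthAt: Date.now() - 60 * 60 * 1000 }],
  ['sock-user', { user: 'newsignup', role: 'user', reauthAt: Date.now() }],
]);

// Assumed policy: destructive actions need a re-authentication in the last 5 minutes.
const REAUTH_WINDOW_MS = 5 * 60 * 1000;

// Every attempt is recorded, allowed or not, so refused resets are visible.
const auditLog = [];

// Decide from server-held state only; nothing the client sends is trusted.
function authorizeReset(socketId, now = Date.now()) {
  const session = sessions.get(socketId);
  if (!session) return { allowed: false, reason: 'no-session' };
  if (session.role !== 'admin') return { allowed: false, reason: 'not-admin' };
  if (now - session.reauthAt > REAUTH_WINDOW_MS) {
    return { allowed: false, reason: 'reauth-required' };
  }
  return { allowed: true, reason: 'ok' };
}

// Register the handler. resetDatabase is the destructive operation, passed in
// so that it runs only after the authorization decision.
function attachResetHandler(socket, resetDatabase) {
  socket.on('resetDB', (ack) => {
    const decision = authorizeReset(socket.id);
    auditLog.push({ socketId: socket.id, event: 'resetDB', ...decision });
    if (decision.allowed) resetDatabase();
    if (typeof ack === 'function') ack(decision);
  });
}

// Simulate a 'resetDB' message arriving on a connection. EventEmitter stands
// in for the real socket object; emit() here plays the role of the network.
function simulateReset(socketId) {
  const socket = new EventEmitter();
  socket.id = socketId;
  let resets = 0;
  attachResetHandler(socket, () => { resets += 1; });
  let reply = null;
  socket.emit('resetDB', (decision) => { reply = decision; });
  return { resets, reply };
}
```

With this in place, hiding the button or removing the prompt changes nothing about who can trigger the reset, because a client that skips the page's JavaScript still hits `authorizeReset`.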
'Incorrect password.'
"I must've forgotten the password. Let me change it".
'Old and new passwords cannot be same'
o_O -
Day 1 10:00 am
Login to email account (Zimbra)
Your password is incorrect (I entered it correctly, this was a permanent issue, used to happen in the company with many employees)
Reset your password by logging into internal company portal.
11:00 am
Logged into company portal, somehow. 2 Mbps internet shared among 104 people, you can imagine the speed.
Reset email password
* your password has been sent to your email id*
Are you fucking kidding me? U have emailed me the password to the same email I can't log in to?
Where did the architecture designer get this top notch weed from?
Day 2
Asked HR to reset my password (using a colleague's email)
Day 3
No reply from HR yet
Day 4
I went to meet HR, she's on vacation. So they have 1 person managing the password reset, for 5000 people with no backup person. Cool.
Day 5
Your internal company password has expired. Check your email for link to create new password. This is some next level shit going on.
Day 6
I called up Internal IT team to generate a new email for me.
They asked me to raise a ticket.
I can't raise a ticket because the only way to do so, is through the portal.
Day 7
Nothing. Btw, personal email and all social networks were banned. You can't even open stackoverflow.
And this was a research lab, amazing huh?
Day 8
Loss of pay for 4 days since I can't login to company portal to fill timesheet.
Day 9
HR comes back. Resets my password.
I try to generate my new password for portal.
The password policy:
Password can't be same as last 10 passwords
Passwords expire every week
8 characters minimum, 2 upper case, 2 lower case, NO SPECIAL SYMBOL. WTF. How long do u think its gonna take to crack that?
Fuckers had a company wise policy to automatically lock PC every 1 min if not used. Who the fuck can keep on using it continuously! I'm reading an article, and bam! Locked. 2 wrong entries and that's it, repeat all steps again. Fuckers really didn't want to let me do my job, just keep on logging in all day. -
I put both my username and password as "incorrect". So that everytime i mess up, my computer reminds me that my login is incorrect!
-
Auth Endpoint:
user name and password correct:
- response 200: with session key and profile info
user name and password incorrect:
- response 200: blank
smh -
I make a typo in the username
"username doesn't exist"
I fix the typo and mess up the password
"incorrect password"
... I smell a potential exploit here... -
Yea, that seems about right. When the user gives an incorrect password, throw an Internal Server Error.
Great API design! -
when you type faster than computer response:
------------------------
Ubuntu 16.04.5 LTS server tty1
server login: sysadmin
adminPassword:
Login incorrect
server login: sysadmin
Password:
sysadmin@server:~$ _
------------------------
"FUCKING SHIT !"
*sees if there are anyone in the back*
*saw no one*
"fiuuh... what a relief"
sysadmin@server:~$ clear -
Computer - Enter password
Man - password
Computer - Your password is incorrect
Man - incorrect
Computer - try again
Man - again -
A friend of mine did this.
Login: yes
Password: Don't have one
Password is incorrect
Login: yes
Password: incorrect -
That oh shit moment when you just installed arch and exit your root shell after creating a new user for yourself only to realize that you didn’t add yourself to sudo group.
*logs back in as roo——*
*password incorrect*
*tries again*
*password incorrect*
[repeat about 5 more times]
Fuck.
So apparently I made the SAME typo twice while setting the password and then the first login was a lucky third typo in a row.
Gotta reinstall now. Glad I didn’t have any desktop environment installed yet. -
Today my grandmother called and told me she wasn't able to login to her account for her ISP. Alright, maybe she's confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"
You and your fucking outdated auth practice can go and kindly fuck yourself. Fix this shit before I get real mad. -
ALMOST HALF AN HOUR SPENT TRYING TO LOG INTO MY FUCKING RASPBERRY PI OVER SSH.
you know what the problem is?
I’m not gonna tell you because I want you to feel the agony too.
> be me
> want to set up a nextcloud instance on pi to play with
> boot up
> ssh pi
*enter password*
*password incorrect*
^tries like 60 more times with different things
> pulls HDMI out of PC
> connect to pi direct
*please login*
*enter password*
Hackerman_voice_im_in.mp3
Wtf.xml
> check the logs
>try login from phone
Fuckyou.jpg
>Tries resetting password
Fuckyou-final.jpg
>tried logging into other pi
Fuckyou-final2.jpg
>*wtf’s harder*
Andthenithitme.png
>type @ sign
Pi: “
> OHHHHHHH -
sudo pacman -S [package]
Sudo: password for algo:
*Types y to accept package install*
Password incorrect, try again -
“Hey what’s this issue? Can you tell me what’s going on?”
“Yeah sure, what is it?”
[login page alert displaying “your email or password is incorrect, please try again.”]
How do people like this live? How do they not forget how to breathe or eat? -
Hey Citrix:
How about if my account is locked, you give me an error saying "my account is locked" and not "incorrect username and password"
SO I CAN KNOW WHAT I NEED TO DO TO FIX THE ISSUE YOU JACKASSES. -
WTF is wrong with these Govt websites...!!!
Trying to login
"Password is incorrect"
Clicked on reset password,
Now guess what happened next...
They said,
.
ENTER YOUR CURRENT PASSWORD!!!1 -
It's 5pm whooooo!
Let's quickly bash this last query out for the day - seeing as I should have finished an hour ago anyway.
Spin up VM, it's been inactive for 6 months.... yay, login... "incorrect password" tries again "incorrect password", did I forgot it... no it's been the same for years,
ok let's try again slowly,
ok logged in,
jump into mysql,
write up this query,
join this table, join that table, join this other table, and this other, and this one, hahaha, and this one over here... sweet it's been months and I still no my way around this maze!
And now for the moment of truth... run!
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
And bam, black screen, loading spinner, "Windows is updating"
NOoOooOooOooo!
Fuck it I'm out! -
Being the dumbest smart person is way better than being the smartest dumb person. Here is looking at anyone ever trying to tell me how to do my job yet you cannot read a fucking error message. Yes incorrect password means you got it wrong, dim witted cunt
-
Fire your whole fucking web team Bethesda
* Your design is a classic ipecac. Whatever the fuck you are doing in frontend doesn't justify the 4Mb of bandwidth I wasted on a single js file. Why the fuck can I see the whole fucking node_modules directory when looking at the sources?
I know this is supposed to be a webpage for a game development studio, but I'm seriously wondering if your budget would even get me a prostitute.
I'm a greedy fuck and want a free game. Apparently your servers are only good enough to register me, but login is apparently too much to ask for. Yeah sure. Oh and also thank you for choosing an "incorrect username and password" error message by default, even though your fucking gateway timed out. Please be kind enough and punch me directly into my face next time. Not like I'll ever access that shit ever again -
Got a strange thing today in class, as a teacher in programming. We have a lab where the computers haven't yet their final configuration ended, so the user used by the students is the administrator of the computer. And today, a student calls me and tell "sir, the password isn't the one you gave to us" (temporary the same for each machine until we fix the configuration).
Go to student's place, password incorrect with a hint "you know the code : up, up, down, down... oh, you don't know, huh? Too old! Too bad!"
Password was - of course - "konami".
But... how a student born in 1997 can think he can troll me with the konami code?!
He wasn't even born when I played on the NES as kid!
Sometimes I'd like to teach my students how to fly by tossing them by the windows... -
I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.
-
*leaning back in the story chair*
One night, a long time ago, I was playing computer games with my closest friends through the night. We would meet for a whole weekend extended through some holiday to excessively celebrate our collaborative and competitive gaming skills. In other words we would definitely kick our asses all the time. Laughing at each other for every kill we made and game we won. Crying for every kill received and game lost. A great fun that was.
Sleep level through the first 48 hours was around 0 hours. After some fresh air I thought it would be a very good idea to sit down, taking the time to eventually change all my accounts passwords including the password safe master password. Of course I also had to generate a new key file. You can't be too serious about security these days.
One additional 48 hours, including 13 hours of sleep, some good rounds Call of Duty, Counter Strike and Crashday plus an insane Star Wars Marathon in between later...
I woke up. A tiring but fun weekend was over again. After I got the usual cereals for breakfast I sat down to work on one of my theory magic decks. I opened the browser, navigated to the Web page and opened my password manager. I type in the password as usual.
Error: incorrect password.
I retry about 20 times. Each time getting more and more terrified.
WTF? Did I change my password or what?...
Fuck.
Ffuck fuck fuck FUCKK.
I've reset and now forgotten my master password. I completely lost memory of that moment. I'm screwed.
---
Disclaimer: sure it's in my brain, but it's still data right?
I remembered the situation but until today I can't remember which password I set.
Fun fact. I also could not remember the contents of episode 6 by the time we started the movie although I'd seen the movie about 10 - 15 times up to that point. Just brain afk. -
SO MAD. Hands are shaking after dealing with this awful API for too long. I just sent this to a contact at JP Morgan Chase.
-------------------
Hello [X],
1. I'm having absolutely no luck logging in to this account to check the Order Abstraction service settings. I was able to log in once earlier this morning, but ever since I've received this frustratingly vague "We are currently unable to complete your request" error message (attached). I even switched IP's via a VPN, and was able to get as far as entering the below Identification Code until I got the same message. Has this account been blocked? Password incorrect? What's the issue?
2. I've been researching the Order Abstraction API for hours as well, attempting to defuddle this gem of an API call response:
error=1&message=Authentication+failure....processing+stopped
NOWHERE in the documentation (last updated 14 months ago) is there any reference to this^^ error or any sort of standardized error-handling description whatsoever - unless you count the detailed error codes outlined for the Hosted Payment responses, which this Order Abstraction service completely ignores. Finally, the HTTP response status code from the Abstraction API is "200 OK", signaling that everything is fine and dandy, which is incorrect. The error message indicates there should be a 400-level status code response, such as 401 Unauthorized, 403 Forbidden or at least 400 Bad Request.
Frankly, I am extremely frustrated and tired of working with poorly documented, poorly designed and poorly maintained developer services which fail to follow basic methodology standardized decades ago. Error messages should be clear and descriptive, including HTTP status codes and a parseable response - preferably JSON or XML.
-----
This whole piece of garbage is junk. If you're big enough to own a bank, you're big enough to provide useful error messages to the developers kind enough to attempt to work with you. -
I deployed one of our staging websites to a free plan because the site is rarely used. Project Manager sends the stakeholders the new url. There will be a lot of 🤦♀️🤦♂️🤦 all around. Some of it’s my fault. A lot of it is just WTF.
Stakeholder: We still need the staging site because we don’t want to test in the live site…
PM: Okay. We didn’t say we were deleting the site. We are just moving it to a new and better hosting platform, so we’re letting you know the url has changed.
Stakeholder: This url is for the front facing page. How do I access the backend? [they mean the admin interface]
Me: The only thing that’s changed is the url for the staging website. So domain-A/account is now domain-B/account.
I thought that was a pretty straightforward way of explaining things, that even a non technical person would get it. They took the /account example as the literal login url.
Stakeholder: I forgot the password for our admin login and I submitted a password reset, but I realize I don’t know if I have access to the admin email. Or if it’s even a real email account.
WTF
I look back at the email chain and I realize that I gave the PM the wrong url.
Also, WTF x 2. How did this stakeholder not realize they were looking at the wrong website?? There are definitely noticeable style and content differences. And why would you have an admin login that uses a fake email??
Me: My apologies. I sent over the incorrect url. My instructions are mostly the same. All that’s changed is the domain.
Stakeholder’s assistant: [DMs me] How do we access the backend?
WTF…are they seriously playing this game and demanding I type out the url for them?! 🤬 I’m not playing this game and I just copy and paste the example that I already sent over.
They figure it out eventually. Apparently, they never used /account to login before. They used /admin/index… but that would still bring them to /account, but with ?redirect=/admin/index appended to the url if they weren’t logged in. Again, WTF.
I know I made mistakes in this whole thing, but damn. I can’t even. I’m pretty sure this whole incident is fueling my boss’s push to stop supporting this particular website anymore so I can focus on sites that actually bring in revenue…and have stakeholders that aren’t looney and condescending like this. -
I need some opinions on Rx and MVVM. Its being done in iOS, but I think its fairly general programming question.
The small team I joined is using Rx (I've never used it before) and I'm trying to learn and catch up to them. Looking at the code, I think there are thousands of lines of over-engineered code that could be done so much simpler. From a non Rx point of view, I think we are following some bad practises, from an Rx point of view the guys are saying this is what Rx needs to be. I'm trying to discuss this with them, but they are shooting me down saying I just don't know enough about Rx. Maybe thats true, maybe I just don't get it, but they aren't exactly explaining it, just telling me i'm wrong and they are right. I need another set of eyes on this to see if it is just me.
One of the main points is that there are many places where network errors shouldn't complete the observable (i.e. can't call onError), I understand this concept. I read a response from the RxSwift maintainers that said the way to handle this was to wrap your response type in a class with a generic type (e.g. Result<T>) that contained a property to denote a success or error and maybe an error message. This way errors (such as incorrect password) won't cause it to complete, everything goes through onNext and users can retry / go again, makes sense.
The guys are saying that this breaks Rx principles and MVVM. Instead we need separate observables for every type of response. So we have viewModels that contain:
- isSuccessObservable
- isErrorObservable
- isLoadingObservable
- isRefreshingObservable
- etc. (some have close to 10 different observables)
To me this is overkill to have so many streams all frequently only ever delivering 1 or none messages. I would have aimed for 1 observable, that returns an object holding properties for each of these things, and sending several messages. Is that not what streams are suppose to do? Then the local code can use filters as part of the subscriptions. The major benefit of having 1 is that it becomes easier to make it generic and abstract away, which brings us to point 2.
Currently, due to each viewModel having different numbers of observables and methods of different names (but effectively doing the same thing) the guys create a new custom protocol (equivalent of a java interface) for each viewModel with its N observables. The viewModel creates local variables of PublishSubject, BehaviorSubject, Driver etc. Then it implements the protocol / interface and casts all the locals back as observables. e.g.
import RxSwift

protocol CarViewModelType {
    var isSuccessObservable: Observable<Car> { get }
    var isErrorObservable: Observable<String> { get }
    var isLoadingObservable: Observable<Void> { get }
}

class CarViewModel {
    let isSuccessSubject = PublishSubject<Car>()
    let isErrorSubject = PublishSubject<String>()
    let isLoadingSubject = PublishSubject<Void>()
    // other stuff
}

extension CarViewModel: CarViewModelType {
    // Each subject is exposed to callers as a read-only Observable
    var isSuccessObservable: Observable<Car> {
        return isSuccessSubject.asObservable()
    }
    var isErrorObservable: Observable<String> {
        return isErrorSubject.asObservable()
    }
    var isLoadingObservable: Observable<Void> {
        return isLoadingSubject.asObservable()
    }
}
This has to be created by hand, for every viewModel, of which there is one for every screen and there is 40+ screens. This same structure is copy / pasted into every viewModel. As mentioned above I would like to make this all generic. Have a generic protocol for all viewModels to define 1 Observable, 1 local variable of generic type and handle the cast back automatically. The method to trigger all the business logic could also have its name standardised ("load", "fetch", "processData" etc.). Maybe we could also figure out a few other bits too. This would remove a lot of code, as well as making the code more readable (less messy), and make unit testing much easier. While it could never do everything automatically we could test the basic responses of each viewModel and have at least some testing done by default and not have everything be very boilerplate-y and copy / paste nature.
The guys think that subscribing to isSuccess and / or isError is perfect Rx + MVVM. But for some reason subscribing to status.filter(success) or status.filter(!success) is a sin of unimaginable proportions. Also the idea of multiple buttons and events all "reacting" to the same method named e.g. "load", is bad Rx (why if they all need to do the same thing?)
My thoughts on this are:
- To me it's identical in meaning and architecture, one way is just significantly less code.
- Lets say I agree its not textbook, is it not worth bending the rules to reduce code.
- We are already breaking the rules of MVVM to introduce coordinators (which I hate, as they are adding even more unnecessary code), so why is breaking it to reduce code such a no no.
Any thoughts on the above? Am I way off the mark or is this classic Rx? -
Tried to log into my laptop 4 times and got wrong password. Fumed for full 5 mins before realizing that I was using password of workplace laptop.
fml -
Got tired of Windows 10 giving me BSODs
Tried fixing it (previous rant)
Decided to get rid of it
Purged Windows 10 along with Mint for good
Booted Solus (It's awesome)
Installing..
Installation failed - Input/Output error(5)
?
Maybe ISO got corrupted
Downloaded ISO again (painfully slowly)
Installing...
Success!
Booted to Login screen
Incorrect username/password (shit)
Tried again x times (absolutely correct username and password, I'm sure)
Doesn't work
Booted from the same USB again
Format and Install (again)
Installing..
Installation failed - Input/Output error(5)
:(
I'm not sure what's going wrong here..
My laptop is soulless right now.. -
I changed all my password to "incorrect"
So whenever i forget it will tell me "your password is incorrect" -
Please don't use shake animations to signify errors, dear user interface designers.
The shake animation is a bad idea introduced to the UX (user experience) world by Apple in 2013 with iOS 7 and Mac OS, and is popularly used by FilePond in response to a failed upload. At some point, this animation was added to the Cinnamon desktop environment login screen in response to a wrong password.
The shake animation is not helpful at all. If anything, it is irritating and provocative.
The red "incorrect password" or "failed upload" text clarifies it well enough. There is no need for a shake animation to rub it into the user's face. -
For credential errors on login forms..
Do you guys follow the “OWASP standard” and won’t let the user know which field (email or password) was incorrect, just a general message or the more UX-way and let them know that it is for example the password that doesn’t match with given email (if it exists)? 🤔
Had a minor “discussion” about this with our sales-guy this afternoon why that I’m (as the full-stack, and only, developer there) not that of a fan about the UX-way.. (even thou ‘security’ is a “myth”). 😁 -
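The trade-off asked about in this post, and the "username doesn't exist" / "incorrect password" pair from an earlier rant on this page, shown side by side as an added example (not code from any poster): a login that answers differently per field next to one that answers identically, plus a check that tells the two apart. The user store, function names, field names and the 404 status on the leaky variant are assumptions; failures come back as 401 with a parseable body rather than a blank 200 or a 500.

```javascript
// Added example: per-field login errors versus one uniform failure response.
const crypto = require('node:crypto');

// Salted scrypt hash; returns what a user table would store.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed sample account store (one known user).
const users = new Map([
  ['alice@example.test', hashPassword('correct horse battery staple')],
]);

// Throwaway record so an unknown email costs the same scrypt work as a real one.
const DUMMY = hashPassword(crypto.randomBytes(16).toString('hex'));

function verify(record, password) {
  const candidate = crypto.scryptSync(password, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

function newSessionId() {
  return crypto.randomBytes(16).toString('hex');
}

// Leaky variant: the two messages quoted in the rant. A caller learns which
// emails are registered without knowing any password.
function loginLeaky(email, password) {
  const record = users.get(email);
  if (!record) {
    return { status: 404, body: { error: "username doesn't exist" } };
  }
  if (!verify(record, password)) {
    return { status: 401, body: { error: 'incorrect password' } };
  }
  return { status: 200, body: { session: newSessionId() } };
}

// Uniform variant: same status, same body and the same hashing work whether
// the email is unknown or the password is wrong.
function loginUniform(email, password) {
  if (typeof email !== 'string' || typeof password !== 'string') {
    return { status: 400, body: { error: 'bad_request' } };
  }
  const record = users.get(email.trim().toLowerCase());
  const matches = verify(record || DUMMY, password);
  if (!record || !matches) {
    return {
      status: 401,
      body: { error: 'invalid_credentials', message: 'Email or password is incorrect.' },
    };
  }
  return { status: 200, body: { session: newSessionId() } };
}

// Regression check: does the response differ between "no such account" and
// "wrong password"? True means the endpoint reveals which accounts exist.
function leaksAccountExistence(loginFn) {
  const unknownUser = loginFn('nobody@example.test', 'wrong-password');
  const wrongPassword = loginFn('alice@example.test', 'wrong-password');
  return JSON.stringify(unknownUser) !== JSON.stringify(wrongPassword);
}
```

The same comparison applies to sign-up and password-reset forms, which leak the same fact if they answer "email already registered" or "no such account".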
$ Login: phoomparin
*types in password*
Incorrect Password.
*rushes to type user and passwd again*
Password shows in cleartext... -
I've been wondering about renting a new VPS to get all my websites sorted out again. I am tired of shared hosting and I am able to manage it as I've been in the past.
With so many great people here, I was trying to put together some of the best practices and resources on how to handle the setup and configuration of a new machine, and I hope this post may help someone while trying to gather the best know-how in the comments. Don't be scared by the lengthy post, please.
The following tips are mainly from @Condor, @Noob, @Linuxxx and some other were gathered in the webz. Thanks for @Linux for recommending me Vultr VPS. I would appreciate further feedback from the community on how to improve this and/or change anything that may seem incorrect or should be done in better way.
1. Clean install CentOS 7 or Ubuntu (I am used to both, do you recommend more? Why?)
2. Install existing updates
3. Disable root login
4. Disable password for ssh
5. RSA key login with strong passwords/passphrases
6. Set correct locale and correct timezone (if different from default)
7. Close all ports
8. Disable and delete unneeded services
9. Install CSF
10. Install knockd (is it worth it at all? Isn't it security through obscurity?)
11. Install Fail2Ban (worth to install side by side with CSF? If not, why?)
12. Install ufw firewall (or keep with CSF/Fail2Ban? Why?)
13. Install rkhunter
14. Install anti-rootkit software (side by side with rkhunter?) (SELinux or AppArmor? Why?)
15. Enable Nginx/CSF rate limiting against SYN attacks
16. For a server to be public, is an IDS / IPS recommended? If so, which and why?
17. Log Injection Attacks in Application Layer - I should keep an eye on them. Is there any tool to help scanning?
If I want to have a server that serves multiple websites, would you add/change anything to the following?
18. Install Docker and manage separate instances with a Dockerfile powered base image with the following? Or should I keep all the servers in one main installation?
19. Install Nginx
20. Install PHP-FPM
21. Install PHP7
22. Install Memcached
23. Install MariaDB
24. Install phpMyAdmin (On specific port? Any recommendations here?)
I am sorry if this is somewhat lengthy, but I hope it may get better and be a good starting guide for a new server setup (eventually become a repo). Feel free to contribute in the comments. -
If you have a hard time remembering your password, just make it the error message you would typically receive. For example, if you type in an incorrect password it will tell you "your password is incorrect" aha you can quickly remember that your password is in fact "incorrect".
-
> * npm login *
> puts everything right, uses token because of OTP
> npm login fails: incorrect user or password
you know what, fuck you -
I changed my password to "incorrect", so anytime I forget and enter the wrong thing, the computer tells me what it is.
-
Microsoft Teams login says password is incorrect then and for a captcha
I type it again but fails...
I'm like wtf... Could it be the captcha...
Which I entered in all lowercase
It doesn't say the captcha is case sensitive though..
Next few times it gives me captchas with k... Teehee me like 5 tries to login
Are we trying to verify passwords/humanness or whether I can somehow tell the difference between K and k?1