Me: IT call center.

Lady: Hi! I cant access the shared folder!

Me: Ok. I'll try and help you out. Whats happening when you click on it?

Lady: ok ok... {clicks}... Now it's asking me to entered my password. Should I enter it?

Me: Do you know it?

Lady: Yeah.

Me: yeah try entering it.

Lady: YES. That worked! Thank you so so much!!!

Me: No problem. Have a good day!

I've forgot root password to open this one...Seems no soda for me today

TLDR : I left a company which doesn't understand the concept of email id and passwords.

Me (trying to login to the alumni website) *no register user option*

Customer support - you've to click on forgot password to create an account.
Me - Wonderful

*clicks on reset password*
*enters employee id, name, email, father's name, DOB, date of joining , date of leaving, current city because apparently if I just enter my employee id it is as if they never knew me. Sigh*
*your password will be sent to your email id*

Me - okay. *waits for two weeks because I assumed someone will manually go and create my account and email me, considering the state of system. *

After two weeks,

Me - I still haven't received my password on email after I created my account. Can you please check?

After one week,

Customer support - you need to click on forget password if you forgot your password.

Me - *inventing new curse words* I have not forgot my password, I never received it in the first place!

After one week,
Customer support - yes you'll receive your password on your email id.

Me - *runs out of curse words* seriously dude?
* proceeds to reset password*
System - your password has been reset. Your new password will be sent to your email id. *apparently anyone can reset passwords if you have the employee id, which is an integer*

After a week

Me - Am I going to ever receive the password? I've tried generating passwords, resetting my password. I never get my passwords. What should I do!!

Customer support - yes you need to click on Forgot password.

Me - are you fucking kidding me!!!
You fuckers need to be fired and replaced by a FAQ page which has no question and just a single answer, because a peanut has higher IQ than you. For any questions you may have, just reset password. Goddammit idiots!
Also, which email id are you sending my passwords to?

Customer support - myname@oldcompany.com

Me - you do realize that this is the alumni website for the company. Alumni means ex members.
Being ex members, you can assume we don't have access to our company email ids obviously?

Customer support - yes.

Me - how am I supposed to get the password using my old email id then?

Customer support - you need to click on forgot password option.

I think I should probably move to the Himalayas for my anger management issues. Plus it'll be probably easier to throw idiots off a mountain.

Close relative: Hey, what is my gmail password?
Me: I have no idea.
Him: but you created the gmail account for me a couple years ago.
Me: Yeah, I helped you to create it and I warned you to remember your password.
Him: didn’t you write it down somewhere?
Me: no, I didn’t, you fucking useless piece of shit. I am not your fucking password manager.

Sent an email out in work informing everyone that we had pushed updates out to all Windows PC's.

Got the following phone call 10 minutes later:

"Hi, I can't log into the banking account app on my iPhone. Did you do something to it with your updates?"

"Nope. They were PC updates."

"Well, I'm sorry but you're wrong. It must be you! It was working yesterday."

"Again, it's not us. What's the error message you're getting on your app?"

"Invalid password"

".....then could it just be that you're entering an invalid password?"

"No, I know the password. I only changed it yesterday!"

"So it was working before you changed the password?"

"That's what i said!
I'm telling you, it's your updates."

"Okay but before we go 'troubleshoot' it, how about ringing your bank firs-"

"Oh look, it doesn't matter if you don't want to help, I don't have time for this!
I'll ring your boss and he'll uninstall the updates for me and fix the app." *hangs up*

Creating a new account is always fun...

"This Is My Secure Password" <-- Sorry, no spaces allowed.

"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number

"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character

"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed

"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed

"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters

"Fuck" <-- Sorry, passwords must longer than 6 characters

"Fuck_it" <-- Sorry, passwords can't contain bad language

"Password_1" <-- Accepted.

I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use to password_hash function as MD5 is not secure...

He said no we can't get a password from MD5 hashed string. It's one way hashing...

So I asked him to take couple of passwords from the users table and try to decode those in any online MD5 decoder and call me after that if he still thinks MD5 is secure.

I have not got any call from him since.

If you think you know the most idiot person in the world, you haven't met my brother.

His brain absolutely can't comprehend anything!

He forgot his Roblox password and told me to do something. I said I can't do anything about it. Then he yelled at the top of his lungs saying, "you don't know technology! You're too stupid and selfish. Fix it!"

I said I can't do anything about it. He throws the mouse at me and says, "I never get to have fun. You ruin my life!"

He's not a little kid btw. He's fucking 14.

Today my mom forgot to pay the wifi password, and she thinks its better not to pay it today so it can stop my brother from playing games. (He plays it from morning to night. No homework, no cleaning, no nothing. Just games all day.)

So he told me to fix it. I said I cant. There's nothing I can do. Then he punches my arm really hard. (He's taller and stronger than me so it really hurt) then he threw a shoe and said, "you're useless and stupid! You have your laptop so you can have fun but I never get to have fun. You ruin my life, and I hate you. I hate my life."

Then he ran to mess up my room by tossing things from the self, removing clothes from my closet, and messed up my bed. He pushed my sister, pulled my hair, and ran to his room, slamming the door.

Please. Please someone give him a brain! He desperately needs one. I said I can't fix it, and that my mom has to pay the WiFi bill, but he thinks I'm being mean.

He has the mind of a 5 year old. Dropping to the ground crying.

Got my new workstation.
Isn't it a beauty?

Rocking a Pentium II 366 MHz processor.
6 GB HDD.
64 MB SDRAM.
1 minute of battery life.
Resolution up to SXGA (1280x1024)
Removable CD-Rom drive.
1 USB port (we like to use dongles, right?)

Also it has state of the art security:
- No webcam
- No Mic
- Removable WiFi
- I forgot the password

And best of all:
It as a nipple to play with!!

Was at a friends place recently and he asked me to set a new WiFi password. Fair enough!
Me: what's the routers login?
He: Oo. No clue.
*me trying a few combinations*
*hmmm not working let's try one more time*
Router: you have entered the wrong credentials five times. Fill in a new password to regain access!

😵😨😧😱😷😲

So I work in IT for the police. I just received an "unneeded" encrypted smartphone.

I had to reconfigure it, in order to give it to the next policeman. Unfortunately nobody knew the password and there is actually no way to reset this damn thing.Trust me, i did my research.

About 2 days later i receive an angry call by the policeman that should be using the phone by now.

Policemen: "Why is my phone not ready yet?"
Me: "it's encrypted and nobody has the password."
Policemen: "Well just ask the previous owner then!"
Me:"It's a little difficult..."
Policemen: "Why?!?"
Me: "He shot himself."

Well, I though ... never mind

What the actual fuck? Person (or people!) who devised this password policy, you are an idiot (or idiots - all of you). You are stupid and insane and have no idea about security or user experience.

"Could I get your wifi password?"
"Just use the neighbour's"
"Don't you have your own?"
"Yes, but it's just a repeater of his"
The neighbor has no idea.
I love how people from the Balkans don't give a fuck about anything.

!rant
So it turns out that my dad accidentally took my spare laptop on a work trip. He's about as non-tech as you can get, and that laptop runs...Arch Linux. Yeah.

(call from dad)
M: hi dad
D: what's your desktop password?
M: (confused) {Password}
D: okay.
(cuts the call)

M: *shrug*

(call from dad)
M: hi dad
D: so where is PowerPoint?! where's the Windows button?! I've been at this for half an hour now and I have to edit a presentation for tomorrow!!
M: (realizes what's happened) oh...uh...dad...that's.. Linux...
D: don't you people do anything the way it's supposed to be done?
M: uh...
D: ugh! So you can't edit PPTs on this?
M: (processing...LibreOffice isn't installed on the laptop, and he will have to use the command line to connect to the internet to use Office Online or Google Slides since the Deepin WiFi module keeps fucking up for some reason)
D: well?
M: (internal sigh) No, you can't edit PPTs on that.
D: wow.
(cuts the call)

He either thinks we're all useless or that we have godlike computer skills to be able to edit PPTs on Linux. Oh well.

(He managed to use the hotel's "workstation" to get it done, so all is well. I should tell him to change his password though, hotel computers have rubbish security.)

Manager: "The password must be encrypted to store it inside the database."
Me: "Great! No problem."
Manager: "Then it must have a copy of the unencrypted password to send it by email."
😐

Sister = bee ( who isn't a stranger to Ubuntu)
Me = Cee

Bee: can I use your laptop?
Cee : why ? Use yours ,it's works fine.
Bee : no I want to use yours and I need to work with windows.
Cee: 🤯
Bee : my work can only be done using windows.
Cee : fine do whatever ( doesn't want to argue )
* Le bee opens MS word, and starts her work *
Cee : 😤😤Seriously?
Bee : I don't like libre
Cee : 😑😑😑^∞
* Few moments later *
Bee : my work is done ,you can have your laptop,btw it's updating.
Cee : 😑😑😑😑😑
* 2000 years later *
*Opens Ubuntu *
*Getting a weird bug*
*Tried to fix *
*Can't open OS files * 👏👏👏🎆
* Windows not shutdown properly *
* Opens windows *
* Not able to login via pin *
* Password ? not accepted *
* Changes outlook password *
* Please chose a password you haven't chosen before *
* Logs in *
* types old pin to change pin *
*You've entered wrong pin too many times *
*System hanging a lot *
* Removes pin *
* Gets huge mcAfee restart system popups , every 10 sec *
* Just shutdown , feels irritated for the rest of the day*

* Regrets dual booting, shd have wiped the windows partition 😫😫*

*Wonders,what the hell did my sister even do to my laptop ?*

Started using longer passphrases for logins, colleague starts to tell people I'm doing bad things because"no one needs a password that long"

I get reprimanded by my boss

How the hell does this even happen smh

Fuck these movie people:
You run "sudo apt-get update.." and you say we've got the signal. Your f*cking signal! Am sure someone even typed the password for you. I update my system every 5 minutes I have got no signal. F*ck you again. I'm not watching the movie again. P*ssing me off.

Please for the love of god name your variables in a sensible way! How the FUCK am I supposed to read your shitcode if you decide to write 6 (!!!) nested loops with variables each named by exactly one character. With no comments whatsoever!

I would rather crack password hashes than this nonsense.

I recently found a company that used employee social security numbers as their login username and their MMDDYYYY as their password (which could not be changed) also their entire network was using a router with no wifi password set. :/

*signs up for Skillshare*
> Sorry, your password is longer than our database's glory hole can handle.
> Please shorten your password cumload to only 64 characters at most, otherwise our database will be unhappy.

Motherf-...

Well, I've got a separate email address from my domain and a unique password for them. So shortening it and risking getting that account stolen by plaintext shit won't really matter, especially since I'm not adding payment details or anything.

*continues through the sign-up process for premium courses, with "no attachments, cancel anytime"*
> You need to provide a credit card to continue with our "free" premium trial.

Yeah fuck you too. I don't even have a credit card. It's quite uncommon in Europe, you know? We don't have magstripe shit that can go below 0 on ya.. well the former we still do but only for compatibility reasons. We mainly use chip technology (which leverages asymmetric cryptography, awesome!) that usually can't go much below 0 here nowadays. Debit cards, not credit cards.

Well, guess it's time to delete that account as well. So much for acquiring fucking knowledge from "experts". Guess I'll have to stick to reading wikis and doing my ducking-fu to select reliable sources, test them and acquire skills of my own. That's how I've done it for years, and that's how it's been working pretty fucking well for me. Unlike this deceptive security clusterfuck!

Come back from vacation to find that 80+ e-mails were sent out to the entire team for a critical process that was failing to run due to an incorrect password. No one did anything for a week. Fixed it in 30 seconds.

I... uhm... I... I can't... I ... I can't even.... THIS IS LIVE IN THE CLIENT'S SITE WHERE ANYONE CAN CREATE A LOGIN WITH NO VERIFICATION WHATSOEVER AND SEE THIS WHICH IS LINKED TO A BIG RED BUTTON THAT RESETS THE WHOLE DATABASE, YOU FUCKING DUMB PIECE OF SHIT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

// This event clears the entire solution in all active clients, truncates the database and also removes any stored PDFs in the server folder
$(document).on('click', '#resetDB', function () {
// This event only happens if the user correctly enters the password, this is to prevent other users than the admin from performing this action
var answer = prompt("Please enter the password required to perform this action.");
if(answer == "-REDACTEDBECAUSEHOLYSHIT-") {
socket.emit('resetDB');
} else {
alert("The password is incorrect, please try again!");
}
});

AAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!111!!1!!11!1!!1!1one!one!!!11

(I'm not inventing this, even though the "site" is internal only and not accessible through the web. That does *not* make it any less stupid!)

Our website once had it’s config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”

Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”

Day 1 10:00 am
Login to email account (Zimbra)
Your password is incorrect (I entered it correctly, this was a permanent issue ,used to happen in the company with many employees)
Reset your password by logging into internal company portal.

11:00 am
Logged into company portal, somehow. 2 Mbps internet shared among 104 people, you can imagine the speed.
Reset email password
* your password has been sent to your email id*
Are you fucking kidding me? U have emailed me the password to the same email I can't log in to?
Where did the architecture designer get this top notch weed from?

Day 2
Asked HR to reset my password (using a colleague's email)

Day 3
No reply from HR yet

Day 4
I went to meet HR, she's on vacation. So they have 1 person managing the password reset, for 5000 people with no backup person. Cool.

Day 5
Your internal company password has expired. Check your email for link to create new password. This is some next level shit going on.

Day 6
I called up Internal IT team to generate a new email for me.
They asked me to raise a ticket.
I can't raise a ticket because the only way to do so, is through the portal.

Day 7
Nothing. Btw, personal email and all social networks were banned. You can't even open stackoverflow.
And this was a research lab, amazing huh?

Day 8
Loss of pay for 4 days since I can't login to company portal to fill timesheet.

Day 9
HR comes back. Resets my password.
I try to generate my new password for portal.
The password policy:
Password can't be same as last 10 passwords
Passwords expire every week
8 characters minimum, 2 upper case, 2 lower case, NO SPECIAL SYMBOL. WTF. How long do u think its gonna take to crack that?

Fuckers had a company wise policy to automatically lock PC every 1 min if not used. Who the fuck can keep on using it continuously! I'm reading an article, and bam ! Locked. 2 wrong entries and that's it, repeat all steps again. Fuckers really didn't want to let me do my job, just keep on logging in all day.

> be me
> install linux on encrypted drive
> takes 8 hours to fill the drive with fake data so theres no chance of data leakage
> save encryption password to phone
> phone doesnt actually save password
> realize you dont have access to pc anymore
> cry
> reinstall linux

- I'm forced to do dev on Windows with no admin because security
- We receive patches to critical systems from outside company on FTP secured with password "asd123" and install them without reading because fuck security

So this just happened with my ISP, i have no words...

The fact you have my password in front of you in plain text is fucking terrifying and i know you do because i used to work for an ISP.

Colleagues sharing passwords.That was a big fat NO when I was a sysadmin - and for a good reason. But now, since I'm closer to development, it feels like no one really cares about the passwords. If I tell my colleague I'll take 10 minutes more because I can't log in, he OFFERS me his credentials. And sends them over saying "in case you need it". [the next day the same colleague was complaining his account is locked out. Oh, wonders! How on Earth...!]

But seriously, password sharing is a serious problem. I would fire the person on spot if I caught him sharing his credentials! This is the 8th deadly sin! IDC if they are for non-prod. Most people reuse their passwords in multiple systems, and even non-prod envs can bring the prod down! Or worse - install a trojan.

So here I am... thinking to myself how does this kid not know about the shift key?

Me: "Ok we're going to test see if you have sudo access. Please enter your password, now"
Student: ~stares at the black terminal box and begins pressing the caps lock key. The light doesn't display~
Student: "Um... what? Do I need to enter a new password?"
Me: "No"
Continues to click the caps-lock button and waiting for a light to appear on the keyboard. It doesn't. He continues clicking.
Me: "You need to press the shift button"
Him: "What???"
Me: "You need to press the shift button"
Him: "Um.. I don't understand"
Him: Presses shift button, nothing happens. Goes back to pressing caps lock button.
Me: "Your password has a capital letter in it right?"
Him: "Um... yeah."
Me: "Press the shift button to capitalize your letters."
Him: "I don't understand... Do I need to enter a new password?"
Me: "No... you need to press and hold the shift key to get a capital letter"
Him: "................................ ............................................ . . . . . .. .. .. .. .. .. . . . . . . . . . . . . ...................... . . . . . . . Oh..."
Him: "Presses and holds the shift button with his thumb and then presses the Z key."
Me: ~What in the hell are you doing?~ 🤦
Me: "Perfect it looks like you are a part of the sudoers list."
Me: "You can take you computer back."
Me: ~Do you fucking use the caps lock key to capitalize all the first letters in your sentences? Please tell me you don't!~

No, MD5 hash is not a safe way to store our users' passwords. I don't care if its been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?

Dev gets hold of me, says my service is down in QA. Works if he hits it locally, works via Postman, but via the QA app server it gives a 401.

I’m like, look, if it works everywhere else, there’s something wrong on your side in QA.

He insists, no, I must help him, and begins CCing all the managers telling them this system has been down for days.

So I eventually climb into his system, check the credentials they’re using in the QA environment, and sure enough, the password is wrong.

My first poem for programmer girl 😘😘😘

My life is incomplete without you,
You are semicolon of my life

You are my increment operator,
you make my value increases

I am username and you are my password,
without you No one can access me

You are my initializer,
without you my life would point to nothing (NULL or “0”)

If I were a function you must be my parameter,
Because I will always need you

Can you be my private variable?
I want to be only one who can access you

You are my compiler,
My life wouldn’t start without you

You are my loop condition ,
I keep coming back to you

My love to you is like recursive function,
It will never ends & Will never enter into infinite loop

Forever and Ever

TL;DR: Fuck you Apple.

10:30 PM, parent needs iPhone update to update Messenger. How hard can this be?
Need to update iPhone from 9.x to latest, which is so outdated it still required iTunes. Fk.

Boot iTunes on Windows 10 pc that is at least 10 years old.
Completely unresponsive
Crash in task manager
Launch and is completely unresponsive. (Also starts playing unrequested music.. Oh joy..)
Fuck this, go to apple.com to download iTunes exe
Gives me some Microsoft store link. Fuck that shit, just give me the executable
Google “iTunes download”. click around on shitty Apple website. Success.
Control panel. Uninstall iTunes. (Takes forever, but it works)
Restart required (of fucking course).
2 eternities later. Run iTunes exe. Restart required. Fk.
Only 1 eternity later. Run iTunes, connect iPhone.
Actually detects the device. (holy shit, a miracle)
Starts syncing an empty library to the phone. Ya, fuck that.
Google. Disable option. Connect phone. Find option to update.
Update started. Going nowhere fast. Time for a walk at 1:00 AM punching the air.
Come back. Generic error message: Update failed (-1). Phone is stuck installing update. (O shit)
1x hard reset
2x hard reset
Google. Find Apple forum with exact question. Absolutely useless replies. (I expected no less)
Google recovery mode. Get into recovery mode.
Receive message: “You can update, but if it fails, you will have to reset to factory settings”. Fuck it, here we go.
Update runs (faster this time). Fails again. Same bullshit error message. (Goddammit, fuck. This might actually be bad.)
Disconnect phone.
… It boots latest iOS version. (holy shit, there is a god)
Immediately kill iTunes. Fuck that shit.
Parents share Apple account
Sign in, 2FA required.
Fat finger the code.
Restart “welcome” process.
Will not send code. What. The. Fuck.
Requests access code on other parent’s iPhone.
No code present. What???
Try restarting welcome process again. No dice. (Of course)
Set code on other parent’s iPhone.
Get message “Code is easy to guess”. Ya. IDGAF
Use code on newly updated iPhone. Some success.
Requires reset of password.
Password cannot be the same as old password (Goddammit)
Change password.
Welcome process done.
Sign in again on same phone after welcome process done in settings. (Nice.)
Sign in again on other phone with updated password
Update Messenger.
Update hangs. Needs more space.
Delete shit.
Update frozen in App Store (Really??)
Restart iPhone.
Update Messenger.
Update complete past 2. Well that was easy.

Apple, fuck you.
Some call Android unintuitive, but I look at the settings app on iPhone and realize you aren’t any better.
This company hasn’t been innovative since 2007. Over 1000 USD for a phone? Are you fucking kidding me?
Updating an iPhone from iOS 9.x is probably uncommon anymore. But this is a fucking joke. Fix your shit.
Shit like this is why I’ll never again own an Apple product. I have HAD IT with the joke of a business.

Thanks for reading.

I used to work in a call center for a local hospital.

One night, all of our lines are swamped. Literally no time for a break between phone calls, +15 minute wait times. I answer the next call:

Me: "Its a marvelous Monday at AskIT, how may I help you?"

Doctor: "This is Dr. [Noone Care]. I need you to fix my password now."

Me: "Absolutely! You should be able to enter a new password now."

Doctor: "MY HANDS ARE NOT FOR PASSWORDS, MY HANDS ARE FOR SURGERY!"

😩 So glad I don't work for doctors anymore. Oh and the best part is, he had selected the general phone queue, rather than the doctor queue (~3 minute wait time instead).

Bank forces me to change my password. Figured I'd use Safari's strong password generation. Submit. Password changed.

Go to log in with new password. Password not saved because I had previously told Safari not to save this site's password.

Okay… so the strong password you JUST generated and submitted without showing me is now my banking password but neither of us knows what it is?

Fucking brilliant. I mean at least let me fucking copy it so I can store it in my password manager. The most hilarious thing is the message that appeared on the generated password saying my password would be available from Safari preferences. Yup, nope. Nothing there except a note saying no passwords will be stored for this site.

This is the state of Apple in 2018, folks. Fucking sad.

Had a discussion with a developer about security. His software transfers all user data (password and files) unencrypted, so anyone can grab them with wireshark. I told him that this is a severe issue. He said no its no problem because if you get hacked its your own fault, because you probably used an insecure network. NO ! YOU FUCKING MALADJUSTED SHEEP-MOLESTING OBJECT OF EXECRATION, YOU SHOULD ALWAYS ENCRYPT SENSITIVE USERDATA NO MATTER WHAT NETWORK YOU USE. FUCKING KILL ME ALREADY.
Not implementing encryption is one thing but then acting like its no problem is a fucking nother one. Why do people not understand that security of userdata is important???

My brother: “There’s no way you can remove games from my computer!”
Me: “Oh really?”
Bro: “Yes! I got password on Windows!”

He didn’t knew I had remote control setup on my PC... So I hid games on his PC

About a year ago I switched my job.
At the start everything seemed like magic. I was the It director, I've finally was able to call the shots on technologies, on new software architecture.
First step was to check the current state of the company.
"qqqq" as each pc password? Ok
No firewall from outside? Lovely
Servers running on Windows Server 2008? Spectacular
People leaving pc on after work and left the machine unlocked just not to type the password? Hell yeah
The IT dude playing games instead of working? But ofcourse
Plaintext passwords publically accessible eshop? Naturally.
The list goes on and on.
After all this time, I'm working to fix every hole like that like crazy and because it doesn't show results, I'm soon to lose my job. Well better luck next time as an intern I guess :')

Once I moved to new flat that had no internet connection yet, so I went to restaurant located under my apartment, that had WiFi secured with password. I asked for it while waiting for the order - it was "A1B2C3D4". After a while I got anoyed that it was so slow, so checked if can acces router admin page and restrict access for their clients. It turned out I can and they used default login and password, so they ended up with only my MAC whitelisted. Seemed they had connected their own business PC ("office PC") via LAN too, so I was curious if they call ISP to check it out. I checked the router settings every day, even after I got my own internet connction and they had it blocked for about 3 weeks. Then they changed WiFi password, so I came again, asked for password (another shitty one), checked router admin page and... still default login and password...

My parents are real sticklers for who is allowed to be on Netflix. They only let people on when they are present, and they never click 'save password'.

Me being a poor college student and desperate for the Netflix password, created a fake website for one of my parents to sign into.

How did I do this? I created my own localhost server with a backend database for the password to go to. I then copied the Netflix home screen and log in and asked them to log me into their account.

They said I can be on for one hour, and then they were signing me out.

I agreed to these terms.

As a small twist, I had also copied the no internet tab from Chrome for the page to redirect to. Knowing that once they logged in they would be expecting the main UI.

They logged in and then waited for the page to load. I, of course, put in a delay for the page to load and then displayed the no internet tab. They were confused and asked me to refresh, still nothing. I asked them if the router was out, and they went to check.

While they were away I quickly switched back to the real Netflix website and yelled back saying I got it working again. They came back over and saw that it was asking for a password again. They signed in and saw the main homepage and none were the wiser that day.

Once they left I checked inside the DB and found the plaintext password they typed in... The damn password was so simple, I cursed myself for not having figured it out sooner. No matter, I had my parents Netflix password.

So you're probably wondering how they didn't see the URL above and think something was off?

I pressed F11 and fullscreened my entire browser. They did ask, and I simply replied with, I don't like seeing all the crap up above when I'm streaming. No further questions, perhaps I was lucky.

A few weeks before, my neighbor came to me saying his wifi is hacked and someone is abusing it.
So I tried the wifi and found out there is no password. And the one who was abusing a simple open wifi was me XD.
So I set a password for her and disabled wps. But hopefully no one (expect devrant) will know I used that much bandwidth.

MySQL should have a recycle bin. I just deleted whole "user" table by mistake... Forgot to add where clause properly... Had to restore 2 days old backup copy. I just hope no accounts were created or someone changed their password in last 2 days....

OK I can't deal with this user anymore.

This morning I get a text. "My laptop isn't getting emails anymore I'm not sure if this is why?" And attached is a screenshot of an email purporting to be from "The <company name> Team". Which isn't even close to the sort of language our small business uses in emails. This email says that his O365 password will soon be expiring and he needs to download the attached (.htm) file so he can keep his password. Never mind the fact that the grammar is awful, the "from" address is cheesy and our O365 passwords don't expire. He went ahead and, in his words, "Tried several of his passwords but none of them worked." This is the second time in less than a year that he's done this and I thought we were very clear that these emails are never real, but I'll deal with that later.

I quickly log into the O365 admin portal and reset his password to a randomly-generated one. I set this to be permanent since this isn't actually a password he should ever be needing to type. I call him up and explain to him that it was a phishing email and he essentially just gave some random people his credentials so I needed to reset them. I then help him log into Outlook on his PC with the new password. Once he's in, he says "so how do I reset this temporary password?" I tell him that no, this is his permanent password now and he doesn't need to remember it because he shouldn't ever need to be typing it anyway. He says "No no no that won't work I can't remember this." (I smile and nod to myself at this point -- THAT'S THE IDEA). But I tell him when he is in the office we will store the password in a password manager in case he ever needs to get to it. Long pause follows. "Can't I just set it back to what it was so I can remember it?"

!dev
GOD FUCKING DAMMIT

My Mother was intelligent enough to get her phone stolen and screams at me over the phone of my brother why I can't do more than telling her the last known location

BECAUSE THEY SHUT IT DOWN
I CAN'T DO SHIT WITHOUT THE PHONE HAVING AN INTERNET CONNECTION

But what if they go through my files go into my bank account

THEY CAN'T BECAUSE YOU HAVE A PASSWORD ON IT

but they could crack it or something

NO THEY CAN'T WITHOUT TRYING FOR MONTHS OR YEARS OF POSSIBLE COMBINATIONS

but

NO BUT JUST FUCKING CALM DOWN IF THEY AREN'T THAT BAD THEN THEY WILL CALL ME IF THEY ARE ASSHOLES THEY NEED AT LEAST MAKE A FACTORY RESET AND DELETE ALL YOUR FILES
I CAN'T DO MORE THAN THIS SO FUCKING SHUT UP AND DON'T LEAVE YOUR PHONE AT A FUCKING WAITING ROOM AND DON'T BELIEVE EVERYTHING ON THE FUCKING INTERNET ESPECIALLY FACEBOOK

Thanks know I can't concentrate anymore........

The gym I go to has an app for user's to scan a QR code when they arrive and it has multiple HUGE issues.

This app shows the credit card info used for the direct debit without anything being redacted.

When the gym is signing up someone they give them a password so they can login, not too bad except the password is always the person's first name with the first letter capitalised.

This gets worse when you figure out that their is no way to change the password given to you AT ALL.

And just to top it all off, when you click the "Forgot Password" link on the login screen, the app just sends you an email with your password (your first name) in plain text.

The app also doesn't log you out or notify you if your login is used on a different device.

So I have tested this with 2 of my friends that go to the same gym and, with only knowing their email and first name (which I could have gotten from their email if I didn't know them), I can get into their app and see their credit card info without them being any the wiser.

So my ISP decided it was ok for them to log into my router remotely and re enable the wifi.

I turned it off for a reason and no your excuse that it will improve my upload speed is bullshit you stupid patronising fucking shithead.

I'm now seriously looking into cancelling my service with you because you don't respect your customers or their wishes.

Also I'm guessing there's a default backdoor password into the router as I changed all the passwords I could find. Meaning the whole thing is horribly insecure.

So my boss booked me a spot at a conference about "the future of online payments" and I received an email with auto created account (there was no sign up) with a clear text password.

I'm feeling pretty confident that I can trust them to guide and advise me on best practices when it comes to handling sensitive information.

"I know, I'll set my password as '12345'. No one will guess it because it's too simple right? RIGHT?"

Recently, one of our passwords was accidently published on a public page for a few minutes before it was noticed and removed. Unfortunately, this password opens nearly every locked account so it's a pretty big deal.

Management was informed of this mistake and told that we should change the passwords as well as implement a few other protocols to make sure this doesn't happen again including things like unique passwords, more secure passwords, using a password manager, etc.

Their response? It wasn't online long, probably no one saw it. There will be no changes in how we handle ours or our clients' secure passwords.

When you reboot your server and on boot it asks for the hdd encrypted password. I have no clue anymore. Oh how fucking happy I am that we have no users yet and are in closed alpha. Happy to learn this now so I'll never make this mistake again. 😨

*Sigh

Every single one of us here loathe this question "Hey can you hack a Facebook account for me?"

Even worse when the one asking is your mom.
😶😶😶

(Backstory, she and her friend runs a store. Shit happened between them. The friend is the one who setup the store's Facebook page. Now posting shit on that page. She's not tech savvy. I can probably brute force her password. No 2FA)

Dilemma. Dilemma.

Attempting to access my colleague's NFS directory on his VM, don't know the VM's IP address, hostname or password:

- 2 minutes with nmap to narrow the possible IPs down to ~30

- Ping each and look for the one with a Dell MAC prefix as the rest of us have been upgraded to Lenovo. Find 2 of these, one for the host and one for the virtual machine.

- Try to SSH to each, the one accepting a connection is the Linux VM

- Attempt login as root with the default password, no dice. Decide it's a lost cause.

- Go to get a cup of tea, walk past his desk.

- PostIt note with his root password 😶

FYI this was all allowed by my manager as he had unpushed critical changes that we needed for the release that day.

when you type faster than computer response:
------------------------
Ubuntu 16.04.5 LTS server tty1

server login: sysadmin
adminPassword:

Login incorrect
server login: sysadmin
Password:

sysadmin@server:~$ _
------------------------
"FUCKING SHIT !"
*sees if there are anyone in the back*
*saw no one*
"fiuuh... what a relief"

sysadmin@server:~$ clear

So... We have a "network admin" who manages our network and the servers (windows) and I manage the Linux servers... He is having a real hard time to understand that the servers have no password but use ssh-keys to login and keep asking me for the credential to have them somewhere in case "something happens" like I quit or die...

Real fact: 1999

IT: IT, how can I help?
MrB: I'm Butcheek. This program is shit, I can't even log-in!
IT: oh.. Ok Mr. Butcheek, let’s see if I can help...
MrB: of course you can: fix this shitty program and made me log in!
IT: I’ll try to do my best to assist you, can you...
MrB: I just want to log in! Can you speak my language? This new program is ridiculous, I wonder why you IT guys changed the old one, it was a mess but at least I could log in...
IT: I'm sorry you are experiencing this problem, but to assist you I need to know exactly what's the problem
MrB: I CANT LOG IN!!!
IT: ok, I understand this, but can you please provide some more information? Do you receive any particular error messages?
MrB: it says “wrong password” but it's not true!
IT: Ok, that's strange. Look, I'm resetting your password and then you will try again. At the first log in you will be asked to change it again, ok?
MrB: just be quick, I can't waste any more time on this!
IT: sure... Ok done. Please, can you try again? The password is “butcheek”
MrB: it asks for the username. What am I supposed to write here?
IT: “butcheek”
MrB: oh... Ok. And what's the password?
IT: “butcheek”
MrB:... No... Wait... Ok, “butcheek” is the password but what's the username?
IT: “butcheek”!
MrB: you don't understand, I have to put both username AND password!
IT: I know! “butcheek”! For both username AND password!
MrB: so I have to write “butcheek”-”butcheek”?
IT: yes, “butcheek”-”butcheek”!
MrB: so... “butcheek”...twice? Sounds weird... are you sure?
IT: yes I'm sure! However, you can choose either to write “butcheek” twice or “ASS” once, if you prefer...

Its been 1 month and still no reply from my university IT department after i inforned them the login was transmitting usernames and passwords unencrypted over http and that the password field was case-insensitive for some fucking reason.

Might have to break out the sniffer and setup a script to automatically email them different students account details until they fix it, i should cc the dean 😂

My girlfriend configuring her e-mail account in the app because her phone had to be reset to factory :
-I can't figure out how to do these setting, annoying...
-Oh yeah the imap and smtp servers can be tricky, let me put that
(I Google the settings for her mail provider and put them in)
-It still doesn't work.
-Uuuh, maybe with another security setting, try it.
-This shit still doesn't work, seriously my phone is broken.
-Have you verified the e-mail address and carefully typed the password?
-Yes of course, I've tried it several time
(I take the phone and check all the parameters... During a looooong time... Until it hits me.)
-Hmm... Can you read the e-mail you've entered?
-Yeah, it's my mail, blabla@hotmail.com.
-No can you read it again please?
-It's blabla, why?
-No, can you *spell* your e-mail?
-Yeah it's B-L-A-B-L-A-@-H-O-M-A... Ow shit...
- ¯\_(ツ)_/¯

NUKE IT FROM ORBIT. It was when i was doing an assignment with my roommate, i was compiling something on my pi and ran netstat afterwards for no reason. I had an ssh-connection from china (logged in too). The pi was shutdown ASAP, i salvaged everything i needed from the sd and dd'ed raspbian on the disk again.

Turns out you were able to login via root (i thought i disabled it) with the password i set (root...). I learned from this, now external logins are only allowed via private key and i have fail2ban set up

My friend coded a "secure" storage for text...

Text to store:
Mysupersecrettext

Storage file content:
password=Mysupersecretpassword
contentcount=1
content_1=Mysupersecrettext

In the application it asks for your password. It even shows a message for 5 seconds with "Decrypting your secure storage...". No more words needed...

So I just got this email from a tech company, I registered to send my CV some years ago , about a dev Job openning.

The descripition included:
Java and Angular ( first red flag )

So I go to their site to check it out ...
No https, ping the domain returns an ip from another continent with 500+ ms latency.

Major flaws on the site usability...
Super dumb password recovery method...

I'm fucking outta here dude. I might send them a proposition to fix their servers and at least put it behind letsencrypt though...

And these morons have big clients, like my bank... wtf...

I was never really fond of 2FA, mostly due to the pain in the ass it creates if you lose or can’t access the 2nd device or jumping between GAuth to access Password Manager to access a password to use a login 😱.

But when your phone prompts up with a “allow some Asian, access to you’re iCloud account” you feel a world of relief that you have:

1) a notification you’re account is no longer secure,

And,

2) an immediate ability to change passwords before any access is granted.

Now it’s 1 more password I no longer know due to it being a scrambled mess of characters.

PS: Fuck you, you low life shithead!

Multi-factor authentication does not mean I have a password to your site AND have to login with Google. Also, I logged in with Google, you should have my email address now.

Oh, a user with that address already exists? No shit, it's me.

Your fucking login flow is broken.

Sooo I've been working on an ancient php 5.6 project that did not have any documentation and was a homemade "framework" created 7 years ago. The original creator is long gone and no one else knows a lot about this project.

When I first looked into it I almost immediately noticed the security flaws...

Old outdated libraries
a "development" feature to easily turn dev mode on/off
BY A GET PARAMETER!

it spits out full sql queries and php warnings -.-

Oh and did I mention that the site is a webshop.... and has a backdoor password?
AND THAT THE CUSTOMER REQUESTED THAT?

Seriously, fuck that incompetent ISP of mine.

Stores passwords in fucking plaintext. Does VoIP calling in plaintext! Passwords are sent over postal mail! Passwords are at least not sent in plain via email anymore when you want to reset them. The password reset form, "cannot contain `", "cannot contain "", "cannot contain '", "must contain a special character" because why the fuck not mess with people's password manager's password generation function over our own incompetence, right?! And showing all those errors for a single password? Eh, no. Let's just show one error that applies to whatever password you've given at that time. JUST ONE, because "reasons"! And to top it all off, when I finally made myself a nice password with some padding to remove unwanted chars and put that in my password store and on the website. THE BLOODY THING CAN'T EVEN FUCKING LOGIN?!

Now I ain't no ISP, but being a sysadmin clearly isn't a requirement when you're going to apply for work at an ISP, THAT DOES NOTHING BUT FUCKING SYSADMIN STUFF!!! Incompetent pieces of SHIT!!!

Where I work, the password needed to retrieve your paycheck in the system is your birthday. (Like November 3rd = 0311).

Guess it's no secrete how much money everyone makes?!

Oh... it's the passcode on our keycards as well!

The company has 2000+ employees and and makes more than $35 mil a year

When I was 14 or so, we had acces to some computers during break. I went through each and every one of them, rebooted into Safe Mode (yeah, Windows), logged in as admin with no password, and gave admin powers to my account (each student had one, at least). Then, installed a keylogger and one of those "trojaans" that let me remote terminal, keyboard and mouse control to all the PCs (I had tried telnet server, but this was soo much easier).

Then came the fun.

"Why does the start menu keep opening by itself?"
"Why is the CD tray opening and closing on its own?"
Etc.

Then I found out social media passwords like (translated from spanish) "bigdicks". Never used them, because I considered myself one of the gray hatted. I did it just for the fun.

I had security reopen our test-user last week. I could run the tests once, then they started failing with "blocked user due to too many attempts at logging in". Huh, that's weird. I go through everything, every script, every scheduled task, every nook and cranny of every drive on every machine I could reach, and make sure the password is updated everywhere. Reopen account. Same shit.

I email around to some people, they don't use it, one guy asks if I checked x, y and z, I did. Then he's sure we don't use it anywhere else.

It's one of our fucking contractors that took one of our scripts (that they're supposed to have duplicate copies of) and forgot to change to their own credentials. That's literally the agreement, take our scripts and change the user and run them on your machines.

Afhfjdkdhdjdbd stop locking me out of everything with your incompetence. I email them, some cunt gets back to me asking for the new password. NO. USE. YOUR. OWN. CREDENTIALS. I KNOW YOU HAVE THEM, THEY'RE HERE IN THE LIST AND BEING USED IN ALL OTHER SCRIPTS AAAAAAAAAHHH

Joined a call during a potentially important life event. Work laptop password expired this morning, personal laptop didn't connect to vpn, desktop not connecting to vpn. No one knew what's wrong on the call (just that it's not working).

Not a good call.

CEO at work has a Mac elitist as a friend who somehow indoctrinated err I mean convinced him to get apple everywhere, now the most common issue is updating Microsoft products on the Mac.....

Mac elitist guys first name is Steve lol no lie, he also services the Macs which he expects to do so when no one is around, oh and did I mention he wants us to leave our passwords on our desks LOL, he doesn't work for the company and I really really don't trust him, glad I have a git repo, and I hope he doesn't delete anything on my PC (very reluctant to leave my password on my desk, so I may just convince everyone that my Mac is fine, which seems like it's doing it's thing)

**Me, while working on sql based project**

Manager: Does anyone knows java! Want a sample login screen written in java.

**I'm the only one in my team to know java, thus raised my hand**

Me: It's done. Mailed you the .java file.

Manager: I can see my password

Me: I fuckn hate myself. ***Forgot to set password field as password type***

Manager: you are no different than others.

Me: Yeah..😶 **f@#& you**

Password policy for a big water company site in Spain.

Translation: Between 6 and 10 characters (only letters and numbers, no spaces)

In guess they have a VARCHAR(10) password field in their db?!?

So I manage multiple VPS's (including multiple on a dedicated server) and I setup a few proxy servers last week. Ordered another one yesterday to run as VPN server and I thought like 'hey, let's disable password based login for security!'. So I disabled that but the key login didn't seem to work completely yet. I did see a 'console' icon/title in the control panel at the host's site and I've seen/used those before so I thought that as the other ones I've used before all provided a web based console, I'd be fine! So le me disabled password based login and indeed, the key based login did not work yet. No panic, let's go to the web interface and click the console button!
*clicks console button*
*New windows launches.....*

I thought I would get a console window.

Nope.

The window contained temporary login details for my VPS... guess what... YES, FUCKING PASSWORD BASED. AND WHO JUST DISABLED THE FUCKING PASSWORD BASED LOGIN!?!

WHO THOUGHT IT WOULD BE A GOOD IDEA TO IMPLEMENT THIS MOTHERFUCKING GOD?!?

FUUUUUUUUUUUUUUUUUUUUUUU.

our neighbor has very fast Wi-Fi (~200 MBPS) . but, he didn't tell us the password and we don't know where to ask

sis : You said that you are a programmer right?
me : Of course!
sis : So why don't you do your job?
me : Create an app?
sis : No! hack his Wi-Fi
me : *Hacked the Wi-Fi and give her the password*

another day, mom's phone got crazy,

mom: Allen! Come and fix this phone
me : *After looking at the phone*
me : It is the screen saver I installed earlier

but why people think that programmers are "Computer gods" ?

So... I’m sitting here doing pretty much nothing, just reading through some rants when all of a sudden I get a wave of emails.

Pinterest!
We noticed a login from a new device or location and want to make sure it’s you.
Device: Firefox, Windows 8
Where: New Jersey, United States (Approximate)

OhhhhhKay then... so there’s a couple of problems with this, 1 I didn’t even know I had a Pinterest account, 2 I don’t have Pinterest in my password manager either.

So I follow the link and fair enough it’s actually pintest, so I attempt to login, to no avail, oh maybe it’s a social login..., ok let’s try google, nope that wasn’t it, deletes account, logins with Facebook, oh here we go, checks logins, 1 random jersey player, deletes account, swaps to Facebook, changes password (this fucker was already 100+ characters) and adds 2FA and contains no new logins 🤔

Ok... so what the fuck, either someone managed to get through a long ass password or something phishy is going on, the email for FB logins is seldomly used (maybe a handful of services at best) as I have another for all the junk and spam bullshit I expect from today’s “marketing”

Reset 65 passwords today already, a new personal best for one day! No idea why the reset password button is so hard for clients to use, aghh!

About browsers and whole SSL CERT thing...

Most likely everyone here noticed, that https site with broken certificate will throw these big red warnings, in your face and there is so much wording like "ITS NOT SECUREEEE" or "ITS HACKEDDD" almost like it was written by passionate fanatic.

But when you are on plaintext http browsers reaction is like ¯\_(ツ)_/¯
Even if you have plaintext with password, it will for example in chromium put small little red thingy that almost no one notices.

I believe that broken cert with some error like invalid date is MORE secure than plaintext password, yet still there is this hypocracy with browsers...

I dont say that broken SSL cert is good, or something, Im just pointing out contrast of "broken" https vs plain http.... One looks for casual Joe like end of the world is coming and second is bearly noticable. Da fuck?

I disagree with this approach

I know i know, its an old story.

but.

FUCK YOU AND YOUR STUPID PASSWORD REQUIREMENTS

NO SPECIAL CHARACTERS WONT MAKE IT SAFER

FFS. JUST SAY IT HAS TO BE 20 CHARACTERS AND BE DONE WITH IT

So our teacher just has us sign up for a learning site called Gizmos with a ton of students information. A lot of students forgot their password as always and some didn't register with an email so I expected the teacher to reset them..

Then the teacher had students come up to the front of the f****** class and SHOWED THEM THEIR PASSWORD IN PLAIN TEXT. WHAT THE HELL

Microsoft seriously hates security, first they do enforce an numer, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen to often, gee thanks for the brute force tips.

To add insult to injury the first displayed "tip" take a look at the attached image.

Today my grandmother called and told me she wasnt able to login to her account for her ISP. Alright, maybe shes confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"

You and your fucking outdated auth practise can go and kindly fuck yourself. Fix this shit before I get real mad.

So I Bought this bio metric pad lock for my daughter. She excitedly tried to set it up without following the directions( they actually have good directions on line) first thing you do is set the "master print" she buggered that up setting her print. So when I got home I was thinking, no problem I'll just do a reset and then we cant start again.

NOPE !!! you only have one chance to set the master print! after that if you want to reset the thing you need to use the master print along with a physical key that comes with it.

What sort if Moron designs hardware / software that is unable to be reset. Imagine how much fun it would be if once you set your router admin password it was permanent unless you can long back in to change it. Yea nobody has ever forgotten a password.

Well they are about to learn a valuable financial lesson about how user friendly design will influence your bottom line. people (me) will just return the lock to the store where they bought it, and it will have to be shipped back to the factory and will be very expensive for them paying for all of the shipping to and from and resetting and repackaging of the locks and finally shipping again to another store. Meanwhile I'll keep getting new locks until at no cost until she gets it right.

poor design

When you're signing up for an account on a government site not to be named in this rant and they limit your password to 6 alphanumeric characters and no special characters... Smh

Just watching some videos about feminism and I'm just thinking: "how fucking nutty are these people really?!"

Too drunk right now to write about the recent developments in Mozilla's adoption of "the big bad patriarchy and meritocracy" (and I don't have the password database mirrored on my recently unfucked WanBLowS 10 desktop yet so I've no idea how to authenticate to devRant on it yet) but I'll try to get it out there by tomorrow 🙂

Simply put, Mozilla.. I like you regardless of the whole Mr. Robot crap from earlier, and I'm sure you've got your heart in the right place.. although I'm using Brave nowadays - a creation from the board member you've shunned over this whole PC shit, Brandon Eich. But let me tell you this, Mozilla. Enough is enough. Don't be fucking idiots.

So we are implementing a big and very complete localization management system on my company. The system has great features, indeed, but:

1. We cannot use the browser back button, because it is js and it appears no one cared about it (I am not a js Dev, but you can UAE the back button on my site that has js);

2. It is very customizable, but not intuitive. So you have one million options and you never know where to change what you need;

3. It has a save button everywhere, but most options are saved automatically, so you never know when you need to save. Actually, people from the webapp company use the save button as refresh, once we cannot use the browser refresh button;

4. Combo boxes load the elements while you scroll them, so to scroll to the bottom, you need to keep scrolling several times, waiting it to load the elements;

5. It does not allow you to open more than one tab of it at the same time. So if you need to see more than one information from different items, you need to navigate and wait the loading times to see what you need;

6. Emails are not sent in a different thread. So each action that send emails you need to keep waiting until the emails are sent (sometimes there are several emails sent in one action) to continue using it;

7. They not only store and send back your password by email if you loose it, but, as admin, if I click the button to send the user password to him/her, it keeps a copy of the email with the user password in my sent items;

8. To be able to send emails (they are really necessary), I need to include my SMTP info with login and password. So they have not only the system password saved, but everyone email login and password as well.

I am sure there is more, but I can't remember for now, and we are still trying to figure it out how to back our data, as it appears the only possible backup is their own.

A guy who's parked next to me in the RV asked me today if I know anything about computers. Sure, what's it about?

He has forgotten his password for a Word .doc file, already installed all possible tools for password cracking, but none of them worked, and now
he can't find his vacation photos and surfing the internet suddenly doesn't work anymore.

Okay, no problem, I'll take a look at it. Windows 7 Home Edition, completely covered with malware, everywhere popups with pr0n ads.

I told him that I can't do much more than trying to recover the data and reinstall the OS. But before that, I'll make a image of the hard drive (thank god, only a 250 GB hdd). Then we'll see.

Unfortunately neither he nor I have a Windows DVD, so he will probably become a proud user of Antergos tomorrow.

auto.self.whatever.rant()

A few years ago, we had a lesson on git and stuff, and we had to create our first repository and push something on it to get familiar with the thing.

Our teacher jokingly said at the end "And always remember, no password in a repository!", and I thought to myself "who can be dumb enough to do actually do something like that?"

Now, guess which piece of shit had to reinstall two of his fucking servers because of security issues coming from not one but github repositories?

On chat today.
Dude: can you run a script for me? We don't have permission.
Me: what kind of script? Who wrote it?
Dude: posts screenshot of DML select/update statement he tried to run.
Me: I'm a DBA. We don't run DML for people.
Dude: Oh. Can you give me the password?
Me: examine script and notice he tried to run it on QA DB.
Me: No. We don't memorize passwords, and this is QA; you need to check the password out of the safe. You also need a change ticket to DevOps, and they will run it for you.

At that point I ended the discussion, because running anything in QA or Prod without a change ticket gets you fired. And I like my job. Really annoyed.

I had to make an account for my kid's school.

Last night I start. I put in a username, then it has a quality meter for the password. I put one in and it goes to like 90%. Ok, fine. I submit and...

Validation error on the username field. Message? [object Object].

Try all different kinds of username: no numbers, all caps, etc. But no luck so I give up.

Today I try again and get stuck again. Then I think... "Maybe the devs suck worse than I think..."

I change the password so that it's rated 100% and submit... Success.

Fucking devs.

My mum just had to call me to change our home WiFi password, because she can't change it on her laptop.

She's pretty bad with technology, but she had to call me to do it, because no one else knew how to. Including my brother-in-law who designs IT systems for major banks and system admins working for the government.

She had to call me, from Hungary to do it. I live in Scotland.

Today, this made me think: My bank limits the password I can choose to 16 chars, and only letters and numbers are allowed, no special chars. Meanwhile on Typeracer.com I was able to use 60 character password, including numbers, letters and special chars.

My father calls me very worried: hey, do you know your mother's email login username and password? We need it
Me: no? Why would I?
My father: well, she sent it to you on email when she created it, so you'd remember!

?? What?

Oh my fucking god people are stupid, or ignorant, or fucking both.

How hard is it to copy a password from an email and paste that fucker in and press login.
Seriously several times of “this is your email” and “THIS” is your god dam fucking password.
God kill me now.

(No the password isn’t stored in plaintext, I reset it myself before sending it to the user)

Security lifehacks 101

Why pay for password managers? Just use one secure password for every service you use! Password managers are really designed for fools who don’t know that you can just use one password for every service and who are ready to pay for that shit.

The best practice is to use your name starting with a capital letter + your main credit card number + CVC code from the back of that card as your go-to password. It’s long and hard to bruteforce and you can remember everything that way! You just need to remember that one password and you’ll always remember your payment info! No need for apple’s bad Apple Pay which is not so secure after all like everything else that Apple offers.

Hey Citrix:

FUCK YOU.

Learn to make an accessible log in page you fucks.

Maybe instead of vague fucking "you're user name and password is wrong" say things like "your account is locked because we somehow decided we don't like your password anymore. . . . without telling you"

Fucking 2 hours of my day wasted trying to log into my company's VM because first it wouldn't take my password (that I've had for over a month and doesn't expire for another month) over and over again. I changed it, logged in. Got up to do something that'd take less than 5 minutes. And OF COURSE the people who set up the VM made them log you out if you're gone for more than 3 minutes (fuck that guy too). Come back to a log in screen and it won't accept my new password.

Change it again. Except this time it won't accept my new password because it's "like my old password." It is in that it uses the alphabet and numbers, but it's also different in that those alphanumeric characters are LITERALLY DIFFERENT IN EVERY PLACE. I finally get it to accept a new password.

I'm also loving the whole "answer these security questions that literally anyone who does minimal research on you can answer" before I get to change my password. Yeah. Because finding my mother's maiden name or the city I was born in is so fucking hard. Literally impossible to find out what my Dad's dad's name is. Shit like that isn't publically available. Nope. Why the fuck are we still using "security" questions?

I log into Citrix again. And it takes me to . . . the log in for Citrix.

There is no word in elvish, entish or the tongues of men for this stupidity.

Fuck Citrix. Fuck the people behind the password manager (Aviator or something like that), and fuck whatever administrator setting turns my computer off due to inactivity in such a stupid short amount of time. 10 minutes, 15 minutes, that'd be fine. But it's more like 3 or 5, like wtf.

So today I found a way to break into any Apple Mac (provided the exploit hasn't been fixed by the owner) and access all private files, as long as I have physical access to it, in less than 5 minutes.

After finding this, a quick Google on the method reveals this has been a workaround for years.

And to think I once praised Apple for their security standards.

Edit: this was done to an in-house Mac that my company own, and had been password locked by a member of staff who had been fired, but held important company documents on the computer. It was in no way a breach of privacy.

These motherfucking incompetent programmers... Demon spaghetti code base saga continues.

So they have a password change functionality in their web app.

We have to change the length of it for cybersecurity insurance. I found a regex in the front end spaghetti and changed it to match the required length.

Noticed 7 regexes that validate the password input field. Wtf, why not just use one?! REGEX ABUSE! Also, why not just do a string length check, it's fucking easy in JS. I guess regex makes you look smart.

So we test it out and the regexes was only there for vanity, like display a nicely designed error that the password doesn't have x amount of characters, doesn't have a this and that, etc.

I check the backend ColdFusion mess that this charismatic asshole built. Finally find the method that handles password updates. THERE'S NO BACKEND VALIDATION. It at least sanitises the user input...

What's worse is that I could submit a blank new password and it accepts it. No errors. I can submit a password of "123" and it works.

The button that the user clicks when the password is changed, is some random custom HTML element called <btn> so you can't even disable it.

I really don't enjoy insulting people, but this... If you're one of the idiots who built this shit show and you're reading this, change your career, because you're incompetent and I don't think you should EVER write code again.

I know folks do their best, but come on Apple, this can't be that hard. Bought an IPhone at an estate sale (elderly individual died suddenly, so no one had knowledge of the apple id, passwords, etc) and I've been trying to convince apple to clear the activation lock. (AS = Apple Support)

<after explaining the situation>
AS: "Have you tried putting the phone in recovery mode? That should clear the lock"
Me: "I've already done that. It prompts for the apple id and password, which I don't have"
AS: "You need to talk to the owner and get the information"
Me: "As I explained, I purchased the phone at an estate sale of someone who died. I have the bill of sale, serial number, the box, obituary. What else do you need?"
AS: "Have you tried contacting a family member? They might have have that information."
Me: "The family members at the sale told us this is all they had. This kind of thing has to happen. I can't believe Apple can't clear the activation lock."
AS: "Yes, we can, but I'm very sorry we take security seriously."
Me: "I understand, what do I do now?"
AS: "Did you log out of the phone? Go to settings ..."
Me: "Yes, I tried all those steps before calling. It prompts for the AppleID and password."
AS: "Did you try entering the password?"
Me: "No, I don't have it. I already explained there is no way to know"
AS: "Yes..yes...sorry...I'm just reading the information in front of me. I found something, have you tried submitting a activation lock removal request?"
Me: "Yes, it was denied, didn't tell me why, which is why I'm calling. What about taking this phone to an Apple store? I have all the paperwork."
AS: "Sure, you can try. You might need the death certificate. The family or the coroner will have a copy."
Me: "What!? Apple requires a death certificate to unlock a phone!? I'm pretty sure not even the family is going to give a total stranger a death certificate"
AS: "Sorry sir, I'm just reading what is in front of me. Without that certificate, there is no way to prove the person died. You can try the Apple store, but they will likely require it."
Me: "That's a lot of drama for unlocking a phone. A *phone*"
AS: "Yes sir, I understand. If there anything else we can do let us know and thank you for being an a apple customer."

Next stop, the Apple Store.

if(password.equals(rs.getString("password")) {
// say no more
}

Yesterday while we finished having breakfast, the receptionist from the office approached us and said: "Guys, the company mail does not work! We lost the domain! They forgot to pay the bill!" and we all see each other's faces confused.

I don't like to link the work email on my personal phone, so I open the company's page on the phone and for some reason a DNS error appears. oh boy!

We all go crazy ass to the computers to see the mail and we can use it normally, my computer opens the company page normal, we send emails between us and everything works well…

I ask the receptionist if the test emails arrive and she says "No, I cannot even open the mail". (hmmm) I go to see what happens and she says "Look!" I see a label on the login page: "your password was changed 16 hours ago" (facepalm) I ask her if she have changed the password and she say NO. So I ask the support guy if he can reset her password and that's it. Magic, magic!

In the end we remember that not all of us have the same "computer knowledge" and discovered that the company's website only works if you enter “www”, very good custom software company! Very good!

Long story short: University fucked up single sign on.

For every online service I have, I set a different password, randomly generated ~ 20 characters long. At our university we have multiple systems but they offer a single sign on service which is quite nice because it is so non-transparent which service now uses which authorization. I changed my password a while ago and around the same time they also updated our mail client. Since then I am not able to log in which is not a big deal for me because I have mail forwarding.

Yesterday however I needed another service and also got rejected with my password. I knew from a friend that the passwords are fucked up and that some services have different restrictions (only 12 chars max.), so I decided to search how to reset my password. What the fuck was wrong with these people? It takes you five different pages to get the tiniest bit of information how to reset the password. Then on one page you can login with your single sign on and change the password. On that page you can also set the single sign on password, but if you enter an invalid password (in respect of the the other services) guess what? No feedback that you just locked yourself out of half the systems. Nice job. Also the password requirements are not next to the input fields where you change the password. Noo. That would be way to easy, remember the little small one line on the wall of text three pages ago? There you go.

Ok step one done. Now it should work, shouldn't it? Ohh no not so fast. One needs to activate the seperate service. Where you ask? Perfectly fine question. On the top of page four is a fucking one line table which looks like some five year old had some fun in excel. The button which takes you to the activation page is nearly invisible because of the non existing contrast. Also it is not a button but some arrow pointer thingy. Behind set arrow you have a page listing all differnt kinds of services, the description which you find on page two btw. No padding to decipher this shit what so ever. Nearly on the bottom is your needed button. Yes finally.

Finally I want to login, no good. Try again. Still no good. Go back to the fucked up excel table look at my username and think to myself what's the difference here? The table is so small and again no margin or padding. Apparently they cut of the last character of my normal username which i have which is fucking ridiculous.

What is wrong with you people, we are a TECHNICAL UNIVERSITY, is it so hard for you to find someone decend to unify this shit?

Does anyone else get intensely frustrated and stressed trying to explain something to someone who repeatedly fails to understand?

"ok so you click decrypt password and then you give it your private key"
"ok I clicked on download rdp file"
"no you want decrypt password"
"and then it will download a file"
"no you need to give it a file"
"which file?"
"THE FUCKING FILE IT SAYS RIGHT THERE STEVE"

Keep in mind this is the fifth time I've walked him through this

I don't want to put anyone to shame here, but this has been the most hilarious password reset in my life.

P.S.
It's an early service with no sensitive data, so I'm not concerned so much, but still, a system for automatic password reset, with the ability to change the temporary one, should be one of the first things in place before you go public. lol

Why is every company so BAD at working with spaces in passwords? Just trying to setup Hulu on my PS4, apparently I forgot my password? No, my password had a space in it. So maybe Hulu's just one of those companies that doesn't allow spaces in passwords? Wait no, I can log in with no problems on my Switch or PC with the space. It's just SPECIFICALLY the PS4 app that doesn't allow spaces. Cool cool cool.

Like, am I missing something? Is there some reason it's harder to hash than other characters? It's just an ASCII character, it's not like I'm copy/pasting in some fringe unicode shit. Some companies straight up ban it. Some like Amazon don't recognize it as a special character, while demanding I use a special character. Why is this so terrible?

F*ck WIX!!!

POS of software.

Was working with a client to change one email to contact and that shite kicked me out with no warning on changes. Reset the password and now I can't even login.

long rant;

How did I got into CS?

When I first got my laptop, I put on a password and forgot it. Nobody knew those things at that time around me (most of them, still don't) so I had to pay ₹350 (~$5) for formatting (OS reinstallation).
After a week, I again forgot the password and had no guts to ask more money from my family, because of the fear of getting scolded.

So, I took out the manuals that had shipped with the laptop, read them all. Found nothing.
But, on a very small page, a single line was written, "Insert the disc. Press F12 after pressing the power button".
I intuitively tried it and it worked (I had the OS DVD and no internet).

And I spent the next year experimenting with the windows OS (Vista).
Then tried all the other OSs.

Those were some times..2008..I guess.
Learnt OS without the internet. Nowadays people can't do it even with it.

What's your story?

TL:DR
Why do so shitty "API"s exist that are even harder to write than proper ones? D:

Trying to hack my venilation at home.
This API is so horrible D:
The API is only based on POST requests no matter if you want to write values or get values and the response only contains XML with cryptic values like:

<?xml version="1.0" encoding="UTF-8"?>
<PARAMETER>
<LANG>de</LANG>
<ID>v01306</ID>
<VA>00011100000000000000000010000001</VA>
<ID>v00024</ID>
<VA>0</VA>
<ID>v00033</ID>
<VA>2</VA>
<ID>v00037</ID>
<VA>0</VA>

Also there are multiple API routes like
POST /data/werte1.xml
POST /data/werte2.xml
POST /data/werte3.xml
POST /data/werte4.xml
And actually the real API route is only given in the request body and not in the path.

Why is this so shitty? D:<

Btw in terms of security this is also top notch. It just globally saves if one computer sends the login password.
I mean why even ask for a password then? D:
That made me end up with a cronjob to send a login request so I don't have to login on any device.

PS:
You see, great piece of German engineering.

half day gone try to find or remember the password of some SSL/key/encrypt/crt/shit/whatever.

Blaming myself for hours, how could I not save the password somewhere?

#Enter Password:
(I pressed enter, no password).
it works.

I love IT security

So, I just created an account on a premium objective information website. It basically sells access to several articles on laws and general "financial relevant subjects". It is important for my work and they have pretty strict password requirements, with minimum: 18 characters length, 2 HC, 2 LC, 2 special, 2 numbers.

Without thinking twice, openned Keepass and generated a 64 length password, used it, saved it. All's good. They then unlocked my access and... wrong password. I try again... wrong password.

Thinking to myself: "No, it can't be that, maybe I only copied a portion of the password or something, let me check on CopyQ to see what password I actually used."

Nope, the password is indeed correct.

Copy the first 32 characters of the password, try it... it works...

yeah, they limit password length to 32 characters and do not mention it anywhere ... and allow you to use whatever length you want... "Just truncate it, its fine"

TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.

Yesterdayto log into my work Google account from my personal laptop to check emails, calendars update and so on. I opened up a private navigation window, went to Google sign-in page, entered my credentials, all is well.

Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.

Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.

I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.

What the duck? Could have been anybody giving any phone number. So much for extra security.

Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.

Before going home, decided to do an upgrade from ubuntu 16.04 to 18.04...

Leave it to do its charm.

*a morning later*
See laptop on off state, "hmm..."
Turning in on, *press power buton*
Booting... Purple-ish screen appear.. Nothing happened for 20 minutes.

"fck."

Hard reboot, going to grub menu,
1. Ubuntu*
2. Advance option

Choose ubuntu.
Booting...
"root mount not found, bla bla bla
Kernel panic..."

"fck."

15 chrome tabs later (on mobile),
Do something on shit...

Finally proceed to login screen.
Insert password, enter.

Loading... Blank... 3 seconds later, tadaaa.. Going back to login screen.
Do it trice, I'm stuck at login screen.

"fck."

20 chrome tabs later,

Finally got in. Have a "what's new" screen.

Ok, feels different... But its slow af. Hmm maybe reboot will do something.

Rebooting...

Login screen, insert password, enter..
3 seconds later..
Bam. Going back to login screen...

"fck."

Another chrome tabs later... Resolved the issue.

And finally I can take a breath, but still has a headache because of little thing likes:
1. Right click not working
2. Workspace not work as expected likes in 16.04
3. Screenshot behavior
4. No animation When moving a window to another workspace.

When almost anything is solved and I'm ready to do my works, I just realised something..

I just wasted 4 hours of my workday.

"fck."

Not as much of a rant as a share of my exasperation you might breathe a bit more heavily out your nose at.

My work has dealt out new laptops to devs. Such shiny, very wow. They're also famously easy to use.
.
.
.
My arse.
.
.
.
I got the laptop, transferred the necessary files and settings over, then got to work. Delivered ticket i, delivered ticket j, delivered the tests (tests first *cough*) then delivered Mr Bullet to Mr Foot.

Day 4 of using the temporary passwords support gave me I thought it was time to get with department policy and change my myriad passwords to a single one. Maybe it's not as secure but oh hell, would having a single sign-on have saved me from this.

I went for my new machine's password first because why not? It's the one I'll use the most, and I definitely won't forget it. I didn't. (I didn't.) I plopped in my memorable password, including special characters, caps, and numbers, again (carefully typed) in the second password field, then nearly confirmed. Curiosity, you bastard.

There's a key icon by the password field and I still had milk teeth left to chew any and all new features with.
Naturally I click on it. I'm greeted by a window showing me a password generating tool. So many features, options for choosing length, character types, and tons of others but thinking back on it, I only remember those two. I had a cheeky peek at the different passwords generated by it, including playing with the length slider. My curiosity sated, I closed that window and confirmed that my password was in.

You probably know where this is going. I say probably to give room for those of you like me who certifiably. did. not.

Time to test my new password.
*Smacks the power button to log off*
Time to put it in (ooer)
*Smacks in the password*
I N C O R R E C T L O G I N D E T A I L S.

Whoops, typo probably.
Do it again.
I N C O R R E C T L O G I N D E T A I L S.

No u.
Try again.
I N C O R R E C T L O G I N D E T A I L S.

Try my previous password.
Well, SUCCESS... but actually, no.

Tried the previous previous password.
T O O M A N Y A T T E M P T S

Ahh fuck, I can't believe I've done this, but going to support is for pussies. I'll put this by the rest of the fire, I can work on my old laptop.

Day starts getting late, gotta go swimming soonish. Should probably solve the problem. Cue a whole 40 minutes trying my 15 or so different passwords and their permutations because oh heck I hope it's one of them.
I talk to a colleague because by now the "days since last incident" counter has been reset.

"Hello there Ryan, would you kindly go on a voyage with me that I may retrace my steps and perhaps discover the source of this mystery?"

"A man chooses, a slave obeys. I choose... lmao ye sure m8, but I'm driving"

We went straight for the password generator, then the length slider, because who doesn't love sliding a slidey boi. Soon as we moved it my upside down frown turned back around. Down in the 'new password' and the 'confirm new password' IT WAS FUCKING AUTOCOMPLETING. The slidey boi was changing the number of asterisks in both bars as we moved it. Mystery solved, password generator arrested, shit's still fucked.

Bite the bullet, call support.
"Hi, I need my password resetting. I dun goofed"
*details tech support needs*
*It can be sorted but the tech is ages away*
Gotta be punctual for swimming, got two whole lengths to do and a sauna to sit in.
"I'm off soon, can it happen tomorrow?"
"Yeah no problem someone will be down in the morning."

Next day. Friday. 3 hours later, still no contact. Go to support room myself.
The guy really tries, goes through everything he can, gets informed that he needs a code from Derek. Where's Derek? Ah shet. He's on holiday.

There goes my weekend (looong weekend, bank holiday plus day flexi-time) where I could have shown off to my girlfriend the quality at which this laptop can play all our favourite animé, and probably get remind by her that my personal laptop has an i2350u with integrated graphics.

TODAY. (Part is unrelated, but still, ugh.)
Go to work. Ten minutes away realise I forgot my door pass.
Bollocks.
Go get a temporary pass (of shame).
Go to clock in. My fob was with my REAL pass.
What the wank.
Get to my desk, nobody notices my shame. I'm thirsty. I'll have the bottle from my drawer. But wait, what's this? No key that usually lives with my pass? Can't even unlock it?
No thanks.

Support might be able to cheer me up. Support is now for manly men too.
*Knock knock*
"Me again"
"Yeah give it here, I've got the code"
He fixes it, I reset my pass, sensibly change my other passwords.
Or I would, if the internet would work.

It connects, but no traffic? Ryan from earlier helps, we solve it after a while.

My passwords are now sorted, machine is okay, crisis resolved.

*THE END*

If you skipped the whole thing and were expecting a tl;dr, you just lost the game.

Otherwise, I absolve you of having lost the game.

Exactly at the char limit

THICK-HEADED FUCKNUTS!

I have absolutely no idea as to why these would ever be password requirements, can someone please try to explain WHY THE FUCK

this just happened a few seconds ago and I am just laughing at the pathetic site that is Facebook. xD
4 years ago:
So I was quite a noobie gamer/hacker(sort of) back then and i had a habit of having multiple gmail/fb accounts, just for gaming, like accounts through which i can log in all at once in the same poker room, so 4/5 players in the game are me, or just some multiple accounts for clash of clans for donations.
I had 7-8 accounts back then. one had a name that translated to "may the dead remain in peace "@yahoomail.com . it was linked to fb using same initials. after sometime only this and 2 of my main accs were all i cared about.even today when i feel like playing, i sometimes use those accs.

2 years ago.
My dad is a simple man and was quite naive to modern techs and used to hang around with physical button nokia phones.But we had a business change, my father was now in a partnership in a restaurant where his daily work included a lot of sitting job and and casual working. So he bought a smartphone for some time pass.
He now wanted to download apps and me to teach him.I tried a lot to get him his own acc, but he couldn't remember his login credentials.
so at the end i added one of my own fake ID's(maythedead...) so he could install from playstore, watch vids on youtube and whatever.

The Actual Adventure starts now
Today, 1 hour ago:
I had completely forgot about this incident, since my parents are now quite modern in terms of tech.
But today out of nowhere i recieved an email that someone has JUST CHAINGED MY FB PASSWORD FOR ONE OF MY FAKE ACCS!?!??
what the hell, i know it was just a useless acc and i never even check my fb from any acc these days, but if someone could login into that acc, its not very difficult to track my main accs, id's, etc so i immediately opened this fb security portal and that's where the stupidity starts:

1)To recover your account they FUCKIN ASKS FOR A PHYSICAL ID. yeah, no email, no security question you have to scan your driving license or passport to get back to your account.And where would I get a license for some person named "may the dead remain in peace"? i simply went back.
2) tried another hack that i thought that will work.Closed fb help page, opened fb again , tried to login with my old credentials, it says" old password has been changed,please enter new password", i click forget password and they send an otp. i thought yes i won, because the number and recover mail id was mine only so i received it.
when i added the otp, i was first sent to a password change page (woohoo, i really won! :)) but then it sends me again to the same fuckin physical id verification page.FFFFFFFFFuck

3)I was sad and terrified that i got hacked.But 10 mins later a mail comes ,"Your Facebook password was reset using the email address on Tuesday, April 10, 2018 at 8:24pm (UTC+05:30)."
I tried clicking the links attached, hoping that the password i changed(point<2>) has actually done something to account.NADA, the account still needs a physical license to open:/

4) lost, i just login to my main account and lookup for my lost fake account. the fun part:my account has the display pic of my father?!!?!
So apparently, my father wanted to try facebook, he used the fake account i gave him to create one, fb showed him that this id already has an fb account attached to it and he accidently changed my password.MY FATHER WAS THE HACKER THE WHOLE TIME xD.
but response from fb?" well sir, if you want your virtually shitty account back , you first will have to provide us with all details of your bank transactions or your voter id card, maybe trump will like it"

Q 1 options b 😂😂😂

It's 5pm whooooo!

Let's quickly bash this last query out for the day - seeing as I should have finished an hour ago anyway.

Spin up VM, it's been inactive for 6 months.... yay, login... "incorrect password" tries again "incorrect password", did I forgot it... no it's been the same for years,

ok let's try again slowly,
ok logged in,
jump into mysql,
write up this query,

join this table, join that table, join this other table, and this other, and this one, hahaha, and this one over here... sweet it's been months and I still no my way around this maze!

And now for the moment of truth... run!
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
And bam, black screen, loading spinner, "Windows is updating"

NOoOooOooOooo!

Fuck it I'm out!

I don't understand how is possible that programmers today are developing applications that are storing plain password in the database.

I know it's kinda boring topic since everybody here is talking about it this week, but it's really confusing to me.

Every now and then some DB gets hacked, millions of passwords are leaked and then you have developers, who should be smart and logical people, who decide to do that.

Ok, maybe the project deadline was close or something similar, but I think there is no excuse for something like that. No matter how close or behind deadline project is, you should always be able to explain to your boss/client what could happen.

Everyone here deserves the worst.

No, really, you all deserve those dark juicy stories. So here's why I hate password systems that don't have the user experience in mind.

Recently my university went under a huge update, most of it good, but this is DevRant, so let me tell you what's just the worst.

They asked me to change my password, they do this every month or two. So I did it, but as I clicked "Ok" a wild error appeared! It told me I had to use a password that was not one of the FIFTEEN that I'd used previously...

I tried everything, and despite everything else being poorly programmed, or what not, I thought it would be easy to spoof. Nope. Unfortunately this seems to be the ONE thing they did right. Looks like I'll have to go back to basics. Just add a number on the end of my previous password, up to fifteen, and reset :]

I think this rant needs to turn into an email headed straight to them :)

I'm seriously working with a system that saves the password AND the confirm password In the database... varchar field, copied info, no wonders it takes half an hour to make query.

I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:

- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)

...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.

Currently working on my first real REST api and I've arrived at the authentication part.

I'm not sure how to do this one, the client will have to login using username/password but then, what's the most conventional way of authentication logged in users through a REST api? (no oauth (yet))

This should be usable for anything like ajax requests to calls from the backend to curl requests.

Looking forward to ideas!

Security fail here. I've just started a PPI claim and have been provided a link to a so called "very secure" client area.

There are no username or passwords and the screenshot is not a first time sign up screen.

All I need to login is a surname, postcode and DOB - all information easy enough to find online.

Pretty bad IMO, esp, so considering the effort required to add a proper login using a username/password combination.

I mean I'm logged in now and have no option to set an account password :|

Motherfucking stupid windows 10.

Wanted to try out cortana with all features after disabling it via regedit.
So naturally I created a Microsoft account and linked my user to it. Of course I used a random password generator and saved it in a passwort vault.
Then an update happened, I restarted my computer and guess what this stupid piece of SHIT garbage software did?
It prompted me to enter my password. Not the password I had for my local user BUT THE MOTHERFUCKING 15-DIGIT RANDOM PASSWORT GENERATED AND NOT EVEN VIEWED ONCE FUCKING SHIT!!!
Did they even ask if I wanted that? No they fucking didn't. Did they WARN ME? NO. NO THEY FUCKING DIDN'T.

That's the last straw. I'll kick windows down the garbage bin where it belongs and programm my own AI with open source software.

I just realised there is no option to change the password on devRant. 🤔

Dev.to app asks me to type in my github username and password into the github login page opened in their app. Is there no better way to do OAuth on Android apps?

So, I was going to make a little startup script to a friends laptop. I opened it up to realize I didn't know the PIN (not sure why it used a PIN instead of a password, but it did).

I looked up at the username, and it was in the format [name][number]. I though, "surely, no...." and tried it.

Yup. His username was basically [username][mypassword].

*sigh*

Passwords.. how do you guys manage yours? I'm one of those who often used the same semi weak password for nearly everything

I'm more than likely going to get a password manager but I have no idea which, do you use any?

I am doing some freelance work for a client who is thankfully mindful about security. I found out that they are so strict with their access because they had a huge data breach last year.

Today I was given access to their repo for connecting to their AS400. In the docker file the username and password were included and were the same for dev and prod. They also are performing no sql injection prevention. They are just joining strings together.

I went to uni for CompSci with knowing no prior knowledge.

In my first year of uni I created a DigitalOcean droplet to host an SQL server. I didn't change the root password or disable password login out of convenience and as I didn't think anyone would be able to find the IP address to be able to hack it.

Within 3 hours DigitalOcean had locked my account for using my droplet to send DDoS attacks. Support contacted me to ask what was going on. I knew nothing at the time so I was a bit 🤷‍♂️.

And that's when I learned the importance of changing your root password.

Best:
- optimized a lot of queries and pieces of code
- graduated from the dutch equivalent of community college
- started a new education
- updated our password schema from a shameful algorithm to bcrypt

Worst:
- haven't been able to convince my colleague and bosses to automate stuff
- still no tests
- still a php dev
- still alone

2018:
Come at me with your c++ and robots! I'll fucking master you!

So I get home from work, sit down infront of my computer and start browsing a few sites.

The loading times was not as fast as they should so I checked out my network setup. I had been auto connected to my ISP provided modems WiFi, which happens every now and then, so I reconnect to my faster and better WiFi AP.

Invalid password. What? Ok.. Let me just type in the same password, slowly..
Invalid password. MF..... Same password, looking down at my keyboard.
Invalid password. GDMF...

Browse to my AP config site, type in username and password.
Invalid password. Oh no you fucking did not just deny me entry as well.
Ok. Something is up and I'm going to get to the bottom of this!

Boot up Kali, fires loads of crap at the WiFi and the site. Still no damn luck! WTH!
I go upstairs to my AP, turn it off and on again.

I can now login on both my AP WiFi and config page.
It had frozen.
Thats two hours of troubleshooting for a "have you tried turning it off and on again" solution.
I feel great about my competence after this.

I thought maybe it's time to change my Services NSW password, and chose =onWl?$2w/bxJ"UU as my new password...

I guess there's no escaping it. Aussies are dumb

I'm installing Unity. Choosing the "sign in with Google" option, this leads to a screen asking for my Google account and password - *inside the installer*. No external browser.
What made them think it's legitimate? Why can't they just open my web browser for this? Why should I trust them with my email password?

apparently my bank's password length limit of 10,000 is too much for paypal's app to handle and it fucking imploded. sadly, no screenshots were allowed by the app, but it fucking broke so hard it spat logs and shit at me with no formatting or anything. it was NUTS dude

oh FFS my university pissed me off so bad right now that I had to wait 20 min to cool down to be able to write a rant about it...

so, one of the university department offer an email address which is the official university approved email for student packs like jetbrain's. I wanted to renew my jetbrains subscription, but for that I have to get a verification email on that address..
But since the only time I use it is this annual renewal I dont know the webmail's url..
So I search for it on the department pages, services and its nowhere to be found. Finaly I found it on a student maintained wiki page.
I try to log in.. no luck. try another password, still not it. Try all of the passwords that I remember using in the previous 3 year and no luck.
well fck it the password change is managed by a website where I can log in with a different method, so I change the password and try to log in again.
No fcking luck! And at this point I bashed my head against the wall because I found out that the password change takes them about 1 or 2 hours... hours! wtf...

Student Account Password at the university. No changes the default. It's their DOB and first two letters of the name.

Injection steps:
Open Database ( I am the Placement Representative )
Copy DOB
Paste
Add the first two alphabet
Unlocked

When I just started programming I aways added fake loading screens and hard-coded login screens to my c# applications because it looked cool..

But I also always added an invisible panel to the top right so whenever you click that it would bypass the login screen.

I had to do that because 1. I will forget that password after 2 seconds, 2. I got no time for that login screen.

I've been using keepass for everything and just recently I've just come to realization of just how hard it is to get into my accounts now that I've done this.

Literally, I'm useless if i don't have a computer to get my passwords. (I know it's for android too, but i need the database)

I was trying to log into my spotify, but I couldn't remember my password. Then I thought, oh i know i'll just log into facebook and do it that way.

LOL JK you don't know the password
Fuck... what about my email???
LOL NOPE!

Seriously if i was held at gun point and told to log into anything I'd be dead. I've literally secured myself out of my own accounts...

I guess if there is any silver lining, it's that no-one, and I mean 'no-one' is getting into my accounts any time soon.

The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.

Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.

I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.

How bad is it for a fortune 500 company to open port 22 over the internet for all its linux servers?? Today, I reported this to my boss and he said "it won't be a problem, no one can login without a password".

the worst project I've ever worked on was a BIOS update utility for the desktop techs at work. They wanted a tool to open that would let them know when there's a BIOS update and install it for them. The problem was the file share that held the BIOS updates had no naming convention, Dell doesn't name all BIOS updates with Axx, people would fat finger the BIOS password and model numbers for the computers was a pain to match against the file share. After at least 800 lines of C# code I give it to them. A couple months go by and I still see them going machine to machine upgrading BIOSes in labs even though my tool does it to a lab silently with a switch... hhhhhh.

I DIDN'T SIGN UP FOR THIS !!!

After seeing bunch of posts about Enki, decided to give it a try,

enters my info on the sign up page
*email address is already taken* : WHAT !!

changes email address
*your username is already taken* : WHAT !!

goes back and search if there's any mails from Enki
*no results found* : Dafuq !!

Requests password reset
*Receives first mail from enki ever, with a reset link*

Did they change their name from something else to Enki or they have bunch of emails in their database to showoff user base ?

Can anyone shed some light on this, cause I'm 100% sure i didn't sign up for this before.

after resetting the password I'm able to login, but in the Notification section it says
*your email is not confirmed*

well i would confirm it, WHEN I GET IT !!

-- What if JavaScript never existed?
-- What if HTML was a programming language?
-- What if our data online isn't abstract but physical?
-- What if geeks have their own country?
-- What if humans exist and we are the aliens?
-- What if the internet is state-owned?
-- What if we could download food just like every other downloadables?
-- What if my VSCode won't kill me when switched to light theme?
-- What if there was no gender and the word "female" is just an alias for "male"?
-- What if bugs could find and fix themselves?
-- What if there's no need for an account password?
-- What if Linux was owned by Microsoft?
-- **What if I could tell my boss that I'm tired of his fucking job without actually telling my boss? This is the actual what if.**

Follow up on a previous rant:

I visited a customer to talk about the reporting discrepancy between two applications.

It turns out the applications were custom built by outsourced developers from Russia, that communicate with each other through a byzantine (and completely undocumented) series of web services, excel import/export tasks, and a customized SSRS environment.

These are spread across at least half a dozen servers, some on-premise and some cloud based, there are at least 3 SQL servers (2 running 2005, one running 2000), a 10 year old local install of TFS (which no one knows a username/password for), and who-knows-what-else.

They laid off their entire IT team years ago, and they have no backups.

I'm not certain anyone there even understands what the software is supposed to be doing beyond the most general terms.

No one knows if they even have source code.

Biggest case of "nope!" I've encountered in more than 20 years of IT experience.

- client announces that they are reducing the number of employees since Dec31
- I'm among the ones relieved from duty
- hours before the end date I receive a 'your account will expire in 7 days. Reset your password' email from that client

riiight, that's one chore I no longer have to worry about.

"I need the login credentials for the CMS service"

*sends the email confirmation email*

"No, I can't confirm your email for you. In plain English: send me the email and password to login."

"Ohhhhhhhhh"

Literally what the fuck is wrong with these people.

I swear we're all fucking doomed.

Me: Hey what's the default password for this?
Classmate: password?
Me: yeah the password. What is it by default?
Classmate: no that's it. Just "password"
Me: :/

As someone who uses UNIX and UNIX-like systems on a daily basis, and someone dealing with computer support in a school, I experience so, so many issues, many of which others have already ranted about.

For no reason at all, I find it incredibly frustrating how many high school students' understanding of sudo is limited to this:
Student: Hey, isn't sudo the minecraft command
Me: Erm
Student: You know, the one skeppy uses... to troll players? Anyway, you're doing it wrong. There should be a slash before you run the command
Me: aaargh.
and so on. Happens probably every 10th time I invoke sudo.

I mean, really? Surely these kids, with all their complaints and lines: hacking into the mainframe/whats the admin password/why did you block my VPN/ and so on, would know what sudo is. But NO, they just don't seem to get it. Sometimes I lose my hope in the futures of these kids.

ZNC shenanigans yesterday...

So, yesterday in the midst a massive heat wave I went ahead, booze in hand, to install myself an IRC bouncer called ZNC. All goes well, it gets its own little container, VPN connection, own user, yada yada yada.. a nice configuration system-wise.

But then comes ZNC. Installed it a few times actually, and failed a fair few times too. Apparently Chrome and Firefox block port 6697 for ZNC's web interface outright. Firefox allows you to override it manually, Chrome flat out refuses to do anything with it. Thank you for this amazing level of protection Google. I didn't notice a thing. Thank you so much for treating me like a goddamn user. You know Google, it felt a lot like those plastic nightmares in electronics, ultrasonic welding, gluing shit in (oh that reminds me of the Nexus 6P, but let's not go there).. Google, you are amazing. Best billion dollar company I've ever seen. Anyway.

So I installed ZNC, moved the client to bouncer connection to port 8080 eventually, and it somewhat worked. Though apparently ZNC in its infinite wisdom does both web interface and IRC itself on the same port. How they do it, no idea. But somehow they do.

And now comes the good part.. configuration of this complete and utter piece of shit, ZNC. So I added my Freenode username, password, yada yada yada.. turns out that ZNC in its infinite wisdom puts the password on the stdout. Reminded me a lot about my ISP sending me my password via postal mail. You know, it's one thing that your application knows the plaintext password, but it's something else entirely to openly share that you do. If anything it tells them that something is seriously wrong but fuck! You don't put passwords on the goddamn stdout!

But it doesn't end there. The default configuration it did for Freenode was a server password. Now, you can usually use 3 ways to authenticate, each with their advantages and disadvantages. These are server password, SASL and NickServ. SASL is widely regarded to be the best option and if it's supported by the IRC server, that's what everyone should use. Server password and NickServ are pretty much fallback.

So, plaintext password, default server password instead of SASL, what else.. oh, yeah. ZNC would be a server, right. Something that runs pretty much forever, 24/7. So you'd probably expect there to be a systemd unit for it... Except, nope, there isn't. The ZNC project recommends that you launch it from the crontab. Let that sink in for a moment.. the fucking crontab. For initializing services. My whole life as a sysadmin was a lie. Cron is now an init system.

Fortunately that's about all I recall to be wrong with this thing. But there's a few things that I really want to tell any greenhorn developers out there... Always look at best practices. Never take shortcuts. The right way is going to be the best way 99% of the time. That way you don't have to go back and fix it. Do your app modularly so that a fix can be done quickly and easily. Store passwords securely and if you can't, let the user know and offer alternatives. Don't put it on the stdout. Always assume that your users will go with default options when in doubt. I love tweaking but defaults should always be sane ones.

One more thing that's mostly a jab. The ZNC software is hosted on a .in domain, which would.. quite honestly.. explain a lot. Is India becoming the next Chinese manufacturers for software? Except that in India the internet access is not restricted despite their civilization perhaps not being fully ready for it yet. India, develop and develop properly. It will take a while but you'll get there. But please don't put atrocities like this into the world. Lastly, I know it's hard and I've been there with my own distribution project too. Accept feedback. It's rough, but it is valuable. Listen to the people that criticize your project.

The $customer gets a device from us, with th wifi connected as specified in the order. $customer connects it to the mains and monitor, puts in the dongle and the connection is established.
Fast forward 3 weeks, now everything went south. The device does not connect to the network, the service is offline. Our first question: "Has someone modified the WiFi name or password?"
$customer: "No, there were no changes in the WiFi"

So the full arsenal of debugging the connection over LAN starts, interrupted by $customer unplugging the device "because he needs LAN now"

After sometime, we figured out, everything is fine with the device, and ask $customer once again, if the config $ssid and $password is correct.

$customer: "Oh, we changed the name to $ssid2 because it looks nicer, is that a problem?"

Internal: "Are you f*kin kidding me? I asked you exactly that"
Me: "Alright, that explains the issues. Please tell us in advance if you want to change something with the WiFi."

Boss: so we've got to call an app to verify data in this project. But I've got no more info and I'm on holiday next week. Please contact GuyA next week.
Me: ok I guess?
*writes email to GuyA*
GuyB: GuyA is on holiday please hold the line
*1 week later*
GuyA: we need more time it's not ready yet
*2 weeks later?
Me: so?
GuyA: yeah it's ready here's the wsdl etc your client already has the password
*1 week later*
Me: yeah so I got the data but the api says my auth isn't working
GuyB: yeah your user isn't activated on the test system. I'm gonna forward that and come back at you
*1 week later*
GuyA: so we're going live in about 2 weeks hows testing going?
Me: well I'm still waiting for the response and activation
*suddenly it works*
Me: yeah so auth is working but i can't find any data. Is there any special test data?
GuyA: oh no there is NO test data on the test system. You need to wait for GuyB but he us not here today...
Me: are you fking kidding Me?????

... no response since then and it's been days....

Today's shit list, compiled from multiple random apps:

* Your subscription renews without an email in advance (no time to cancel)

* Your chat bot asks me twenty questions about why I want to cancel my membership, then sends me to a live agent, who asks me the same damn questions.

* Your app emails me my password in plain text

* Meeting agenda squashed by execs:
"We don't talk about _____, but we're committed to transparency."

Rant rant rant!

Le me subscribe to website to buy something.

Le register, email arrives immediately.
*please not my password as clear text, please not my password as clear text *

Dear customer your password is: ***

You dense motherfucker, you special bread of idiotic asshole its frigging 2017 and you send your customer password in an email!???

They frigging even have a nice banner in their website stating that they protect their customer with 128bit cryptography (sigh)

Protect me from your brain the size of a dried pea.

Le me calm down, search for a way to delete his profile. Nope no way.
Search for another shop that sells the good, nope.
Try to change my info: nope you can only change your gender...

Get mad, modify the html and send a tampered form: it submits... And fail because of a calculation on my fiscal code.

I wanna die, raise as a zombie find the developers of that website kill them and then discard their heads because not even an hungry zombie would use that brains for something.

Security in defense is a joke.

New hire does not have accts set up told him over and over!

He decides to go into a classified area and just try. Common last name with first initial.

Guess what he was able to get in because no one changed the default password!

Yep now someone with an interim clearance got access to a machine that goes from unclass to secret and then top secret!

Very eventful day, please see enclosed several smaller rants.

===================

My college's systems are shit and not only do they use HTTP for everything, even the stores and financial aid purchase system, they have homebrew JS shit for PGP site encryption (nifty...), but they exchange the PRIVATE KEYS instead of the public keys. Over HTTP. Not even HTTPS. Also if you log in more than 10 times in 24 hours it's supposed to lock you out of your account until you call... except it locks EVERYONE out. Found this out when on campus, trying to get my textbooks, when suddenly everyone had login lockouts because i'm a "paranoid bastard" and "afraid of idiot college students" for not telling a PUBLIC PC to remember the one password (enforced by password auto-sync across all their shit, not ideal, no) guarding my SUPER-SENSITIVE FINANCIAL AND ACADEMIC DATA... among the other hundreds of issues this college has. I now see why this college is the only one I can afford...

===================

Can't pass-through raw DVD drive access to VMs as VM managers crash when I try (yes, even QEMU...) so i've gotta install Windows on a shitty 80GB laptop HDD for literally one quick project. On the bright side, if my theory proves correct, you'll no longer need modchips for PS2s.

===================

Found a couple odd lines in my xscreensaver config:

GetViewPortIsFullOfLies:False
nice: 10
pointerHysteresis: 10

the first 2 I can't seem to figure out what do, and the last taught me a new word. Fun!

===================

that's it, it's over, why are you still here

So here I am investigating something our users are claiming. I look up which user the UserId did the change and I see not only the user but also the users password in clear text in a separate field. I thought that field was for a password hint that the user can set up, but I asked around and apparently, no... It's literally the plain text version of the password stored in the database, next to the hash of the password.
Apparently, the users were so impossible to deal with that we added that column and for users that constantly pester us about not knowing their password and not wanting to change it, we added a plaintext password field for them :D