Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Search - "password"
Why do shithead clients think they can walk away without paying us once we deliver the project !!!
So, here goes nothing..
Got an online gig to create a dashboard.
Since i had to deal with a lot of shitheads in the past, I told them my rules were simple, 20% advance, 40% on 50% completion and 40% after i complete and send them proof of completion. Once i receive the payment in full, only then i will hand over the code.
They said it was fine and paid 20%.
I got the next 40% also without any effort but they said they also needed me to deploy the code on their AWS account, and they were ready to pay extra for it, so i agreed.
I complete the whole project and sent them the screenshots, asking for the remaining 40% payment. They rejected the request saying my work was not complete as i had not deployed on AWS yet. After a couple of more such exchanges, i agreed to setup their account before the payment. But i could sense something fishy, so i did everything on their AWS account, except registered the domain from my account and set up everything. Once i inform them that its done and ask for the remaining payment.
The reply i got was LOL.
I tried to login to the AWS account, only to find password had been changed.
Database access revoked.
Even my admin account on the app had been removed. Thinking that they have been successful, they even published ads about thier NEW dashboard to their customers.
I sent them a final mail with warning ending with a middle finger emoji. 24 hours later,
I created a github page with the text " This website has been siezed by the government as the owner is found accused in fraud" and redirected the domain to it. Got an apology mail from them 2 hours later begging me to restore the website. i asked for an extra 10% penalty apart from the remaining payment. After i got paid, set an auto-reply of LOL to thier emails and chilled for a week before restoring the domain back to normal.
Dev : 1
Shithead Client: 025
Manager: Hurry up and login, I don’t have all day
Dev: One sec I have to lookup my password for the system
Manager: How can you not remember your password? Everything requires it these days
Dev: I use a different password for each service.
Manager: Wow you really like to overcomplicate things. Just use the same one for everything like I do, it’s way more efficient!
Why the Fuck would someone disable pasting on a password field!!!! How the fuck am I supposed to enter my shit from my password manager now?16
Doing some Christmas shopping.
Creating some throwaway accounts in various e-shops
Some e-shops send me my password via email upon registration.
I've spent the better half of a day emailing those e-shops to revise their IT security policies.
Haven't bought a single gift yet.
Time well spent!6
I just had to print out some bills for a colleague.
Nothing too bad you say?
Well.. She doesn't seem to care about security or privacy at all.
I opened the website of her email provider at my computer and moved away from the keyboard, so she could log in.
But instead she told me her email and password... In an office with some other colleagues... Multiple times and wrote it onto a piece of paper that the later left on my table.
After that I should look through her inbox to find the bills.
(Yup, I know a lot more about her now)
After finding and printing out her bills, she just thanked me and walked out of the office, because hey, why should I log out of her account?
It's nice that she trusts me... But that was a bit too much...4
Finally did the switch to Firefox and migrated my passwords to a proper password manager. Bye chrome!15
I found this old printout of my username and password for my school account from ca 2008. I really like how the password are the same as the username except for some capitalization 😂😅
Why the fuck do people not change their router admin password!? I was at a hotel today and could access their router admin interface with the default credentials. I guess this isn't purely the fault of the hotel because not all people know a damn thing about security and only use the interface to change the SSID and password of the AP. But why allow them to leave the default password? Why isn't this a standard feature to be forced to change the password :|13
Apple: this AppleID has been locked for security reasons.
User: Sign Out
Apple: Enter the Apple ID password to turn off Find My iPhone.
User: Turn Off
Apple: You must enter both your Apple ID and password.
Apple, please stop bugging me, all I need is to test my websites on Safari occasionally because some customers prefer to use iPhone. Just don't bother me with your Apple ID crap8
Registering a new account for microsoft teams:
`Your password cannot contain a space, &# characters combination, or the following characters: < >`
Are they storing the passwords in plain text? Are they not sanitizing the input? Why the fuck would they care if I put motherfucking emojis in my password? What the fuck are you doing to the passwords, Microsoft? TELL ME.4
Follow up to: https://devrant.com/rants/5047721/....
1- The attacker just copy pasted its JWT session token and jammed requests on the buy gift cards route
2- The endpoint returns the gift card to continue the payment process, but the gift card is already valid
3- Clients wants only to force passwords to have strong combinations
4- Talk about a FIREWALL? Only next month
5- Reduce the token expiration from 3 HOURS to 10 minutes? Implement strong passwords first
6- And then start using refresh tokens
BONUS: Clearly someone from inside that worked for them, the API and database password are the same for years. And the route isn't used directly by the application, although it exists and has rules that the attacker kows. And multiple accounts from legit users are being used, so the person clearly has access to some internal shit7
Had to change password on computer for administrative reasons (sysadmins and infosec make us change our pass every quarter). Changes didn't sync to everything so now I can't even log into my computer.
Need to go to the office tomorrow so some guy can type in an admin password on my pc and do stuff to it. If that doesn't work I will just be given a new laptop.
Seriously fuck this week6
The most annoying hack I've had to deal with was back when I did IT support, actually. Level 1 call center tech at the time. Apparently someone fell for a phishing email and gave out his outlook credentials. The phisher used that email account to send out another phishing email to roughly 1800 employees.
Security Operations noticed, because this guy's job didn't generally involve sending out mass-communication emails. They investigated, figured out what had happened, and opted for the nuclear option: they reset the password for EVERY SINGLE ACCOUNT that received the email. All 1800 of them. Over the weekend.
I walked into the call center Monday morning and checked the call stats, then did a double-take. There were over 300 people waiting in the queue. I almost left and called in sick. Turns out it wasn't that bad though. Annoying to reset so many passwords and having no downtime due to the full queue, but on the other hand my stats were better that day than any other, since every call was a 5-minute password reset.1
"I need the login credentials for the CMS service"
*sends the email confirmation email*
"No, I can't confirm your email for you. In plain English: send me the email and password to login."
Literally what the fuck is wrong with these people.
I swear we're all fucking doomed.5
TFW looking at the regex for the password validation is easier than trying to decipher wtf they want16
I think I may have shared this a while back. Just played with this a little for fun. I was playing with an ESP8266. Apparently it takes very little code to turn it into an access point and have it redirect to a landing page just like a hotel wifi does. Every platform I had connect to the AP seemed to work properly. I setup the AP without a password and let people log in. I named the AP "Virus Distribution Point". Here is what they would see:
Don't mind the name of the repo. It is a junk repo I made for making mom jokes.7
I deployed one of our staging websites to a free plan because the site is rarely used. Project Manager sends the stakeholders the new url. There will be a lot of 🤦♀️🤦♂️🤦 all around. Some of it’s my fault. A lot of it is just WTF.
Stakeholder: We still need the staging site because we don’t want to test in the live site…
PM: Okay. We didn’t say we were deleting the site. We are just moving it to a new and better hosting platform, so we’re letting you know the url has changed.
Stakeholder: This url is for the front facing page. How do I access the backend? [they mean the admin interface]
Me: The only thing that’s changed is the url for the staging website. So domain-A/account is now domain-B/account.
I thought that was a pretty straightforward way of explaining things, that even a non technical person would get it. They took the /account example as the literal login url.
Stakeholder: I forgot the password for our admin login and I submitted a password reset, but I realize I don’t know if I have access to the admin email. Or if it’s even a real email account.
I look back at the email chain and I realize that I gave the PM the wrong url.
Also, WTF x 2. How did this stakeholder not realize they were looking at the wrong website?? There are definitely noticeable style and content differences. And why would you have an admin login that uses a fake email??
Me: My apologies. I sent over the incorrect url. My instructions are mostly the same. All that’s changed is the domain.
Stakeholder’s assistant: [DMs me] How do we access the backend?
WTF…are they seriously playing this game and demanding I type out the url for them?! 🤬 I’m not playing this game and I just copy and paste the example that I already sent over.
They figure it out eventually. Apparently, they never used /account to login before They used /admin/index… but that would still bring them to /account, but with ?redirect=/admin/index appended to the url if they weren’t logged in. Again, WTF.
I know I made mistakes in this whole thing, but damn. I can’t even. I’m pretty sure this whole incident is fueling my boss’s push to stop supporting this particular website anymore so I can focus on sites that actually bring in revenue…and have stakeholders that aren’t looney and condescending like this.4
At the beginning of the last year of university a new flatmate arrived. His father dropped him at the apartment and then called me asking for the Wi-Fi password.
I told him I could not remember it on the spot and I would tell it to his son later.
I actually remembered it very well and I could say I didn’t tell him because of security reasons …
Actually I was embarrassed to say on phone: “PubesRule!”
The password was actually decided by a previous flatmate…😅3
FUCKING PIECE OF SHIT DOCKER LOSING ALL MY FUCKING DATA WHEN I JUST WANT TO RESET THE ROOT PASSWORD YOU PIECE OF SHIT CUNT!AAAAAAAAAAAARGHJ WHAT A SHITTY OBSCURE CONTAINERIZED PILE OF BEARSHIT15
I changed all my password to "incorrect"
So whenever i forget it will tell me "your password is incorrect"3
You know what fuck github , anyone remember when git cli was easy and straight forward to use
Now i have conflicting master branches because the remote is main and git automatically defaults to master.
Git still asks for a password while github can't wait to inform me how I have to go through the very long process of setting up an auth_token.
Apparently https remote origins for some reason don't work anymore, why because apparently i need to change them into ssh, good luck with the public key errors
This sucks , fuck github and fuck politics9
My Ubuntu VM just work fine for consecutive 217 days without restarting.
Need to change some config
And... I forgot the application access key... Damnit!!!
Lucky, I kept the access key in the password manager. Whew.5
I'm thinking on getting keypass as my password manager, since it's open source, can use csv files and works on a bunch of platforms.
Does anyone has experience with using it or can recommend, in their view, some better solutions?9
I thought I had lost a password to devrant on my old phone tried to rest my password I don't no which email I used among my army of emails address
Well my thoughts today are on a call worker who has a terrible work attitude.... fuck I hate3 this guy .. probably am tired of this job... is it too hard to ask for a company that has better pay and organised work flows .. here is hell hound projects come left right center everything is urgent the system is broke or roten from the core can never be fixed
client: "can you build out a staging server for us? here's all the code, everything you need"
me: "awesome, looking good, i have almost everything i need, just give me the credentials for the server, and I'll get started installing all the infrastructure"
client: "ok, try these!"
me: "doesn't work"
client: "this one?"
me: "doesn't work..."
client: "how about this one?"
me: "STILL NOT WORKING!!!"
imagine you want someone to do stuff on your server and you don't even know the root SSH password.... smh
why is this always a problem, use fucking 1password or something its 40 bucks a year, secure, and you can organize alllll your passwords. don't be a fucking boomer and write them on a piece of paper, or worse, apparently like my client, never know it or have it in the first place.5
Thats top notch design.
All actions happening on the page go to one endpoint. Removing old trusted computers, changing the password, changing 2FA, you name it.
Now if you want to remove all old trusted devices, you cannot remove all at once, there is no button for it. So you click one after the other. And then it stops working. Ok, then do the normal password rotation. Hmm, button has a loading spinner and then nothing happens.
Looking into the browser console:
- All requests go to /myaccount/security/graphql
- All requests get a 429 Too many requests
- Even if you just click a panel, it tracks the action to the graphql endpoint. Or at least tries to because even that gets shot down with a 429
Pretty dumb, eh? Must be some small shitty website. It's not. It's fucking paypal.1
We should find a way to replace passwords: any password manager which I tried is inaccurate in identifying login forms and is too hard to use for non technical people older than 40 and convince people to not use some stupid name + birth year combination as their passwords is a frustrating uphill battle.13
- yo bro do you have some time ?
- quick cause I'm taking a dump
- I think I have been hacked, got black screen kernel panick, linux freeze seldomly I have to reboot, no internet connexion
- save your stuff and reinstall linux
- I don't have enough stockage to backup
- Then buy one and save, probably either OS is fcked up or you have some hdd problems
Time that it will take: ~30min to reinstall whole shit
Peace duration: ~2years
Later on the same day
- I can't log into windows
- Did you change the password ?
- Yes but it does not work anymore
* looking at shit
* logs successfully. Reason: interface changed after automatic update.
* wait some more so fucking windows fucking starts
* Desktop is ugly as fck.
* Some stupid settings messed up (like high contrast set, black theme or so)
aunt (the same)
- I can't log into my (other) laptop either
* wait more more more
Guess what: automatic updaaaates. Freezes 100%cpu
* Being a very experienced user: wait before reboot because this suckass os will probably fail to boot otherwise
* Blackscreen with a percentage: Installing updates...
* Blackscreen with a percentage: Installing updates continuing...
* finally boot (feels like a miracle windows succeeds lol)
* still slow
aunt now sleeps
* look at running process and install programs
* sees shits like camera recognition (vendor installed), candycrush
* occasionnaly get adds
time lost: 2h
peace duration: ~3month
FFS I am a dev, not a fucking trash lover
It is already pain to fix someone os, but windows is the cream of cream
It brings no ease of use for novice user
It is so insanely slow
It has stupid settings set up by default!!!!!!!! Who FFS wants candycrush and ads
The maj are so fcking hazardous. It is 2022 pretty much the same as 15y back then. Updates take fucking eternity. And needs reboot. and are not even finished!!!
I swear I am gonna stretch my ass and install linux and any fckin other toolsuite needed so they can use Micro$$ word, which is the only fucking usecase they need windows for in the first case anyway
I SO wish this OS would die
I mean, even more than safari8
I’m side-eyeing my apartment building’s management for emailing me a non-password-protected document that includes my Social Security number. 🤨4
Just realised that devRant doesn't give me the option to change my password - I had to go through the forgotten password routine to do it.6
My brother works in fintech sector. He had created an Options strategy after months of hard work and deployed the strategy in production via CI/CD.
However, the strategy didn't deploy automatically on Monday and few trades didn't happen leading to loss. His boss came down firing at him as to why strategy was not deployed.
Turns out the IT team had changed the password on Friday evening as per their routine password updates.1
I’m in a tough spot - I’m completely overloaded with sysadmin type work (server upgrades, firewall and vendor coordination, security, password maintenance) that I don’t have time to complete any programming work assigned to me. My bosses are aware and have done their best to help, but I just can’t keep up (have two young kids too and just can’t work nights anymore without trouble at home). My bosses have been great, so I feel terrible about this, but I think I’m going to have to look for another employer, I can’t do this anymore. Am I a horrible person to leave them with so much work even though they tried to help me?8
> * npm login *
> puts everything right, uses token because of OTP
> npm login fails: incorrect user or password
you know what, fuck you5
Is it really good OpSec to log me out of outlook every hour when the password manager lets me automatically log back in?2
i'm sitting on the bus a few years ago, slamming the keyboard on my chromebook to try and get a wifi password. open crosh by accident. i went to check it out for a few days. i check back a few years later, every tab (basically everything for CrOS) autocloses if it has "crosh" in the url (regardless if it's crosh or not.) this pisses me off. i tell my brother about it, and he gets the terminal running for one day. how? i still dont know, sadly the program he installed (a harmless music notation app) breaks as well as the terminal. to this day i still wonder about what our IT department was thinking.
i once changed all of the passwords of my main online accounts(google, apple, facebook, telegram, outlook) as they weren't changed for years.
i decided unique and long passwords for each of them.😎
immediately after changing the passwords, i forgot all of them. 😵fortunately, i was able to reset.
Has this ever happened to anyone?3
Vivaldi browser is shit.
Simple isntructions on how to make most shitty browser ever:
1. Force users to use "really-fucking-long" password that will not match to any of their existing ones.
2. Invent some useless stupid "encryption password" (why does any normal browser work fine without that shit) and most ridiculous - automatically set it to be the same as the main password.
3. Of course you forget the pass you set because you dont remember what symbol you added 5 times in the end of your normal pass to fit their stupid rules.
4. You have to reset it
5. "Encryption password" does not reset with it, so you still dont remember it
6. Sync is not working!
7. If you think this is shitty enought, you are not right - they went futher. To reset that fucking "encryption password" you have to... ERASE ALL YOUR CLOUD DATA.
Fucking retarded piece of shit - never, never trust those morons who made this shit browser to sync any of your sensitive information.17
So i wanna try explain the concept of JWT to a 5(+55) year old, and also to myself who is noob at web stuff. please tell me if this is a correct analogy, because i am myself confuse regarding how its secure?
So A wants B, a blind jeweller, to keep his super valuable notebook page with bank passwords safe. B says "give me your sheet and 5 nickels". (Assume that every nickel is always 1gm, made up of pure iron . Assume these statements to be true and world-known )
B takes A's nickels, melts them, adds 20gm more iron, adds 25gm copper, adds 25gm aluminum and then adds 25gm carbon dioxide and makes a mixture that is impossible to revert , but will automatically disintegrate after 24 hours due to CO2 (again, pure true statement, but this formula is only known to B) .
He makes 2 exact copies of keys from the 100 gm mixture, gives one to A and says
("Anyone can either give me 5 nickels of same name, markings, and year and i will give them back this secret sheet. or they give me the same key fo next 24 hours,and i will still give them back the sheets. after 24 hours, this key will also not work. I will even keep this on public display that i make keys using the materials I just showed, and then also no one would be able to create he exact same replica because they don't know how much percentage of each material went into the mixture"
So is this true? I have heard my friend boldly claim that they don't store user passwords as plaintext or even encoded text but rather doing this :
user password + company's private key --->[public domain encryption algorithm] = irreversible public key which is saved against user profile as "password"
public key + other info + time bound expiring logic ---->[public domain JWT encrypted token maker algorithm] = reversible JWTToken which is sent back to user
if user sends back token, then
token --> [JWT decoder] = public key + other info
if public key matches the stored public key , then user is a real user and should be given data
if user sends back the original password, then
user password + company's private key --->[public domain encryption algorithm] = irreversible public key .
again if public key matches the stored public key, then user will again receive access?
So this means all the time we are transmitting a lightly jumbled up version of public key, which is itself a hard, almost irreversible jumbled up version of our passwords that can only be unjumbled via a private key (or jewellers mixture ratios) that companies hold dearly ?5
Microsoft Teams login says password is incorrect then and for a captcha
I type it again but fails...
I'm like wtf... Could it be the captcha...
Which I entered in all lowercase
It doesn't say the captcha is case sensitive though..
Next few times it gives me captchas with k... Teehee me like 5 tries to login
Are we trying to verify passwords/humanness or whether I can somehow tell the difference between K and k?1
I am creating a Facebook brute force software... Everything is perfect until it reaches the code that reads the password list.. Then it says no module found for read line!