Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Today I discovered by myself that...
...in a shell...
...when entering a password (e.g. ssh)...
...and you make a typo... 🤦♂️
...you don't need to smack that backspace key like a maniac! You can just use the clear line shortcut: control+U (^U). This clears all input to the left of your cursor and this also works for passwords.26 -
Creating a new account is always fun...
"This Is My Secure Password" <-- Sorry, no spaces allowed.
"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number
"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character
"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed
"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed
"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters
"Fuck" <-- Sorry, passwords must longer than 6 characters
"Fuck_it" <-- Sorry, passwords can't contain bad language
"Password_1" <-- Accepted.25 -
"your password must contain a capital letter, two numbers, a symbol, an inspiring message, CV, a gang sign, a dragon blood"
7 -
At my company we need to change our passwords every month and every month I add a an extra exclamation mark at the end of my password. Now after 5 years there is an unbearable amount of exclamation marks so I tried to change my my password to 'beefstew'.
Apparently it wasn't stroganoff.9 -
When you are resetting your password and the website emails you your current password in plaintext. 🤦5
-
This project manager, man....
> Sends email to a client "Dear Ms X, here's your password for the Jira board: [...] Please handle it with care and keep it secret."
> Email goes out to 5 people.
6 -
My last school used my SSN as the default account password.
Just to test, I used the “forgot password” functionality, and they sent me my SSN over clear text.
As a developer, I see that as 2 mortal sins 😡12 -
Google: Don't use a password from another site, or something too obvious like your pet's name.
Me: 5f4dcc3b5aa765d61d8327deb882cf9918 -
Trying to login...
"Sorry your password is expired. You have to change the password every 60 days".
«Oooh, c'mon...» Inserting a new password...
"The password must contain at least 1 lowercase letter, 1 uppercase letter, 2 numbers and 1 non-alphanumeric character.
«Please, fuck off and die...» Typing again and eventually entering to private area...
My phone vibrate, there is a new SMS: "Your new password is H0lySh1t!"
WTF. Are you serious?14 -
1. Create user on website.
2. Receives mail with username and password.
3. Changes password.
4. Receives mail with new password.
5. Delete account and look for another service.3 -
My boss wrote the password to access the office on his whiteboard, which you could see from outside of the building.3
-
Q: What's your WiFi password?
A: It's fourwordsalluppercase, one word all lowercase.
http://youtu.be/bLE7zsJk4AI2 -
- Password can't contain less than 3 chars
- Password can't contain more than 12 chars
- Password must contain only alphabetical and numerical chars
- Password must contain at least one uppercase letter
- Password can't contain a sequence of repetitive chars
- You already used this password in the past
- Password can't contain parts of passwords already used in the past
- Password can't contain your name, birthday or any other personal information
- Password can't be an anagram
- This password is too weak
"Remember that you have to update your password every 6 months".
Who the fuck has enough imagination to invent a new password that meets all these requirements every fucking 6 months?
And if so, how the fuck you can also remember it?
Fuck off… I don't really need access to my university account, right? 😡22 -
"The password must be 6 to 32 characters long and must contain atleast one uppercase character, one lowercase character, a special character, the md5 hash of your last name, a dried olive branch and the blood of a unicorn."6
-
Guy: I don't trust password managers
Me: so how do you remember passwords?
Guy: oh, I just keep them in a note in the iPhone notes app/iCloud.9 -
I accidentally sent my password to slack channel!!
I have deleted it and changed my password of course, but it still doesn't make the embarrassment go away. Especially because my password is something ridiculous like :
Materialisticbitch88$$$
Some people have already seen it!!
RIP my reputation.
:/22 -
Even though I'm a web developer I work in a very small IT department, which includes just me and my colleague.
Yesterday we got a pretty usual request. Someone forgot the password to an excel file. We already started a brute force attack, but we had some fun going through the worst passwords we ever stubbled over in our carrier.
He was like:"Maybe it's just his name?"
Me: "Oooh or maybe it's just the brand and 123?"
We laughed a lot. Not really considering we could crack this "important" file.
But it really worked out. The password was the brand of the business unit and "2017".
I've sent everthing back to the user, telling him exactly how we cracked it... His answer was:"Oh yeah! I knew it was something easy, so me and x could remember it easily!"
...
Why do you forgive easy passwords anyway? If I can crack it within 5 minutes... Everyone can! ...
And if you do it to "remember it easily"? Why the fuck don't you remember it?4 -
You, stupid fucking game, have just sent me my new password in plain text via email?
"the password is encrypted and cannot be sent again"???
So… you send the password in plain text, and only then encrypt it, right?
But it's still in plain text in your email logs, fucking bastards.
10 -
*enters password*
*misspells a letter*
*OMG BACKSPACE! BACKSPACE!*
*retypes whole password again* 😂😂6 -
First rant, please take pity on the noob! 😐
Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫
Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...
... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.
So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.
Makes you consider the amount of control these big companies have over your life 😶16 -
So according to some reddit user IKEA sends your password as a GET parameter in plain text.
https://reddit.com/r/CrappyDesign/...
Seems to be a network authentication thingy, but still 🤔
35 -
My git password is only muscle memory at this point.
If I accidentally try to think about what I'm typing I end locking myself out for the rest of the day.5 -
Set up an account at Wells Fargo today and they told me the password requirements... This is a joke right?
12 -
This lady was screen sharing during a meeting. At the GUI login for her Linux box, she accidentally typed in her password for the username. In front of 50 people, she showed everyone her password was "Tittays69" 😂2
-
Other guy: Hello! I need your help! I don't have my password for my gmail ! Help!
Me: Okay, ... (proceed to guide him where to recover the passwords), Now enter you email in.
Other guy: Well i don't remember it either, Help me get my email.
Me: ...
Fml7 -
My insurance company sending me the payment slip by post with my username and password to the online account for easy access. How sweet of them. 10/10 customer satisfaction.
I see your "Storing passwords in plain text". I raise you to "sending passwords via post in plain text".
16 -
If I were in charge of the company's upcoming-required-password-change notification system, during the month of October users wouldn't get an email.
Instead, the phone would ring.
When they answer, at first there'd just be hissing and crackling.
Then after a few seconds, a kid's voice would whisper,
"Three daysss..."3 -
I am currently at vacation and staying at a campsite.
There is a WLAN called 'Seecamping1'.
Well I had to try cracking their password...
First attempt: The name of the WLAN, didn't work.
Second attempt: 1234567890
...
Guess what.
It worked lol8 -
I now know another person's password without even wanting to.
He was sitting in the row in front of me, logging into our course page and then *brrrrraaaaapppp* - ran his index finger along the top number row and hit enter.
1234567890
I don't even know what to say.13 -
Colleagues sharing passwords.That was a big fat NO when I was a sysadmin - and for a good reason. But now, since I'm closer to development, it feels like no one really cares about the passwords. If I tell my colleague I'll take 10 minutes more because I can't log in, he OFFERS me his credentials. And sends them over saying "in case you need it". [the next day the same colleague was complaining his account is locked out. Oh, wonders! How on Earth...!]
But seriously, password sharing is a serious problem. I would fire the person on spot if I caught him sharing his credentials! This is the 8th deadly sin! IDC if they are for non-prod. Most people reuse their passwords in multiple systems, and even non-prod envs can bring the prod down! Or worse - install a trojan.18 -
Created webmoney account with password lenght of 81 character
Tried to login to my account
Password lenght cannot be more than 60 character
Now i have to reset my password to b e able to access it7 -
So this just happened with my ISP, i have no words...
The fact you have my password in front of you in plain text is fucking terrifying and i know you do because i used to work for an ISP.
10 -
I imagine those researcher must be like : "Would you give us your password? It's for a research project"
3 -
So my neighbor needed my help with her notebook. She said she has to provide a new password everytime she logs in. I asked her to log in in front of my eyes. She entered her password and clicked "forgot password" instead of "login" 😐
Did you ever hear of "return" ?4 -
That awkward moment when you are focused on talking to a friend, and you realize that you wrote your password in the wrong field9
-
My brother singed up for a browser game.... They sent him his log data (including password) via email7
-
Walking up to my computer, on autopilot i typed my password to unlock it, pressed enter ...aaand realised it was unlocked and I just sent my password in the clients general slack channel.
Quickly changed it to a smiley and pretended it was raining..
Any one else who mistakenly typed a password or other secrets in a slack channel or similar? XD
10 -
Girlfriend: There are so many passwords to remember, man. What's my amazon password, baby?
Me: Just use a password manager?
Girlfriend: That sort of thing exists?13 -
Once I had to do a 'hands on' pair programming session for a position I applied for... Together with the lead dev we would switch coding every 15 minutes It was somewhat of a horror story...
The assignment was to implement an password reset flow, connecting it to the api and then handling the entire password reset flow, in Angular becahs ye know has to be Angular...
After drafting the ui and setting up the click events, I wanted to hookup the api calls, but then it was time to switch around...
The fucktard dev first started to adjust my classmappings to be more in line with his preference, without touching the css classnames... Ok... Micro managing ... Check...
So after breaking the styles, he wrote the fetches to the api endpoints and that was his 15 minutes of shame...
I continued only to find out the endpoints we were using had errors in them and would not return anything workable...
The dev said he'd tested the endpoint before and it worked, but clearly it didn't...
After about an hour of going back and forth trying to get this to work he got a call from a client because server was down (surprise), he excused himself and had to prioritize on this, running out and leaving me there for the remaining morning ...
I just sat there waiting for the HR checkout talk, only to lean towards rejecting the position...
Fucking waste of time, and in the end the feedback was they doubted MY TECHNICAL SKILLS ... And wouldn't make me an offer 😂👍 nice story bro...
K THX BAI!7 -
This was typical for me:
Yesterday evening I was installing a webserver on my Raspberry Pi for experiments with WordPress. I began some days ago, but I had to stop because the downloads took at least to long.
So I started to logi in:
Username: Raspberry
Password: Pi
-> False Password
Wondering why it is not working a tried again. Same result. After some time I remembered that I changed my password.
Username: Raspberry
Password: Ih4G2tgY*
-> false password
*example
Tried again. Still false password. Then I remembered, that I used my another standard password.
Username: Raspberry
Password: U2gra94hY*
-> false password
After that I felt a mix of angry and helplessness. After some other failed attempts I gave up.
I formatted the SD-Card and installed Raspian again.I started my Pi
Username: Raspberry
Password: Pi
-> false password
My thought: WTF, why does this not work!!
This was the moment when I got the brainwave that the Username wasn't Raspberry, it's Pi.
Username: Pi
Password: Raspberry
-> access
Then I hated myself.9 -
Customer: «We want all the users belonging to this organization share the same username and password»
[Editor's note: we are talking about 500 users, more or less half of the total in the system]
Customer, after some minutes: «It's very important for us having the web interface using HTTPS, because we care security a lot».
So, please, go fuck yourself. And die.6 -
My dad got a job at TD (bank)
We where talking about their computers and stuff. Then we started talking about passwords.
Keeping in mind that this is a bank....
Here is their password rule:
6-12 char long
All lower case
Only letters and numbers
(Passwords are stored on a legacy system)
Why?
Why should I trust that bank??
And also.. how do they expect to be extremely secure??10 -
"please use a secure password*"
* But don't make it too secure, 20 Charakters is enough.
Why would you fucking do this? The only reason I can think about is a scenario like this:
"How do we store the passwords in the database?"
"Just like anything else?"
"So I create a VARCHAR(20)?"
"Yeah why not? It's good enough for a name, and you shouldn't use your or anyone else's name as a password, so it should be perfect"10 -
Aww SwiftKey, after two letters youre suggesting the right password, that's so nice of you...
Wait a minute... WHY DO YOU EVEN KNOW THAT?
You're not a password manager and you don't do that with other passwords, what's wrong with you?4 -
TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."
Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!7 -
The last startup I worked at didn't give us the WiFi password because they "didn't want people to get distracted by unnecessarily using internet on their phones". Little did they know that making a hotspot from a laptop is totally a thing...5
-
Registered for a job application website and on profile page I see my password in clear type! ...
Time to change password to an easy one and remove profile as fast as possible...
Story goes on: changed password which included a special char successfully.
Tried to remove the account but was told password has invalid chars.
Logged off to see if the password still works. Can't login anymore...
Instant rant mail to admit.9 -
Really!? WTF would you even write a confirmation message reminding me to contact the admin if I didn't request my password change on this screen!?!? Of course I wanted my password changed, I just entered my new password. That type of crap is what you should e-mail me AFTER my password changes.
2 -
So I thought I will set up a PIN to make logging into the corporate PC easier. Hm... based on these requirements I can probably stick with password.
12 -
Translation: “The Password is to long. Please choose a Password that is not longer than 12 Characters.”
Oh, and the Password can only contain Letters and numbers 🙃
14 -
Switched banks, got new e-banking, unable to set up a new password.
It contains invalid characters.
IT'S A FUCKING BANK ACCOUNT I SHOULD BE ABLE TO USE HASHTAGS OR EVEN HAVE FUCKING SPACES IN IT IF I FEEL LIKE IT.7 -
public String getDbPasswd(){
try{
String dbPasswd = SomeInhouseEncryptionLib.getPasswd("/hard/coded/path/to/key");
return dbPasswd;
} catch(Exception e){
LOGGER.log(Level.SEVERE,e)
return "the-actual-password";
}
return null;
}
And this is now in production
FML3 -
My argument: Password change policies (every 3, 6 moths, etc.) are a detriment to security because users will either come up with simple, throw-away passwords (knowing they will need to change them soon anyways) or use the same password anyways with a few variations.
Discuss.22 -
I bought flowers for my date. Online.
When I registered, the website send me via email my 30 character long password.
😥
So I try "forgot password". The genius website sent me, guess what, my 30 character long password...
For fuck sakes!!!! You had one job.... Hash the fucking password!!!!
I'm afraid these people will probably get hacked soon (murphy law).
Sha256.. Guys please...12 -
Client: why do I have to use such a hard password for this website?
Me: For security reasons to protect your content and identity of your clients.
Client: Can't you just use the password that I'm used to? I use it on my banking software, and I've never been hacked so it should be good enough for you!
Me: what's the password that you want me to set up for you?
Client: you ready to take it down?
Me: go ahead.
Client: T ... U ... R ... D. You got that?
Me: ... Yes ...
*sigh*6 -
My mobile provider doesn't allow me to set a password that contains any other symbol than letters and numbers for the website where you can look at how much data you consumed (and can order new data, change plans, etc.). Are you kidding me. This is making shit insecure, you fucks!17
-
...when users create a ticket or call support because they forgot their password. Even though there is a big 'forgot your password?'-button right below the login form.
I always wonder if they also call Google or Facebook when they forget their password on those accounts...2 -
What. The. Actual. Fuck.
My co-workers just tried to convince me that the following is a secure password:
"ThisIsASecurePassword2018"
Just... I mean... Why? *sigh*
Their argumentation is based on the new NIST guidelines.
If they've read these guidelines CAREFULLY though... (not only the appendix) it actually states "Don't use words from the dictionary". Passwords like these should even be rejected right away.15 -
>Get password vom dev.
>Try to connect to MongoDB.
>Had some changes in how to connect because of Kubernetes and stuff.
>Always get authentication error.
>copy password again
>stop and restart portforwarding
>wait almost 1,5h (was lunchtime) for DevOps guy
>sit next to him and ask for help
>he unhides the password and deletes two spaces...
fml4 -
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
It wasn't.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin priveledges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.2 -
A colleague asked the boss to add a password to the company password manager so we could access it securely. She replied to the message with the password. We're doomed.1
-
Amazon: you're logged into 53 devices.
Me: ooooh Kay, since when do I have that many devices. let's sign out of em all and change the password for some piece of mind.
Spongebob: * a few hours past *
Spam email: someone in the US has logged into your account - click here to verify through some random URL that doesn't even contain "Amazon" in it 🥳
-
I suddenly have that feeling Amazon sells you're account setting changes and not just your personal details.3 -
When I see two fields, one for username and one for password, I expect I can fill them out immediately subsequently with only a tab in between. While typing my password I DON'T want to get sent to a page where I can enter my password only: I was entering it already! Sometimes I even make it until I pressed the enter key that was supposed to log me in, but then I'm kindly requested to reenter my password. At that moment I not-so-kindly think: FUCK YOU Microsoft, you should know better. Even when logging into Visual Studio for fack sake3
-
Was looking through the most used passwords list (the one that had 'removed my password from lists...'). 'password' is like one of the top one, and then 'PASSWORD' is 810th !?!?!?! At least it's before hentai...
8 -
This is just priceless. I submitted my thesis to an academic congress, which sent me this confirmation email. They are so 'concerned about security' that they assured me the email is legitimate by including MY PASSWORD.
3 -
If we compare this list with last year’s list, nothing much has changed. The top three worst passwords of last year were ‘123456’, ‘password’, and ‘123456789’. Source : Splashdata
Top 10 worst passwords in 2019 below:
1. 123456
2. 123456789
3. qwerty
4. password
5. 1234567
6. 12345678
7. 12345
8. iloveyou
9. 111111
10. 12312316 -
Got a new eval board. It came in with a stock firmware, had its own IP and naturally its own webGUI. I wanted to check what was under the hood. So I SSH'd in to the device, and was prompted to enter the username. There weren't any specs or documentation.
*Hmm, let's try root*
User: root
Password: *Eh? Well, what the heck* admin
.
.
.
root@evalboard#
Muhahaha!!! Meet your hacker, eval board!3 -
TIL how to enable "insults" on the terminal. So every time I type my password wrong it insults me :D5
-
A well known, big company in my country just sent me my password in plain text upon registering.
These devs actually got paid to do this...6 -
So, among the ridiculously long list of password requirements, password is not case sensitive BUT it has to contain uppercase and lowercase letters?
17 -
I just got sent an email after registering an account at a webshop which contained my username and password.. *sigh*12
-
When you're at a friend's house and they say they just changed their Wi-Fi password to 192837465. She was confused why I was laughing.11
-
I know i know, its an old story.
but.
FUCK YOU AND YOUR STUPID PASSWORD REQUIREMENTS
NO SPECIAL CHARACTERS WONT MAKE IT SAFER
FFS. JUST SAY IT HAS TO BE 20 CHARACTERS AND BE DONE WITH IT
14 -
Tldr; make sure what you study is relevant to the field and you enjoy it otherwise don't waste your time.
BTW: devrant is awesome it gets me through the day.
So I am almost 3/4ths through a master's in cs and I am contemplating why I went to school in the first place/dropping out.
My program is basically an extension of the bs I got from the same school meaning we learn very general cs topics. There is only one ai class for example.
I had a junior developer position before I even got my bs so now that I am this far along and looking at job openings I'm wondering what why and how my school is able to get away with teaching us this shit.
After all my schooling I learnt more on my own and through Google. I have little to show for my school work other than a degree that says I did a bunch of busy work. And the specific things that I did learn I will never ever remember. Seriously. Who here knows what a MIB and OID are and have actually used them?
I wish I tried harder to get into a school like Berkeley but just looking at their applications is depressing. I always had issues with school and they expect my to have the grades, extra curriculars and other shit. I'll build you a robot or make you a website but I'm not doing that nonsense.
And then there's Google and apple and all these big tech companies expecting me to have written full Enterprise software and know every single algorithm and programming language because everyone uses something different. Sure I wish I had experience in all 50 languages that are popular right now but I don't. And I'm not gonna learn it from school that's for damn sure.
Who here actually went to a good school and can say it helped them in the real world? How many employers actually care about school over actual experience?
Who knows how to burn a school down and get away with it? Or at least make teachers with Phds stop reading off slides all lecture. I know how to fucking read for fucks sake. Not too mention they use shitty software made in 2003 that's no longer supported. And I could go on about the teacher last quarter who graded the midterm on final day while he flirted with the 3 girls in class. And I could go on and on and on but I feel like I need to start being productive so I don't waste away.
Just so done.7 -
Microsoft seriously hates security, first they do enforce an numer, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen to often, gee thanks for the brute force tips.
To add insult to injury the first displayed "tip" take a look at the attached image.
16 -
Once upon a time, in a proprietary e-commerce framework used by few hundred sites...
I just took over a project where the previous developer stored password in two separate fields.
password & password_visible
First was encrypted and used for authentication. Second was plaintext password and was shown in the admin panel.
Hope to meet this god someday, I'd sure ask why the hell did he use encrypted password for authentication anyway. 😂3 -
Just enrolled for uni and…. they email back my password in clear text…
Translation: "... using the secret access keys", yeah secret my ass, and they send you the password even when you change it so what's the point in letting me choose the password, just send me one i can't change.
Luckly it's computer science or else it could have been worse 🤔
13 -
So our teacher just has us sign up for a learning site called Gizmos with a ton of students information. A lot of students forgot their password as always and some didn't register with an email so I expected the teacher to reset them..
Then the teacher had students come up to the front of the f****** class and SHOWED THEM THEIR PASSWORD IN PLAIN TEXT. WHAT THE HELL4 -
Google has a password reset procedure so intense, that even if I can sign into my recovery account and give them the code from there, use 2 factor auth and give them the code from there, tell them my recovery phone(s) number(s), give them my mother's father's mother's late cousin twice removed daughter's maiden name, and whatever other security measures were set in place, I can't get a fucking password reset. Thanks Google, fuck you.3
-
I forgot my password to [SITE]. Of course, I click "forgot password", and enter my email, which I did remember. Fairly routine "ah shit we have a problem" steps.
Now, it takes a second. This is to be expected. So I'm not worried. I then get the email and...
Now, you will notice that I redacted some information, like the company name, email, and my PLAIN TEXT PASSWORD, and my name.
I would like to note that this isn't a small, very local company that's new (even then it'd be unacceptable), but this is a multinational, multimillion dollar company.
How'd someone fuck up THIS badly?
13 -
Ladies and gentleman, I've done it.
Remove your hacker game trophies from your wall.
That nasty bug you fixed a couple of nights ago? Meh.
Your top devRant post? You'll delete it after reading this.
Every awesome accomplishment you can think of: it all means shit now.
>> I have SUCCESSFULLY changed my business Microsoft account password into something I can remember AND Microsoft accepted it in under an hour of trying!!!!! <<
I want to say a big FUCK YOU to MICROSOFT for WASTING MY BLOODY TIME.
FUCK YOU for giving me a max of 16 characters. DASB&(*(&G*HH*& for telling me every time my password is 100% strength and then after every submit tell me I have to change it AGAIN because it should be harder to guess. WUT?! It was 16 characters including a (capital) letter, number and multiple special characters, WHAT ELSE DO YOU WANT FROM ME?! UNICODE EMOJI'S???!!! ALLOW ME TO USE MORE CHARACTERS SO I WILL MAKE IT HARDER TO GUESS IT, IT'S 2018 FFS.
I don't even understand why my new password is accepted compared to the other one, but fuck it I can access my account again.
Now I might have to find a new job before the company password policy kicks in again.
/me drops everything and walks out of the office to get wasted (not sure if celebrating or just really pissed off)9 -
Thanks to mandatory password change, today:
- My windows account got locked because my phone kept logging into wifi using
old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.
All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password" -
Just stumbled across this gem last night. You guys know how biggest online games site in my country (also backed up by largest ISP) handles reset password requests?
After clicking "Forgot password", it asks you to login to Gmail (cause everyone is assumed to have and use one, right?) and then opens "New Email" window prefilled with some template data which you're expected to finish (in screenshot below).
And I just wanted to play some Ludo with my friends.. 🙄🙈
2 -
Client: MY PASSWORD DOESN'T WORK
Me: our passwords are case-sensitive
Client: YES I USED CAPS LOCK1 -
Well, my best friend passed away last week, he was 19 years old, a techie and a plane hobbyist, today, his mom called me and asked for help recovering his password on his windows 10 laptop
im going there tomorrow with my full arsenal of equipment required, do you have any suggestions what could be usefull?13 -
Oh noes... My password on localhost:8080 has been leaked :( what to do.. what to doooo..... :(((
Oh FFS google! Get yourself together!
1 -
Creating username / password first time - checked
Storing password in plaintext - checked
Messaging password in plain text after a password change - whaaattt????
7 -
Long story short: University fucked up single sign on.
For every online service I have, I set a different password, randomly generated ~ 20 characters long. At our university we have multiple systems but they offer a single sign on service which is quite nice because it is so non-transparent which service now uses which authorization. I changed my password a while ago and around the same time they also updated our mail client. Since then I am not able to log in which is not a big deal for me because I have mail forwarding.
Yesterday however I needed another service and also got rejected with my password. I knew from a friend that the passwords are fucked up and that some services have different restrictions (only 12 chars max.), so I decided to search how to reset my password. What the fuck was wrong with these people? It takes you five different pages to get the tiniest bit of information how to reset the password. Then on one page you can login with your single sign on and change the password. On that page you can also set the single sign on password, but if you enter an invalid password (in respect of the the other services) guess what? No feedback that you just locked yourself out of half the systems. Nice job. Also the password requirements are not next to the input fields where you change the password. Noo. That would be way to easy, remember the little small one line on the wall of text three pages ago? There you go.
Ok step one done. Now it should work, shouldn't it? Ohh no not so fast. One needs to activate the seperate service. Where you ask? Perfectly fine question. On the top of page four is a fucking one line table which looks like some five year old had some fun in excel. The button which takes you to the activation page is nearly invisible because of the non existing contrast. Also it is not a button but some arrow pointer thingy. Behind set arrow you have a page listing all differnt kinds of services, the description which you find on page two btw. No padding to decipher this shit what so ever. Nearly on the bottom is your needed button. Yes finally.
Finally I want to login, no good. Try again. Still no good. Go back to the fucked up excel table look at my username and think to myself what's the difference here? The table is so small and again no margin or padding. Apparently they cut of the last character of my normal username which i have which is fucking ridiculous.
What is wrong with you people, we are a TECHNICAL UNIVERSITY, is it so hard for you to find someone decend to unify this shit?1 -
Websites that still for w/e reason limit the number of characters a password can have...
Seriously, when a website starts bitching about me entering a 32-character password generated by my password manager "being too long", I seriously start to wonder how they store the password...12 -
half day gone try to find or remember the password of some SSL/key/encrypt/crt/shit/whatever.
Blaming myself for hours, how could I not save the password somewhere?
#Enter Password:
(I pressed enter, no password).
it works.
I love IT security -
WTF is wrong with these Govt websites...!!!
Trying to login
"Password is incorrect"
Clicked on reset password,
Now guess what happened next...
They said,
.
ENTER YOUR CURRENT PASSWORD!!!1 -
So they want me to remove the system that prevents users from registering with passwords that have been leaked online, because “its too much effort for new user to come up with a new password instead of using a same one everywhere and they might give up registering”
Giving up security for convince doesn’t usually end well, does it,7 -
Damn it gitpush focus when type the damn password!! I locked my self out of my server again 😭
Time to visit the portal and login 😒6 -
So, I just created an account on a premium objective information website. It basically sells access to several articles on laws and general "financial relevant subjects". It is important for my work and they have pretty strict password requirements, with minimum: 18 characters length, 2 HC, 2 LC, 2 special, 2 numbers.
Without thinking twice, openned Keepass and generated a 64 length password, used it, saved it. All's good. They then unlocked my access and... wrong password. I try again... wrong password.
Thinking to myself: "No, it can't be that, maybe I only copied a portion of the password or something, let me check on CopyQ to see what password I actually used."
Nope, the password is indeed correct.
Copy the first 32 characters of the password, try it... it works...
yeah, they limit password length to 32 characters and do not mention it anywhere ... and allow you to use whatever length you want... "Just truncate it, its fine"1 -
Thank you, dear 3rd party vendor replying to my ticket to my work email and sending me my new password IN FUCKING PLAINTEXT!
10 -
Password guidelines...
Just got an online account for an insurance:
Allowed characters for password are a-z, A-Z, 0-9.
Really?
I tried special characters, maybe they just forgot to mention them. Doesn't work, "Password not valid".9 -
I'm tasked with hacking a million dollar production machine and all the PLCs have the same password for the root user, which also happens to be the name of the company producing this shit....5
-
Sharing your password with your coleagues is like sharing your underwear or your GF with them. It's not right and unless you're into some weird fetish you won't really want them back...
I've been asked to help in my previous project and I'm fairly certain my credentials are expired/locked/forgotten there. Guess whose managers will be encouraging sharing current dev's on that project passwords...3 -
Everyone here deserves the worst.
No, really, you all deserve those dark juicy stories. So here's why I hate password systems that don't have the user experience in mind.
Recently my university went under a huge update, most of it good, but this is DevRant, so let me tell you what's just the worst.
They asked me to change my password, they do this every month or two. So I did it, but as I clicked "Ok" a wild error appeared! It told me I had to use a password that was not one of the FIFTEEN that I'd used previously...
I tried everything, and despite everything else being poorly programmed, or what not, I thought it would be easy to spoof. Nope. Unfortunately this seems to be the ONE thing they did right. Looks like I'll have to go back to basics. Just add a number on the end of my previous password, up to fifteen, and reset :]
I think this rant needs to turn into an email headed straight to them :)3 -
What the fuck is wrong with Google?!!
Trying to log into Gmail.
Forgot password.
Gmail: To reset, code from authenticator app is required.
Me: Super. Good thing I set it up.
Enters code.
Gmail: Recovery email.
Me : Uh... Forgot that too.
Gmail: Some email address to communicate.
Me: Super!
Enters some other email address.
Receives mail with a link.
Me: Finally!
Opens link
Gmail: "When did you create your account?"
Me: Uh... If I had that kind of memory, we wouldn't be dancing right now.
.
.
.
Gmail: Sorry we couldn't verify you.
WHAT THE FUCK, GOOGLE?!
What sort of sadist play is this?!
Dropped them a mail to get access back. Got a link in the auto reply that explains how to repeat the above process. WTF?!
What the actual fuck?!11 -
...sincerely?
FUCK YOUR PASSWORDS
FUCK YOUR PASSWORD REQUIREMENTS.
FUCK YOU thinking you are the most important site in the universe so of course everyone will remember their password mangled beyond the original intention/recognition by your idiotic requirements!
I want to have an insecure password? MY PROBLEM.
I want to have the same password everywhere so I don't have to go through the idiotic "forgot my password" dance each time I try to login into your page? MY PROBLEM!
You're not the most important site in the universe.
I'm getting seriously fed up with this idea in general.
WHAT THE FUCK. Why did nobody come up with nothing better yet?
And the password storages and autocompletions don't count, that's a plaster on top of idiotic paradigm, nothing else.
...how is there nothing more sensible, still, after 18+ years?5 -
I don't understand how is possible that programmers today are developing applications that are storing plain password in the database.
I know it's kinda boring topic since everybody here is talking about it this week, but it's really confusing to me.
Every now and then some DB gets hacked, millions of passwords are leaked and then you have developers, who should be smart and logical people, who decide to do that.
Ok, maybe the project deadline was close or something similar, but I think there is no excuse for something like that. No matter how close or behind deadline project is, you should always be able to explain to your boss/client what could happen.3 -
If your site only supports alpha numeric characters in my password. You should tell me that when I reset my password rather than just killing the special characters out of the string and submitting my password like that. I spent 15 minutes trying to log in before I gave up and reset it to something simple.
Also, you should let me use special characters in my password, it's 2017.8 -
Log into tech support community website...
Get prompted to change password because my current one is too old...
Paste in the same password I already am using...
ACCEPTED! -
1. A login window or form appears
2. Enter username
3. Enter p-
4. Another application STEALS THE FUCKING FOCUS
5. Enter half of the (or the whole) password in the app that stealed the focus and press Enter by mere inertia
Or this variant:
4. The username field gets autofocused
5. Enter the password in the username field, out in the clear for everyone to see
DON'T YOU STEAL ME FOCKING FOCUS MATE3 -
Scored another win as the family tech guy! I found out my wife's sister and her husband were storing all their passwords in a Excel spreadsheet. Long story short they are now using a password manager. 😁2
-
So, I was going to make a little startup script to a friends laptop. I opened it up to realize I didn't know the PIN (not sure why it used a PIN instead of a password, but it did).
I looked up at the username, and it was in the format [name][number]. I though, "surely, no...." and tried it.
Yup. His username was basically [username][mypassword].
*sigh* -
Passwords.. how do you guys manage yours? I'm one of those who often used the same semi weak password for nearly everything
I'm more than likely going to get a password manager but I have no idea which, do you use any?31 -
So I get home from work, sit down infront of my computer and start browsing a few sites.
The loading times was not as fast as they should so I checked out my network setup. I had been auto connected to my ISP provided modems WiFi, which happens every now and then, so I reconnect to my faster and better WiFi AP.
Invalid password. What? Ok.. Let me just type in the same password, slowly..
Invalid password. MF..... Same password, looking down at my keyboard.
Invalid password. GDMF...
Browse to my AP config site, type in username and password.
Invalid password. Oh no you fucking did not just deny me entry as well.
Ok. Something is up and I'm going to get to the bottom of this!
Boot up Kali, fires loads of crap at the WiFi and the site. Still no damn luck! WTH!
I go upstairs to my AP, turn it off and on again.
I can now login on both my AP WiFi and config page.
It had frozen.
Thats two hours of troubleshooting for a "have you tried turning it off and on again" solution.
I feel great about my competence after this.2 -
Hang on... If online banks ask you for the n'th, m'th and p'th character of your password, they must be storing it on plaintext! WTF? I don't even understand why they do that in the first place.12
-
Currently working in a virtual Linux machine running on a Windows host. The Linux VM is running i3 and I just locked the host for the umpteenth time because my dumbass pressed Win-L to switch one Window to the right...
Also, while typing out the tags, I got the tag-suggestion 'my password is as weak as my mental state' 😂 -
"You have to change your password, because you've either just registred or your password doesn't comply with our guidelines anymore."
I've not made my account recently.
The question beeing: How can they know if they "should" decently hash it? 👿
9 -
I've been informed that through some level of recognition and certification, today is "Password Day," seemingly in an attempt to encourage people to have strong passwords. I will do my part and say that if you're not using a password manager, you have missed out on years of your life.10
-
What's a good password manager for Linux?
A few (optional) conditions (in order of preference):
1. It's free
2. It supports ssh, gpg, etc.
3. It has a GUI (a nice one with gtk/qt support)
4. It's (properly) secure
5. It has FIDO U2FA support (i.e. supports physical security keys like Yubikey or Solo)
6. It has a browser extension
7. It's compatible/non-conflicting with gnome-keyring17 -
What the heck kinda password rules are these? Getting away from this credit union as soon as possible...
8 -
Don't you just hate *silly* password restrictions? Surely there is a very limited number of possibile passwords
On top of this their "password prompt" says passwords are between 6 and 10 characters...
1 -
Why do most apps have a password reset page that redirects to a mobile site ?
Why not give them a code they can enter into the app which would then show a password reset page within the app or a link which opens the page within the app.
Isn't it good practice to keep the user within the app?
Isn't it better to serve a token than serve an entire html webpage for the server.
I've been thinking about this but 90% people follow the website pattern and Idk why. Am I missing something ?
Please fill me in on it. (Even devrant uses the same pattern)5 -
Rant rant rant!
Le me subscribe to website to buy something.
Le register, email arrives immediately.
*please not my password as clear text, please not my password as clear text *
Dear customer your password is: ***
You dense motherfucker, you special bread of idiotic asshole its frigging 2017 and you send your customer password in an email!???
They frigging even have a nice banner in their website stating that they protect their customer with 128bit cryptography (sigh)
Protect me from your brain the size of a dried pea.
Le me calm down, search for a way to delete his profile. Nope no way.
Search for another shop that sells the good, nope.
Try to change my info: nope you can only change your gender...
Get mad, modify the html and send a tampered form: it submits... And fail because of a calculation on my fiscal code.
I wanna die, raise as a zombie find the developers of that website kill them and then discard their heads because not even an hungry zombie would use that brains for something.1 -
Great news, I just lost my email account's password. The password is in password manager but apparently, when I was changing it, I did something wrong. Now, neither the old one, nor the new one work and I can't login into my email. I didn't even change the password reset phone number to my new one! And I also forgot the recovery mailbox' password. Fucking great.
Here's the lesson: **ALWAYS** re-check your new password in your browser's private window.1 -
Ever since I started with websecurity I've noticed alot of people still use passwords such as 123456 or abcdef and so on. I mean is it really so damn hard to figure out a more complicated password like, "IDigAGrave34+" or "IFuckedBaTmanInTheAssetsi1369" (a very long but yet secure pass). Or just use any word you see around you and mix them like for example if you have a dell pc and a samsung screen, those two names are pretty easy to scramble around like, "desamllsung" and sprinkle some random characters above it. If it is so hard to remember just write it down on notes and hide somewhere or use the countless programs where u can store it. So please for the love of your own privacy, think when you create an account and do not use the same pass on every damn site you are on. Make it hard for the hackers and crackers out there. Sincerily, a concerned internet user.10
-
- i registered at ***.com (pet store) with a super secure password and then they send me a welcome email with the password in plaintext...
- well, it sucks to have pets3 -
So here I am investigating something our users are claiming. I look up which user the UserId did the change and I see not only the user but also the users password in clear text in a separate field. I thought that field was for a password hint that the user can set up, but I asked around and apparently, no... It's literally the plain text version of the password stored in the database, next to the hash of the password.
Apparently, the users were so impossible to deal with that we added that column and for users that constantly pester us about not knowing their password and not wanting to change it, we added a plaintext password field for them :D2 -
So, I apply for a job and they send me an automated email with my username....and my pasword....in plain text...I should use a different password for my applications....4
-
I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:
- apply for password reset
- get a mail
- confirm the mail
(So far, so good)
- get a mail with a new CLEAR TEXT PASSWORD
Is this the stone age!?
You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.
All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if the you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)
If a user wants to reset their password? Send them to a mail with link on where they can assign a new password.
At no point should the password ever be stored or transmitted in any other medium.5 -
I swear I get multiple emails every week from a person who's forgotten their password but instead insists our software is broken. "Account Broken, Can't Login!"
I've started just replying to these emails without even checking their accounts anymore -- or even opening up the system.
I'll say, "I'm sorry to hear that! I've looked into your account and it should work now."
I always get a reply back "THANKS! It works great now!"
Then I facepalm.
1 -
I've just bought 3 months sky ticket...
THEY ONLY ALLOW A 4-DIGIT NUMBERS ONLY "PASSWORD"?!?!
IN WHAT YEAR DO THEY LIVE???
AND THEY EVEN SEND IT TO YOU VIA EMAIL ALONGSIDE YOU USERNAME!
I guess their old windows server which handles their authentication would be overcharged when it'd handle real passwords.4 -
So we had to register for placements.. and the company sent email with plain text password.. and thats the password i registered with! nice!
BTW.. its one of the biggest company in IT industry globally.
2 -
Bought my first VPS, because the shared plan we are using is shit.
Spent just half an hour trying to log in, because upon registration they encouraged a strong password with simbols and everything.
But in reality a root password can only contain letters, numbers, underscore and minus sign... The fuck is wrong with you? Reducing the entropy is one thing, but really fucking up the most essential part of a VPN setup?7 -
2 things
0:considering whats happening with the Linux CoC would it be a good idea to swap back to Manjaro Linux
1:whats a good password manager that's free and can synchronize and perfectible has a desktop program6 -
Intel, wtf kind of drugs is your stupid site on?
Trying to make an account, the password requirement says "at least one special character".
Ok, no problem.
"Password format is invalid"
Wut? Hmm, maybe it doesn't like that one. Let's try one from their suggested ones.
"Password format is invalid"
WTF? The fuck is your problem?!
*reloads the page, tries again*
"Password format is invalid"
ARE YOU FUCKING RETARDED?
*adds the special at the end of the password instead of the beginning*
It works.
https://youtube.com/watch/...
And then we wonder why bugs like Meltdown and Spectre come up. These guys can't even do fucking password validation properly.
And I've just lost 30 minutes because of this shit.
FUCK! -
Just rebooted my work station during a video conference because the VPN was flaking out.
After reboot, launch Teams to get back to the meeting. The VPN credentials dialog then pops up, but IS NOT MODAL, so I end up sending my password to the group chat...
Time to change my password, I guess.3 -
Just managed to send my password in plain text to a colleague when I ment to enter it in the login box.....
Time to change my password again.....4 -
Apparently trackmania united (or trackmania in general) sends out passwords in plaintext to the user if he or she forgets it.... Fuck me. That is precisely why you use different passwords for different online logins...
-
When the login form tells me that my password is too short. The password that I've manually set in the database in my local dev environment.3
-
Just installed Linux again after the installation finished because I somehow got a typo in the password I set in the beginningof the installation.
It was just quicker than to try hacking around this problem.3 -
Interesting password recommendation here...
Translation:
- A form with to fields: Surname and password.
- Below the form is a text: "For signup please enter your name and a password (e.g. your email address). With your name and password you can change your data anytime and may get access to the memberlist."
Bonus: There is a "help"-button (outside of the cutting) which even *recommends* the use of the email-address as the password!
Extra bonus: The password field is a normal text one.
IF THE EMAIL ADDRESS HAS TO BE SUBMITTED, WHY NOT JUST ADD ANOTHER FIELD OR AT LEAST LABEL THE FIELD CORRECTLY!
Update: After this form, you get to another form, to enter you email address...
3 -
I had to create an account on a website. I used LastPass to generate a strong password. I entered it and got the following message:
"Password must be between 8 and 16 characters and must have special characters (? , ! & #) and numbers"
My password was 20 characters, me annoyed to generate a 16 character password. Filled it in and got the same error. That was it for me.
Who dafuq limits a password to 16 characters, that's fucking nothing. It did not accept all special characters, only the ones that were showed (like 5 or so).
And here comes the worst part...
It's a bank website! I had to create the most most most insecure password in history for it to work.8 -
The customer wanted me to create a password for their database. I made it the name of the software and appended b4lls.
Whenever I tell him what the password is I spell out the software with the b at the end, say "the number four", then lls. He has never repeated "oh, softwareballs", I am not sure he has noticed.1 -
Tried to log into my laptop 4 times and got wrong password. Fumed for full 5 mins before realizing that I was using password of workplace laptop.
fml2 -
That feeling when you debug the Users table in sql, which has a Password field encrypted with hash, but most of the demo users use the same Adminadmin password, so you recognize the other users password because you rembered the hash1
-
Hey does anyone know a good open source password manager? Sorry for the interruption. Keep on ranting.8
-
If I made an app where you keep password hints so you can remember the password yourself, is it fair to say the encryption is your memory?1
-
I'm thinking on getting keypass as my password manager, since it's open source, can use csv files and works on a bunch of platforms.
Does anyone has experience with using it or can recommend, in their view, some better solutions?9 -
"We only permit non-restricted, non-offensive alpha-numeric passwords..."
Does ,wnW\M@Bb;v3F(xx offend you?5 -
This kind of BS makes me mad
" - The password must have 6 digits
- It must have at most 2 repeated digits and 3 sequentials"
RIGHT, because 293417 is SO much safer than 999123
Btw, this is a phone company, so with this password you could probably have access to someone's phone number, phone records, address, and much more. WTF
1 -
So I still have my very first email account, a hotmail account as a secondary, kinda spam account.
i signed up around 2000 i guess.
someone tried to get in, i got loads of mails of failed login attempts so i wanned to go and change my pw. But because of that bastard i cant login with just pw anymore, i need my phone. THAT ACCOUNT IS 20 FUCKING YEARS OLD. I never even provided a phone.
spent the last 20 minutes providing personal details to microsoft which are probably not the ones i used for signing up anyway.
you know how careful we were whem signing up for something online back them? I probably signed up as Thomas anderson from zion...
anyway, done now and bow it will take 24h for them to review it..
all of this only to reset my forgotten pw for my epic games account for with i signed up with that mail..,
holy guacamole.. I should start to trust password managers...1 -
The most frustrating part of the "your password must be min. 8 characters long and include a number and a special character" thing is that it does not improve security.
On the contrary.
I wonder how many people in the company have the name of the city they are located in, and the current year in their password...
#newyork18 #beijing20173 -
"When you set up the new app instance, can you set an easier password for our account? No special characters or numbers"
Sure. It's not like having a strong password prevented unauthorized access in the first place. BECAUSE YOU GAVE THE FUCKING LOGIN DETAILS TO AN UNAUTHORIZED 3rd PARTY! Which incidentally is why I now have to set up a new app instance... -
So I had just finished the walkthrough with the inspector in my soon-to-be home. I was told I’d receive an email with instructions on how to download my inspection report.
A few hours passed and I received the email; it required I make an account with the service they were using to view my report... alright, whatever.
After making the account I receive another email thanking me for signing up. Then I see it, plaintext and bold letters:
Username: $myusername
Password: $mypassword
How is this even still a thing???5 -
I still don't get why Chrome won't respect the password *autocomplete="off"* attribute. For fucks sake it's my goddamn website u shit brain! Obey the fucking command!!!4
-
"Ideal" online banking:
1. Force users to change passwords often.
2. Implement possibility to login if forgot password.
3. Make it impossible to chage password if forgot one.6 -
Who actually started the reign of mixed character passwords? because seriously it sucks to have an unnecessarily complex password! Like websites and apps requesting passwords to contain Upper/Lower case letter, numeric characters and symbols without considering the average user with low memory threshold (i.e; Me).
Let's push the complaint aside and return back to the actual reason a complex password is required.
Like we already know; Passwords are made complex so it can't be easily guessed by password crackers used by hackers and the primary reason behind adding symbols and numbers in a password is simply to create a stretch for possible outcome of guesses.
Now let's take a look into the logic behind a password cracker.
To hack a password,
1) The Password Cracker will usually lookup a dictionary of passwords (This point is very necessary for any possible outcome).
2) Attempts to login multiple times with list of passwords found (In most cases successful entries are found for passwords less than 8 chars).
3) If none was successful after the end of the dictionary, the cracker formulates each password on the dictionary to match popular standards of most website (i.e; First letter uppercase, a number at the end followed by a symbol. Thanks to those websites!)
4) If any password was successful, the cracker adds them to a new dictionary called a "pattern builder list" (This gives the cracker an upper edge on that specific platform because most websites forces a specific password pattern anyway)
In comparison:
>> Mygirlfriend98##
would be cracked faster compared to
>> iloveburberryihatepeanuts
Why?
Because the former is short and follows a popular pattern.
In reality, password crackers don't specifically care about Upper-Lowercase-Number-Symbol bullshit! They care more about the length of the password, the pattern of the password and formerly used entries (either from keyloggers or from previously hacked passwords).
So the need for requesting a humanly complex password is totally unnecessary because it's a bot that is being dealt with not another human.
My devrant password is a short story of *how I met first girlfriend* Goodluck to a password cracker!9 -
Hi everyone,
One question is constantly popping in my head and I keep fighting to figure out how to answer.
So here it is:
Are you for or agains a password manager to store all your passwords?
P.S.
I am using a paid password manager, but keep asking myself is it really worth it, and am I compromising all my passwords if someone is willing to spend some time and hack my vaults. On the other hand the convenience and benefit of having all passwords in one place and also using different strong passwords for each of my accounts protects me from a weak security implementation on any third party service I use, because I am not re-using the same password everywhere.12 -
Sites requiring a maximum password length, does it mean they store the passwords in clear text?
Or what would be a plausible explanation for this stupid requirement?5 -
I want to break my win 10 password which I have forgot . I know one method of breaking the passcode by using bootable Device . Is there any other method to other than using bootable device for breaking the passcode? please suggest some technique11
-
To all websites requiring at least one upper case, one lower case, one number, one special character, 25 emoji and 49 unicorns in the password when signing up.
If you say something is required, then your regex BETTER be checking ONLY for those things. You should not have hidden requirements for passwords that users are supposed to dream about and know. Especially if it's a super time-sensitive thing that they should have opened 2 Fridays ago.
I had to pull my hair out for 20 minutes (that felt like an hour) before looking at their code and reading their regex. The regex was different from what the page said the requirements actually were. What were they even thinking? 😑
The rest of everything related to this organization uses an SSO system, why can't they just use it? Isn't the whole point of SSO to avoid a different login for every tiny part of the system?
I wonder what the other less technically inclined people using the system are doing right now. Sadly, I have no way of letting them know.
I sincerely hope the dev that made that website faces the same thing while picking a password for creating an account somewhere else and realizes what he/she did.
I really needed to let it out.
I feel much better now.
Time to take out the stress ball :)1 -
So... Apparently you can do ctrl+backspace in steam's password field and it deletes up to the last space instead of deleting the whole password... Nice.2
-
While you're typing and you remember this is not the correct password for this account but you're too lazy to backspace all that state of the art you just wrote so you just ENTER the shit out of that ¯\_(ツ)_/¯
-
- First logon on the support website
- Input pregenerated password
- Password expired
- Input new password
- Password invalid
- Try different passwords
- I realize that the suggested length of the password (8 char) is also the max length
- Input eight character password
- Password invalid
- Input the pregenerated password
- Password changed1 -
Adding noip.com to the list of services that accept more passwords for signup than for logging in. Damnit how does software even get to that point. Isn't it, like, more effort to get this wrong than to get it right?
-
Cause there's no really safe solution for that right now, finally release my favorite and verifiable secure linux password management tool for the web and as apps for iOS, Android and Windows Phone - including online synchronization, so you can access your passwords anywhere. (Web and Android first, the other platforms later).
At the moment it is still a pure gpg based Linux terminal application.2 -
I really should start using a password manager but I have no idea what one to choose, anyone have any input?
I'm thinking 1Password at the moment13 -
DevRant isnt the right place to use a easy password... Which is why i changed it from 1234 to 123456...13
-
So when it comes to password encryption in php, I've learned to use password_hash($password, PASSWORD_BCRYPT); // Blowfish
Anybody else use this? What do you php lovers like to use?3 -
Im not sure if im a good or bad person by allowing my users to set a weak password.
They get to use almost whatever they want, but it may be bruteforced easily.
I let users decide their own security on that point.5 -
My coworker cannot log in to his company email account. So I contacted the guys in charge of this by email, asking if they could help and asked whats the process now or how does this work. I assume if his email is not working, they cannot send him a password reset link.
their answer: yeah, sure, we reseted the password of the mentioned user, here is his new password5 -
ESSO Password Manager.
Prepare to cry after ESSO inputs your password in the username-field instead of the password-field the third time while your colleagues are watching...2 -
Lately, I've been working in a web security company (mainly as a Support guy).
Going through tickets, I've found one golden gem, which helped me realising how dum customers are.
Since he's our customer, we try to keep stuff up-and-running at all times. If something goes bad, we fix it, and we need their passwords for stuff.
After the customer (somehow) got hacked again, he changed the password in panic.
Note the initial password was really, really good.
He emailed us the new password for "just in case".
The password is "hard-to-guess".
What. The. Actuall. Fuck.
What's next?
Setting the password "12345", activating 2-step-authentication and sending his phone in, along with his finger so we can unlock it with touch id?2 -
$ Login: phoomparin
*types in password*
Incorrect Password.
*rushes to type user and passwd again*
Password shows in cleartext...3 -
A password strength plugin, which really encourage user to improve password strength:
http://jqueryscript.net/demo/...2 -
I changed my twitter password on web on the day they discovered the passwords in plaintext in their logs, and till today, I've not been logged out of the mobile client2
-
Am I blind, stupid or both or does DevRant not give you the possibility to change your password?....3
-
I had to change my password at work on Friday, on vacation until this coming Friday, taking bets on whether or not I lock myself out when I get back.
-
When the recruiting company mails you about new jobs along with your PASSWORD!
Dude, you have a fuckall dev and u will help me find a job... Thanks, but no thanks.
4 -
A fucking space character should never be allowed in a wifi password!!! Just spent 4 hours looking to why the fucker would not connect to find a space on the end!! Trim or show an error!!!4
-
My work network AD password has to be changed every 90 days or so and it is really getting to me now. I'm beginning to run out of passwords to use and may soon have to resort to writing them down on a piece of paper and lock it somewhere.
I get why we need to change it often. What I don't like is the stupid validation rules AD uses to check passwords. It doesn't allow variations and you have to use something completely new.
I have only been in the job for about 8 months and I have had a nightmare experience updating my password recently as the synchronisation failed and I was locked out of my accounts for a day or 2 rendering my useless and having to call support for help.
How the he'll am I supposed to remember my passwords when I have to change them that often!!!18 -
Because of the current debate I'm starting to get more into all the cyber security and privacy stuff.
So now I am searching for a password manager.
Do you have any recommendations for me?
Or maybe some additional tools I really need to use?
(Got PGP for mail, signal as my new messenger, a vpn and tor for now)4 -
Would it be clever to use a password manager with randomized passwords and also store them in chrome's password vault?
I mean it's less secure, yes, but should something bad really happen I can just change the password and this would be a good upgrade in terms of user experience
What do you guys think?16 -
Just wanted to buy a gift for my gf, so I went to birchbox.fr to buy her a 3 months subscription (irrelevant information).
So of course I needed to create an accout in order to buy it.
But what a surprise when I received a confirmation email, with my password in PLAIN TEXT inside. I guess I do really love her for not cancelling the gift and deleting my account immediately. -
It's time to reset all my passwords. Got the second Facebook password reset email this month and now even from Microsoft they doesn't even have the same email-pass pair...
And fucking Facebook doesn't tell anything about the reset attempt. Not even a fucking ip address.1 -
Had to factory reset my phone as I added a pattern password. I used that password all day and right I as am getting ready for bed, I FORGET IT!! Stupid me did not put on USB debugging and I am like... Seriously!!1
-
Is it posible to change your devrant password? If yes where? Cause i cant find it (on phone or desktop)15
-
* Stay without password for 1 month*
CHALLENGE ACCEPTED:
Install Linux, installed i3 wm and changed all mappings to custom ones.
#thuglife -
Fuck you Linux! I thought user password validation would be a piece of cake, like bash one liner. How wrong could I be!
Yeah, it's already ugly to grep hash and salt from /etc/shadow, but I could accept that. But then give me a friggin' tool to generate the hash. And of course the distro I chose has the wrong makepswd, OpenSSL is too old to have the new SHA-512 built in, as it should be a minimal installation I don't want to use perl or python...
And the stupid crypto function that would do me the job is even included in glibc. So it's only one line of C-code to give me all I want, but there is no package that would provide me this dull binary? Instead I will have to compile it myself and then again remove the compiler to keep image small?9 -
When any rants I write, I need to put in my Password managers' "Secure Note" section because I can't post here for them becoming public.
Pfrtt! xD6 -
Not super ranty but what I’m interested in how passwords are managed in your organisation?
I feel dirty receiving passwords through slack and having a spreadsheet on a shared drive seems like madness.
I’ve worked at organisations before that have a single login to a password manager. However theoretically I still have access to that as no one would have changed the password.
Organisational password manager softwares are really expensive!14 -
First run of an import procedure in the production environment.
Spent all morning with an "Unsupported media type" error.
Finds out that the provided password was wrong and that the Webservice always return that message when there's an error.
Any type of error... -
So... there is a bank. And the website for example is using "https". Alright. But the Login consists your login ID (in the most cases your account number) and a Pin number ( only 5 chars) If i remember pentesting, crunch etc a pin or password with 5 chars (included special characters) is fast hackable or not? Or is it super secure cuz of the "https"?4
-
Its been awhile since I opened up my Server VM to play around with. Until when I had to login to my DB VMs, I forgot the password. And forgot to save them into my password manager. Whelp, perfect for me to go back to square 1.1
-
My first #hack is that I once opened my friends account on my computer using the Google recovery question which he kept as his favorite sport . Once in I changed the password and informed him that his account was hacked..lol you should see his face .later I told him he put his recovery question to be hard to be guessed ....lol I think he learnt the lesson the hard way...well after that I got to know about internet ethical rules and there ends the matter
-
Let's play a game.
Theme: Security awareness - grey-hat style.
How to play:
Post the name of the site followed by actual bad-password restrictions of well-known companies in the comments.
If no-one beats me to it, I plan to share some of the more alarming ones(or all) on a twitter and tag the relative companies as well as various security enthusiasts.4 -
Someone earlier today posted a rant about a credit card security conference sending them account details with a plain text password in an email. The password appeared to be 1 use temporary password that the user would change on first login. Assuming one does not actually store plain text passwords, what is the downside to a single use password Vs a single use link to set a new password?1
-
People who delete their entire password from the inputfield when they make a typo suck.
People who mumble their password while typing it, like someone who came to the helpdesk today, are braindead and should not ever use a computer.8 -
How do i change my devrant password?
Not to mention that it's still not possible to change username/email on the desktop version.3 -
!rant && askDevRantDevs()
I can't find a way to change my password. Am I just too blind or too tired ? (ofc I'm tired, stupid question)5 -
Soooo how does one manually change password here on devrant? Is the "forgot password" workaround the only way, or am I missing a hidden "change your password" button?1
-
Whenever a site tells me the password I entered has already been used? I mean how are you supposed to know if you are salting and hashing the password.. Oh wait you probably just save it in plain text!! Please don't!!7
-
Can anyone recommend a good password manager that is 'in the cloud', can be used on my mobile and makes life easy for logging into apps on my phone that aren't logged in via a browser. Ideally something free but I'm willing to pay for something that is worth it10
-
I can't recall what platform it was, but upon trying to change my password it would tell me that the new password was too similar to the previous one... :/1
-
What's harder than trying to name a variable is to think of a memorable but easy to type password to a system that resets expires every 3 months with history checks.2
Top Tags
Weekly Rant
View