Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuck
Buy Now
-
Creating a new account is always fun...
"This Is My Secure Password" <-- Sorry, no spaces allowed.
"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number
"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character
"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed
"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed
"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters
"Fuck" <-- Sorry, passwords must longer than 6 characters
"Fuck_it" <-- Sorry, passwords can't contain bad language
"Password_1" <-- Accepted.25 -
"your password must contain a capital letter, two numbers, a symbol, an inspiring message, CV, a gang sign, a dragon blood"
7 -
This project manager, man....
> Sends email to a client "Dear Ms X, here's your password for the Jira board: [...] Please handle it with care and keep it secret."
> Email goes out to 5 people.
6 -
When you are resetting your password and the website emails you your current password in plaintext. 🤦5
-
My last school used my SSN as the default account password.
Just to test, I used the “forgot password” functionality, and they sent me my SSN over clear text.
As a developer, I see that as 2 mortal sins 😡12 -
Today I discovered by myself that...
...in a shell...
...when entering a password (e.g. ssh)...
...and you make a typo... 🤦♂️
...you don't need to smack that backspace key like a maniac! You can just use the clear line shortcut: control+U (^U). This clears all input to the left of your cursor and this also works for passwords.20 -
Google: Don't use a password from another site, or something too obvious like your pet's name.
Me: 5f4dcc3b5aa765d61d8327deb882cf9918 -
Nothing says, it will be an awesome day when you receive your password, from India's largest and most know financial website, in plain text.
Because fuck you and fuck your security.
Fight me bitches.
57 -
Trying to login...
"Sorry your password is expired. You have to change the password every 60 days".
«Oooh, c'mon...» Inserting a new password...
"The password must contain at least 1 lowercase letter, 1 uppercase letter, 2 numbers and 1 non-alphanumeric character.
«Please, fuck off and die...» Typing again and eventually entering to private area...
My phone vibrate, there is a new SMS: "Your new password is H0lySh1t!"
WTF. Are you serious?14 -
1. Create user on website.
2. Receives mail with username and password.
3. Changes password.
4. Receives mail with new password.
5. Delete account and look for another service.3 -
- Password can't contain less than 3 chars
- Password can't contain more than 12 chars
- Password must contain only alphabetical and numerical chars
- Password must contain at least one uppercase letter
- Password can't contain a sequence of repetitive chars
- You already used this password in the past
- Password can't contain parts of passwords already used in the past
- Password can't contain your name, birthday or any other personal information
- Password can't be an anagram
- This password is too weak
"Remember that you have to update your password every 6 months".
Who the fuck has enough imagination to invent a new password that meets all these requirements every fucking 6 months?
And if so, how the fuck you can also remember it?
Fuck off… I don't really need access to my university account, right? 😡23 -
My boss wrote the password to access the office on his whiteboard, which you could see from outside of the building.3
-
Q: What's your WiFi password?
A: It's fourwordsalluppercase, one word all lowercase.
http://youtu.be/bLE7zsJk4AI2 -
"The password must be 6 to 32 characters long and must contain atleast one uppercase character, one lowercase character, a special character, the md5 hash of your last name, a dried olive branch and the blood of a unicorn."6
-
Guy: I don't trust password managers
Me: so how do you remember passwords?
Guy: oh, I just keep them in a note in the iPhone notes app/iCloud.12 -
Even though I'm a web developer I work in a very small IT department, which includes just me and my colleague.
Yesterday we got a pretty usual request. Someone forgot the password to an excel file. We already started a brute force attack, but we had some fun going through the worst passwords we ever stubbled over in our carrier.
He was like:"Maybe it's just his name?"
Me: "Oooh or maybe it's just the brand and 123?"
We laughed a lot. Not really considering we could crack this "important" file.
But it really worked out. The password was the brand of the business unit and "2017".
I've sent everthing back to the user, telling him exactly how we cracked it... His answer was:"Oh yeah! I knew it was something easy, so me and x could remember it easily!"
...
Why do you forgive easy passwords anyway? If I can crack it within 5 minutes... Everyone can! ...
And if you do it to "remember it easily"? Why the fuck don't you remember it?4 -
You, stupid fucking game, have just sent me my new password in plain text via email?
"the password is encrypted and cannot be sent again"???
So… you send the password in plain text, and only then encrypt it, right?
But it's still in plain text in your email logs, fucking bastards.
11 -
*enters password*
*misspells a letter*
*OMG BACKSPACE! BACKSPACE!*
*retypes whole password again* 😂😂7 -
So according to some reddit user IKEA sends your password as a GET parameter in plain text.
https://reddit.com/r/CrappyDesign/...
Seems to be a network authentication thingy, but still 🤔
35 -
First rant, please take pity on the noob! 😐
Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫
Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...
... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.
So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.
Makes you consider the amount of control these big companies have over your life 😶16 -
This lady was screen sharing during a meeting. At the GUI login for her Linux box, she accidentally typed in her password for the username. In front of 50 people, she showed everyone her password was "Tittays69" 😂4
-
Other guy: Hello! I need your help! I don't have my password for my gmail ! Help!
Me: Okay, ... (proceed to guide him where to recover the passwords), Now enter you email in.
Other guy: Well i don't remember it either, Help me get my email.
Me: ...
Fml7 -
Set up an account at Wells Fargo today and they told me the password requirements... This is a joke right?
12 -
My git password is only muscle memory at this point.
If I accidentally try to think about what I'm typing I end locking myself out for the rest of the day.5 -
My insurance company sending me the payment slip by post with my username and password to the online account for easy access. How sweet of them. 10/10 customer satisfaction.
I see your "Storing passwords in plain text". I raise you to "sending passwords via post in plain text".
17 -
If I were in charge of the company's upcoming-required-password-change notification system, during the month of October users wouldn't get an email.
Instead, the phone would ring.
When they answer, at first there'd just be hissing and crackling.
Then after a few seconds, a kid's voice would whisper,
"Three daysss..."3 -
Created webmoney account with password lenght of 81 character
Tried to login to my account
Password lenght cannot be more than 60 character
Now i have to reset my password to b e able to access it7 -
I am currently at vacation and staying at a campsite.
There is a WLAN called 'Seecamping1'.
Well I had to try cracking their password...
First attempt: The name of the WLAN, didn't work.
Second attempt: 1234567890
...
Guess what.
It worked lol8 -
I now know another person's password without even wanting to.
He was sitting in the row in front of me, logging into our course page and then *brrrrraaaaapppp* - ran his index finger along the top number row and hit enter.
1234567890
I don't even know what to say.13 -
So this just happened with my ISP, i have no words...
The fact you have my password in front of you in plain text is fucking terrifying and i know you do because i used to work for an ISP.
11 -
I imagine those researcher must be like : "Would you give us your password? It's for a research project"
3 -
So my neighbor needed my help with her notebook. She said she has to provide a new password everytime she logs in. I asked her to log in in front of my eyes. She entered her password and clicked "forgot password" instead of "login" 😐
Did you ever hear of "return" ?4 -
That awkward moment when you are focused on talking to a friend, and you realize that you wrote your password in the wrong field9
-
Walking up to my computer, on autopilot i typed my password to unlock it, pressed enter ...aaand realised it was unlocked and I just sent my password in the clients general slack channel.
Quickly changed it to a smiley and pretended it was raining..
Any one else who mistakenly typed a password or other secrets in a slack channel or similar? XD
11 -
My brother singed up for a browser game.... They sent him his log data (including password) via email7
-
Girlfriend: There are so many passwords to remember, man. What's my amazon password, baby?
Me: Just use a password manager?
Girlfriend: That sort of thing exists?13 -
Once I had to do a 'hands on' pair programming session for a position I applied for... Together with the lead dev we would switch coding every 15 minutes It was somewhat of a horror story...
The assignment was to implement an password reset flow, connecting it to the api and then handling the entire password reset flow, in Angular becahs ye know has to be Angular...
After drafting the ui and setting up the click events, I wanted to hookup the api calls, but then it was time to switch around...
The fucktard dev first started to adjust my classmappings to be more in line with his preference, without touching the css classnames... Ok... Micro managing ... Check...
So after breaking the styles, he wrote the fetches to the api endpoints and that was his 15 minutes of shame...
I continued only to find out the endpoints we were using had errors in them and would not return anything workable...
The dev said he'd tested the endpoint before and it worked, but clearly it didn't...
After about an hour of going back and forth trying to get this to work he got a call from a client because server was down (surprise), he excused himself and had to prioritize on this, running out and leaving me there for the remaining morning ...
I just sat there waiting for the HR checkout talk, only to lean towards rejecting the position...
Fucking waste of time, and in the end the feedback was they doubted MY TECHNICAL SKILLS ... And wouldn't make me an offer 😂👍 nice story bro...
K THX BAI!7 -
This was typical for me:
Yesterday evening I was installing a webserver on my Raspberry Pi for experiments with WordPress. I began some days ago, but I had to stop because the downloads took at least to long.
So I started to logi in:
Username: Raspberry
Password: Pi
-> False Password
Wondering why it is not working a tried again. Same result. After some time I remembered that I changed my password.
Username: Raspberry
Password: Ih4G2tgY*
-> false password
*example
Tried again. Still false password. Then I remembered, that I used my another standard password.
Username: Raspberry
Password: U2gra94hY*
-> false password
After that I felt a mix of angry and helplessness. After some other failed attempts I gave up.
I formatted the SD-Card and installed Raspian again.I started my Pi
Username: Raspberry
Password: Pi
-> false password
My thought: WTF, why does this not work!!
This was the moment when I got the brainwave that the Username wasn't Raspberry, it's Pi.
Username: Pi
Password: Raspberry
-> access
Then I hated myself.9 -
Customer: «We want all the users belonging to this organization share the same username and password»
[Editor's note: we are talking about 500 users, more or less half of the total in the system]
Customer, after some minutes: «It's very important for us having the web interface using HTTPS, because we care security a lot».
So, please, go fuck yourself. And die.6 -
My dad got a job at TD (bank)
We where talking about their computers and stuff. Then we started talking about passwords.
Keeping in mind that this is a bank....
Here is their password rule:
6-12 char long
All lower case
Only letters and numbers
(Passwords are stored on a legacy system)
Why?
Why should I trust that bank??
And also.. how do they expect to be extremely secure??10 -
Aww SwiftKey, after two letters youre suggesting the right password, that's so nice of you...
Wait a minute... WHY DO YOU EVEN KNOW THAT?
You're not a password manager and you don't do that with other passwords, what's wrong with you?4 -
Really!? WTF would you even write a confirmation message reminding me to contact the admin if I didn't request my password change on this screen!?!? Of course I wanted my password changed, I just entered my new password. That type of crap is what you should e-mail me AFTER my password changes.
2 -
"please use a secure password*"
* But don't make it too secure, 20 Charakters is enough.
Why would you fucking do this? The only reason I can think about is a scenario like this:
"How do we store the passwords in the database?"
"Just like anything else?"
"So I create a VARCHAR(20)?"
"Yeah why not? It's good enough for a name, and you shouldn't use your or anyone else's name as a password, so it should be perfect"10 -
Registered for a job application website and on profile page I see my password in clear type! ...
Time to change password to an easy one and remove profile as fast as possible...
Story goes on: changed password which included a special char successfully.
Tried to remove the account but was told password has invalid chars.
Logged off to see if the password still works. Can't login anymore...
Instant rant mail to admit.9 -
The last startup I worked at didn't give us the WiFi password because they "didn't want people to get distracted by unnecessarily using internet on their phones". Little did they know that making a hotspot from a laptop is totally a thing...5
-
Translation: “The Password is to long. Please choose a Password that is not longer than 12 Characters.”
Oh, and the Password can only contain Letters and numbers 🙃
15 -
TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."
Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!7 -
So I thought I will set up a PIN to make logging into the corporate PC easier. Hm... based on these requirements I can probably stick with password.
12 -
Switched banks, got new e-banking, unable to set up a new password.
It contains invalid characters.
IT'S A FUCKING BANK ACCOUNT I SHOULD BE ABLE TO USE HASHTAGS OR EVEN HAVE FUCKING SPACES IN IT IF I FEEL LIKE IT.7 -
public String getDbPasswd(){
try{
String dbPasswd = SomeInhouseEncryptionLib.getPasswd("/hard/coded/path/to/key");
return dbPasswd;
} catch(Exception e){
LOGGER.log(Level.SEVERE,e)
return "the-actual-password";
}
return null;
}
And this is now in production
FML4 -
This alert popped up today while I was registering for a library ID at a local university (Bielefeld, Germany). This is what it reads:
“Your current password does not meet our guidelines. It has to be exactly 8 characters long; at least one character of the first six characters has to be a letter. The use of special characters is explicitly recommended (the following special characters are forbidden: [some characters]).
For more info, please read our guidelines for basic IT security.”
Wtf? The password has to be EXACTLY 8 CHARS LONG? WHAT STINKING MOTHERFUCKING COCKNUGGET CAME UP WITH THAT BULLSHIT?!
16 -
Client: why do I have to use such a hard password for this website?
Me: For security reasons to protect your content and identity of your clients.
Client: Can't you just use the password that I'm used to? I use it on my banking software, and I've never been hacked so it should be good enough for you!
Me: what's the password that you want me to set up for you?
Client: you ready to take it down?
Me: go ahead.
Client: T ... U ... R ... D. You got that?
Me: ... Yes ...
*sigh*5 -
...when users create a ticket or call support because they forgot their password. Even though there is a big 'forgot your password?'-button right below the login form.
I always wonder if they also call Google or Facebook when they forget their password on those accounts...2 -
My mobile provider doesn't allow me to set a password that contains any other symbol than letters and numbers for the website where you can look at how much data you consumed (and can order new data, change plans, etc.). Are you kidding me. This is making shit insecure, you fucks!17
-
What. The. Actual. Fuck.
My co-workers just tried to convince me that the following is a secure password:
"ThisIsASecurePassword2018"
Just... I mean... Why? *sigh*
Their argumentation is based on the new NIST guidelines.
If they've read these guidelines CAREFULLY though... (not only the appendix) it actually states "Don't use words from the dictionary". Passwords like these should even be rejected right away.15 -
I bought flowers for my date. Online.
When I registered, the website send me via email my 30 character long password.
😥
So I try "forgot password". The genius website sent me, guess what, my 30 character long password...
For fuck sakes!!!! You had one job.... Hash the fucking password!!!!
I'm afraid these people will probably get hacked soon (murphy law).
Sha256.. Guys please...12 -
Taking IT classes in college. The school bought us all lynda and office365 accounts but we can't use them because the classroom's network has been severed from the Active Directory server that holds our credentials. Because "hackers." (The non-IT classrooms don't have this problem, but they also don't need lynda accounts. What gives?)
So, I got bored, and irritated, so I decided to see just how secure the classroom really was.
It wasn't.
So I created a text file with the following rant and put it on the desktop of the "locked" admin account. Cheers. :)
1. don't make a show of "beefing up security" because that only makes people curious.
I'm referring of course to isolating the network. This wouldn't be a problem except:
2. don't restrict the good guys. only the bad guys.
I can't access resources for THIS CLASS that I use in THIS CLASS. That's a hassle.
It also gives me legitimate motivation to try to break your security.
3. don't secure it if you don't care. that is ALSO a hassle.
I know you don't care because you left secure boot off, no BIOS password, and nothing
stopping someone from using a different OS with fewer restrictions, or USB tethering,
or some sort malware, probably, in addition to security practices that are
wildly inconsistent, which leads me to the final and largest grievance:
4. don't give admin priveledges to an account without a password.
seriously. why would you do this? I don't understand.
you at least bothered to secure the accounts that don't even matter,
albeit with weak and publicly known passwords (that are the same on all machines),
but then you went and left the LEAST secure account with the MOST priveledges?
I could understand if it were just a single-user machine. Auto login as admin.
Lots of people do that and have a reason for it. But... no. I just... why?
anyway, don't worry, all I did was install python so I could play with scripting
during class. if that bothers you, trust me, you have much bigger problems.
I mean you no malice. just trying to help.
For real. Don't kick me out of school for being helpful. That would be unproductive.
Plus, maybe I'd be a good candidate for your cybersec track. haven't decided yet.
-- a guy who isn't very good at this and didn't have to be
have a nice day <3
oh, and I fixed the clock. you're welcome.2 -
Was looking through the most used passwords list (the one that had 'removed my password from lists...'). 'password' is like one of the top one, and then 'PASSWORD' is 810th !?!?!?! At least it's before hentai...
8 -
Currently making a brute force password cracker for work to demonstrate why we should have longer passwords because apparently few people do.
There are going to be some scared people.18 -
A colleague asked the boss to add a password to the company password manager so we could access it securely. She replied to the message with the password. We're doomed.1
-
When I see two fields, one for username and one for password, I expect I can fill them out immediately subsequently with only a tab in between. While typing my password I DON'T want to get sent to a page where I can enter my password only: I was entering it already! Sometimes I even make it until I pressed the enter key that was supposed to log me in, but then I'm kindly requested to reenter my password. At that moment I not-so-kindly think: FUCK YOU Microsoft, you should know better. Even when logging into Visual Studio for fack sake3
-
When you're at a friend's house and they say they just changed their Wi-Fi password to 192837465. She was confused why I was laughing.11
-
TIL how to enable "insults" on the terminal. So every time I type my password wrong it insults me :D5
-
I know i know, its an old story.
but.
FUCK YOU AND YOUR STUPID PASSWORD REQUIREMENTS
NO SPECIAL CHARACTERS WONT MAKE IT SAFER
FFS. JUST SAY IT HAS TO BE 20 CHARACTERS AND BE DONE WITH IT
15 -
Tldr; make sure what you study is relevant to the field and you enjoy it otherwise don't waste your time.
BTW: devrant is awesome it gets me through the day.
So I am almost 3/4ths through a master's in cs and I am contemplating why I went to school in the first place/dropping out.
My program is basically an extension of the bs I got from the same school meaning we learn very general cs topics. There is only one ai class for example.
I had a junior developer position before I even got my bs so now that I am this far along and looking at job openings I'm wondering what why and how my school is able to get away with teaching us this shit.
After all my schooling I learnt more on my own and through Google. I have little to show for my school work other than a degree that says I did a bunch of busy work. And the specific things that I did learn I will never ever remember. Seriously. Who here knows what a MIB and OID are and have actually used them?
I wish I tried harder to get into a school like Berkeley but just looking at their applications is depressing. I always had issues with school and they expect my to have the grades, extra curriculars and other shit. I'll build you a robot or make you a website but I'm not doing that nonsense.
And then there's Google and apple and all these big tech companies expecting me to have written full Enterprise software and know every single algorithm and programming language because everyone uses something different. Sure I wish I had experience in all 50 languages that are popular right now but I don't. And I'm not gonna learn it from school that's for damn sure.
Who here actually went to a good school and can say it helped them in the real world? How many employers actually care about school over actual experience?
Who knows how to burn a school down and get away with it? Or at least make teachers with Phds stop reading off slides all lecture. I know how to fucking read for fucks sake. Not too mention they use shitty software made in 2003 that's no longer supported. And I could go on about the teacher last quarter who graded the midterm on final day while he flirted with the 3 girls in class. And I could go on and on and on but I feel like I need to start being productive so I don't waste away.
Just so done.4 -
This is just priceless. I submitted my thesis to an academic congress, which sent me this confirmation email. They are so 'concerned about security' that they assured me the email is legitimate by including MY PASSWORD.
3 -
Got a new eval board. It came in with a stock firmware, had its own IP and naturally its own webGUI. I wanted to check what was under the hood. So I SSH'd in to the device, and was prompted to enter the username. There weren't any specs or documentation.
*Hmm, let's try root*
User: root
Password: *Eh? Well, what the heck* admin
.
.
.
root@evalboard#
Muhahaha!!! Meet your hacker, eval board!4 -
Ladies and gentleman, I've done it.
Remove your hacker game trophies from your wall.
That nasty bug you fixed a couple of nights ago? Meh.
Your top devRant post? You'll delete it after reading this.
Every awesome accomplishment you can think of: it all means shit now.
>> I have SUCCESSFULLY changed my business Microsoft account password into something I can remember AND Microsoft accepted it in under an hour of trying!!!!! <<
I want to say a big FUCK YOU to MICROSOFT for WASTING MY BLOODY TIME.
FUCK YOU for giving me a max of 16 characters. DASB&(*(&G*HH*& for telling me every time my password is 100% strength and then after every submit tell me I have to change it AGAIN because it should be harder to guess. WUT?! It was 16 characters including a (capital) letter, number and multiple special characters, WHAT ELSE DO YOU WANT FROM ME?! UNICODE EMOJI'S???!!! ALLOW ME TO USE MORE CHARACTERS SO I WILL MAKE IT HARDER TO GUESS IT, IT'S 2018 FFS.
I don't even understand why my new password is accepted compared to the other one, but fuck it I can access my account again.
Now I might have to find a new job before the company password policy kicks in again.
/me drops everything and walks out of the office to get wasted (not sure if celebrating or just really pissed off)9 -
Once upon a time, in a proprietary e-commerce framework used by few hundred sites...
I just took over a project where the previous developer stored password in two separate fields.
password & password_visible
First was encrypted and used for authentication. Second was plaintext password and was shown in the admin panel.
Hope to meet this god someday, I'd sure ask why the hell did he use encrypted password for authentication anyway. 😂3 -
So, among the ridiculously long list of password requirements, password is not case sensitive BUT it has to contain uppercase and lowercase letters?
15 -
Just enrolled for uni and…. they email back my password in clear text…
Translation: "... using the secret access keys", yeah secret my ass, and they send you the password even when you change it so what's the point in letting me choose the password, just send me one i can't change.
Luckly it's computer science or else it could have been worse 🤔
13 -
So our teacher just has us sign up for a learning site called Gizmos with a ton of students information. A lot of students forgot their password as always and some didn't register with an email so I expected the teacher to reset them..
Then the teacher had students come up to the front of the f****** class and SHOWED THEM THEIR PASSWORD IN PLAIN TEXT. WHAT THE HELL4 -
A well known, big company in my country just sent me my password in plain text upon registering.
These devs actually got paid to do this...6 -
Hacked the admin password of our high school network back in the day. Spent all our subsequent IT classes dicking around and then rebooting all PCs in the room with a maintenance message, and said "aww man, we hadn't saved our work!"
We also kept rebooting our friend's computer and at one point he put it down to the admin not liking him, so the next time we did it with the message "I don't like you very much. Love, the admin".
Childish as hell but hey, we were kids and it was hilarious at the time.
We still use the password for stuff to this day! k33pm3saf3 - and no, it isn't my devRant password.
We also had full access to the school's security cameras as the password was still "password".2 -
I forgot my password to [SITE]. Of course, I click "forgot password", and enter my email, which I did remember. Fairly routine "ah shit we have a problem" steps.
Now, it takes a second. This is to be expected. So I'm not worried. I then get the email and...
Now, you will notice that I redacted some information, like the company name, email, and my PLAIN TEXT PASSWORD, and my name.
I would like to note that this isn't a small, very local company that's new (even then it'd be unacceptable), but this is a multinational, multimillion dollar company.
How'd someone fuck up THIS badly?
13 -
Microsoft seriously hates security, first they do enforce an numer, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen to often, gee thanks for the brute force tips.
To add insult to injury the first displayed "tip" take a look at the attached image.
16 -
Thanks to mandatory password change, today:
- My windows account got locked because my phone kept logging into wifi using
old password.
- Google Hangouts were silently running in background with old session until I re-opened it. Work of others delayed by 4 hours due to missing message notifications.
- Docker for Windows lost credentials needed to use SMB mounts - 1h of debugging why my containers mount empty folders ( now I will know)
- Google G-Sync for Outlook asked for new password on outlook restart - few mails delayed.
All of that for sake of security that could be easily solved with 2FA instead, not faking that "I do not change number at the end of my password" -
Google has a password reset procedure so intense, that even if I can sign into my recovery account and give them the code from there, use 2 factor auth and give them the code from there, tell them my recovery phone(s) number(s), give them my mother's father's mother's late cousin twice removed daughter's maiden name, and whatever other security measures were set in place, I can't get a fucking password reset. Thanks Google, fuck you.3
-
Just stumbled across this gem last night. You guys know how biggest online games site in my country (also backed up by largest ISP) handles reset password requests?
After clicking "Forgot password", it asks you to login to Gmail (cause everyone is assumed to have and use one, right?) and then opens "New Email" window prefilled with some template data which you're expected to finish (in screenshot below).
And I just wanted to play some Ludo with my friends.. 🙄🙈
2 -
So they want me to remove the system that prevents users from registering with passwords that have been leaked online, because “its too much effort for new user to come up with a new password instead of using a same one everywhere and they might give up registering”
Giving up security for convince doesn’t usually end well, does it,10 -
Long story short: University fucked up single sign on.
For every online service I have, I set a different password, randomly generated ~ 20 characters long. At our university we have multiple systems but they offer a single sign on service which is quite nice because it is so non-transparent which service now uses which authorization. I changed my password a while ago and around the same time they also updated our mail client. Since then I am not able to log in which is not a big deal for me because I have mail forwarding.
Yesterday however I needed another service and also got rejected with my password. I knew from a friend that the passwords are fucked up and that some services have different restrictions (only 12 chars max.), so I decided to search how to reset my password. What the fuck was wrong with these people? It takes you five different pages to get the tiniest bit of information how to reset the password. Then on one page you can login with your single sign on and change the password. On that page you can also set the single sign on password, but if you enter an invalid password (in respect of the the other services) guess what? No feedback that you just locked yourself out of half the systems. Nice job. Also the password requirements are not next to the input fields where you change the password. Noo. That would be way to easy, remember the little small one line on the wall of text three pages ago? There you go.
Ok step one done. Now it should work, shouldn't it? Ohh no not so fast. One needs to activate the seperate service. Where you ask? Perfectly fine question. On the top of page four is a fucking one line table which looks like some five year old had some fun in excel. The button which takes you to the activation page is nearly invisible because of the non existing contrast. Also it is not a button but some arrow pointer thingy. Behind set arrow you have a page listing all differnt kinds of services, the description which you find on page two btw. No padding to decipher this shit what so ever. Nearly on the bottom is your needed button. Yes finally.
Finally I want to login, no good. Try again. Still no good. Go back to the fucked up excel table look at my username and think to myself what's the difference here? The table is so small and again no margin or padding. Apparently they cut of the last character of my normal username which i have which is fucking ridiculous.
What is wrong with you people, we are a TECHNICAL UNIVERSITY, is it so hard for you to find someone decend to unify this shit?2 -
half day gone try to find or remember the password of some SSL/key/encrypt/crt/shit/whatever.
Blaming myself for hours, how could I not save the password somewhere?
#Enter Password:
(I pressed enter, no password).
it works.
I love IT security1 -
Creating username / password first time - checked
Storing password in plaintext - checked
Messaging password in plain text after a password change - whaaattt????
7 -
Thank you, dear 3rd party vendor replying to my ticket to my work email and sending me my new password IN FUCKING PLAINTEXT!
12 -
Well, my best friend passed away last week, he was 19 years old, a techie and a plane hobbyist, today, his mom called me and asked for help recovering his password on his windows 10 laptop
im going there tomorrow with my full arsenal of equipment required, do you have any suggestions what could be usefull?13 -
WTF is wrong with these Govt websites...!!!
Trying to login
"Password is incorrect"
Clicked on reset password,
Now guess what happened next...
They said,
.
ENTER YOUR CURRENT PASSWORD!!!1 -
Everyone here deserves the worst.
No, really, you all deserve those dark juicy stories. So here's why I hate password systems that don't have the user experience in mind.
Recently my university went under a huge update, most of it good, but this is DevRant, so let me tell you what's just the worst.
They asked me to change my password, they do this every month or two. So I did it, but as I clicked "Ok" a wild error appeared! It told me I had to use a password that was not one of the FIFTEEN that I'd used previously...
I tried everything, and despite everything else being poorly programmed, or what not, I thought it would be easy to spoof. Nope. Unfortunately this seems to be the ONE thing they did right. Looks like I'll have to go back to basics. Just add a number on the end of my previous password, up to fifteen, and reset :]
I think this rant needs to turn into an email headed straight to them :)4 -
...sincerely?
FUCK YOUR PASSWORDS
FUCK YOUR PASSWORD REQUIREMENTS.
FUCK YOU thinking you are the most important site in the universe so of course everyone will remember their password mangled beyond the original intention/recognition by your idiotic requirements!
I want to have an insecure password? MY PROBLEM.
I want to have the same password everywhere so I don't have to go through the idiotic "forgot my password" dance each time I try to login into your page? MY PROBLEM!
You're not the most important site in the universe.
I'm getting seriously fed up with this idea in general.
WHAT THE FUCK. Why did nobody come up with nothing better yet?
And the password storages and autocompletions don't count, that's a plaster on top of idiotic paradigm, nothing else.
...how is there nothing more sensible, still, after 18+ years?5 -
So, I just created an account on a premium objective information website. It basically sells access to several articles on laws and general "financial relevant subjects". It is important for my work and they have pretty strict password requirements, with minimum: 18 characters length, 2 HC, 2 LC, 2 special, 2 numbers.
Without thinking twice, openned Keepass and generated a 64 length password, used it, saved it. All's good. They then unlocked my access and... wrong password. I try again... wrong password.
Thinking to myself: "No, it can't be that, maybe I only copied a portion of the password or something, let me check on CopyQ to see what password I actually used."
Nope, the password is indeed correct.
Copy the first 32 characters of the password, try it... it works...
yeah, they limit password length to 32 characters and do not mention it anywhere ... and allow you to use whatever length you want... "Just truncate it, its fine"1 -
1. A login window or form appears
2. Enter username
3. Enter p-
4. Another application STEALS THE FUCKING FOCUS
5. Enter half of the (or the whole) password in the app that stealed the focus and press Enter by mere inertia
Or this variant:
4. The username field gets autofocused
5. Enter the password in the username field, out in the clear for everyone to see
DON'T YOU STEAL ME FOCKING FOCUS MATE3 -
If your site only supports alpha numeric characters in my password. You should tell me that when I reset my password rather than just killing the special characters out of the string and submitting my password like that. I spent 15 minutes trying to log in before I gave up and reset it to something simple.
Also, you should let me use special characters in my password, it's 2017.8 -
Damn it gitpush focus when type the damn password!! I locked my self out of my server again 😭
Time to visit the portal and login 😒6 -
I'm tasked with hacking a million dollar production machine and all the PLCs have the same password for the root user, which also happens to be the name of the company producing this shit....5
-
I don't understand how is possible that programmers today are developing applications that are storing plain password in the database.
I know it's kinda boring topic since everybody here is talking about it this week, but it's really confusing to me.
Every now and then some DB gets hacked, millions of passwords are leaked and then you have developers, who should be smart and logical people, who decide to do that.
Ok, maybe the project deadline was close or something similar, but I think there is no excuse for something like that. No matter how close or behind deadline project is, you should always be able to explain to your boss/client what could happen.3 -
Hang on... If online banks ask you for the n'th, m'th and p'th character of your password, they must be storing it on plaintext! WTF? I don't even understand why they do that in the first place.17
-
What the fuck is wrong with Google?!!
Trying to log into Gmail.
Forgot password.
Gmail: To reset, code from authenticator app is required.
Me: Super. Good thing I set it up.
Enters code.
Gmail: Recovery email.
Me : Uh... Forgot that too.
Gmail: Some email address to communicate.
Me: Super!
Enters some other email address.
Receives mail with a link.
Me: Finally!
Opens link
Gmail: "When did you create your account?"
Me: Uh... If I had that kind of memory, we wouldn't be dancing right now.
.
.
.
Gmail: Sorry we couldn't verify you.
WHAT THE FUCK, GOOGLE?!
What sort of sadist play is this?!
Dropped them a mail to get access back. Got a link in the auto reply that explains how to repeat the above process. WTF?!
What the actual fuck?!14 -
So I get home from work, sit down infront of my computer and start browsing a few sites.
The loading times was not as fast as they should so I checked out my network setup. I had been auto connected to my ISP provided modems WiFi, which happens every now and then, so I reconnect to my faster and better WiFi AP.
Invalid password. What? Ok.. Let me just type in the same password, slowly..
Invalid password. MF..... Same password, looking down at my keyboard.
Invalid password. GDMF...
Browse to my AP config site, type in username and password.
Invalid password. Oh no you fucking did not just deny me entry as well.
Ok. Something is up and I'm going to get to the bottom of this!
Boot up Kali, fires loads of crap at the WiFi and the site. Still no damn luck! WTH!
I go upstairs to my AP, turn it off and on again.
I can now login on both my AP WiFi and config page.
It had frozen.
Thats two hours of troubleshooting for a "have you tried turning it off and on again" solution.
I feel great about my competence after this.2 -
Scored another win as the family tech guy! I found out my wife's sister and her husband were storing all their passwords in a Excel spreadsheet. Long story short they are now using a password manager. 😁2
-
Passwords.. how do you guys manage yours? I'm one of those who often used the same semi weak password for nearly everything
I'm more than likely going to get a password manager but I have no idea which, do you use any?31 -
So, I was going to make a little startup script to a friends laptop. I opened it up to realize I didn't know the PIN (not sure why it used a PIN instead of a password, but it did).
I looked up at the username, and it was in the format [name][number]. I though, "surely, no...." and tried it.
Yup. His username was basically [username][mypassword].
*sigh* -
Ever since I started with websecurity I've noticed alot of people still use passwords such as 123456 or abcdef and so on. I mean is it really so damn hard to figure out a more complicated password like, "IDigAGrave34+" or "IFuckedBaTmanInTheAssetsi1369" (a very long but yet secure pass). Or just use any word you see around you and mix them like for example if you have a dell pc and a samsung screen, those two names are pretty easy to scramble around like, "desamllsung" and sprinkle some random characters above it. If it is so hard to remember just write it down on notes and hide somewhere or use the countless programs where u can store it. So please for the love of your own privacy, think when you create an account and do not use the same pass on every damn site you are on. Make it hard for the hackers and crackers out there. Sincerily, a concerned internet user.11
-
Don't you just hate *silly* password restrictions? Surely there is a very limited number of possibile passwords
On top of this their "password prompt" says passwords are between 6 and 10 characters...
1 -
What the heck kinda password rules are these? Getting away from this credit union as soon as possible...
13 -
Great news, I just lost my email account's password. The password is in password manager but apparently, when I was changing it, I did something wrong. Now, neither the old one, nor the new one work and I can't login into my email. I didn't even change the password reset phone number to my new one! And I also forgot the recovery mailbox' password. Fucking great.
Here's the lesson: **ALWAYS** re-check your new password in your browser's private window.1 -
"You have to change your password, because you've either just registred or your password doesn't comply with our guidelines anymore."
I've not made my account recently.
The question beeing: How can they know if they "should" decently hash it? 👿
9 -
Rant rant rant!
Le me subscribe to website to buy something.
Le register, email arrives immediately.
*please not my password as clear text, please not my password as clear text *
Dear customer your password is: ***
You dense motherfucker, you special bread of idiotic asshole its frigging 2017 and you send your customer password in an email!???
They frigging even have a nice banner in their website stating that they protect their customer with 128bit cryptography (sigh)
Protect me from your brain the size of a dried pea.
Le me calm down, search for a way to delete his profile. Nope no way.
Search for another shop that sells the good, nope.
Try to change my info: nope you can only change your gender...
Get mad, modify the html and send a tampered form: it submits... And fail because of a calculation on my fiscal code.
I wanna die, raise as a zombie find the developers of that website kill them and then discard their heads because not even an hungry zombie would use that brains for something.1 -
I've been informed that through some level of recognition and certification, today is "Password Day," seemingly in an attempt to encourage people to have strong passwords. I will do my part and say that if you're not using a password manager, you have missed out on years of your life.11
-
- i registered at ***.com (pet store) with a super secure password and then they send me a welcome email with the password in plaintext...
- well, it sucks to have pets3 -
So we had to register for placements.. and the company sent email with plain text password.. and thats the password i registered with! nice!
BTW.. its one of the biggest company in IT industry globally.
2 -
Why would anybody do this?
Especially the last point
aaaaaab is already a lot more secure then 1234 but who cares, right?
8 -
I've just bought 3 months sky ticket...
THEY ONLY ALLOW A 4-DIGIT NUMBERS ONLY "PASSWORD"?!?!
IN WHAT YEAR DO THEY LIVE???
AND THEY EVEN SEND IT TO YOU VIA EMAIL ALONGSIDE YOU USERNAME!
I guess their old windows server which handles their authentication would be overcharged when it'd handle real passwords.4 -
I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:
- apply for password reset
- get a mail
- confirm the mail
(So far, so good)
- get a mail with a new CLEAR TEXT PASSWORD
Is this the stone age!?
You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.
All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if the you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)
If a user wants to reset their password? Send them to a mail with link on where they can assign a new password.
At no point should the password ever be stored or transmitted in any other medium.5 -
Tried to log into my laptop 4 times and got wrong password. Fumed for full 5 mins before realizing that I was using password of workplace laptop.
fml4 -
So here I am investigating something our users are claiming. I look up which user the UserId did the change and I see not only the user but also the users password in clear text in a separate field. I thought that field was for a password hint that the user can set up, but I asked around and apparently, no... It's literally the plain text version of the password stored in the database, next to the hash of the password.
Apparently, the users were so impossible to deal with that we added that column and for users that constantly pester us about not knowing their password and not wanting to change it, we added a plaintext password field for them :D2 -
Interesting password recommendation here...
Translation:
- A form with to fields: Surname and password.
- Below the form is a text: "For signup please enter your name and a password (e.g. your email address). With your name and password you can change your data anytime and may get access to the memberlist."
Bonus: There is a "help"-button (outside of the cutting) which even *recommends* the use of the email-address as the password!
Extra bonus: The password field is a normal text one.
IF THE EMAIL ADDRESS HAS TO BE SUBMITTED, WHY NOT JUST ADD ANOTHER FIELD OR AT LEAST LABEL THE FIELD CORRECTLY!
Update: After this form, you get to another form, to enter you email address...
3 -
Thank you microsoft. You clearly got that right. If someone knows how to make passwords secure, it's you.
... Is this what you wanted to hear? Because it looks like you have no idea what you're doing.
1 -
There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.
Blank password ? Seriously what the hell is happened to apple ?
Source : https://twitter.com/lemiorhan/...2 -
Why do most apps have a password reset page that redirects to a mobile site ?
Why not give them a code they can enter into the app which would then show a password reset page within the app or a link which opens the page within the app.
Isn't it good practice to keep the user within the app?
Isn't it better to serve a token than serve an entire html webpage for the server.
I've been thinking about this but 90% people follow the website pattern and Idk why. Am I missing something ?
Please fill me in on it. (Even devrant uses the same pattern)5 -
This one happened to me two years ago:
Off on holiday overseas, just arrived and decide to check my Emails. Easy peasy..."Hey, we noticed you're logging in from a different country. We sent a security code to your backup account."
Welp, fine, login to my backup account: "Hey, we..." Can anybody guess the problem here? Yep, my primary account was the backup account for my backup. Lovely circular dependency.
Microsofts solution: Play the guessing game, where you name us Emails, Contacts and Folders to prove it's yours and we might unlock your account... or not (managed to get it back on the 2nd try)
Thank you Microsoft for ensuring my workfree, email-free holiday.2 -
It's gotten to the point where I am legitimately impressed when I can tell a service is hashing their passwords.
All of these unnecessary complications of "must not have more than 2 of the same character in a row" but "can't be more than 12 characters" requirements make me think that the passwords are being saved in plain text.
Amazon and Dropbox do it right - present the user with an input box and no requirements printed anywhere.9 -
Apparently trackmania united (or trackmania in general) sends out passwords in plaintext to the user if he or she forgets it.... Fuck me. That is precisely why you use different passwords for different online logins...
-
Just installed Linux again after the installation finished because I somehow got a typo in the password I set in the beginningof the installation.
It was just quicker than to try hacking around this problem.3 -
So, I apply for a job and they send me an automated email with my username....and my pasword....in plain text...I should use a different password for my applications....4
-
2 things
0:considering whats happening with the Linux CoC would it be a good idea to swap back to Manjaro Linux
1:whats a good password manager that's free and can synchronize and perfectible has a desktop program6 -
Bought my first VPS, because the shared plan we are using is shit.
Spent just half an hour trying to log in, because upon registration they encouraged a strong password with simbols and everything.
But in reality a root password can only contain letters, numbers, underscore and minus sign... The fuck is wrong with you? Reducing the entropy is one thing, but really fucking up the most essential part of a VPN setup?7 -
"When you set up the new app instance, can you set an easier password for our account? No special characters or numbers"
Sure. It's not like having a strong password prevented unauthorized access in the first place. BECAUSE YOU GAVE THE FUCKING LOGIN DETAILS TO AN UNAUTHORIZED 3rd PARTY! Which incidentally is why I now have to set up a new app instance... -
I swear I get multiple emails every week from a person who's forgotten their password but instead insists our software is broken. "Account Broken, Can't Login!"
I've started just replying to these emails without even checking their accounts anymore -- or even opening up the system.
I'll say, "I'm sorry to hear that! I've looked into your account and it should work now."
I always get a reply back "THANKS! It works great now!"
Then I facepalm.
1 -
Intel, wtf kind of drugs is your stupid site on?
Trying to make an account, the password requirement says "at least one special character".
Ok, no problem.
"Password format is invalid"
Wut? Hmm, maybe it doesn't like that one. Let's try one from their suggested ones.
"Password format is invalid"
WTF? The fuck is your problem?!
*reloads the page, tries again*
"Password format is invalid"
ARE YOU FUCKING RETARDED?
*adds the special at the end of the password instead of the beginning*
It works.
https://youtube.com/watch/...
And then we wonder why bugs like Meltdown and Spectre come up. These guys can't even do fucking password validation properly.
And I've just lost 30 minutes because of this shit.
FUCK! -
Just managed to send my password in plain text to a colleague when I ment to enter it in the login box.....
Time to change my password again.....3 -
I had to create an account on a website. I used LastPass to generate a strong password. I entered it and got the following message:
"Password must be between 8 and 16 characters and must have special characters (? , ! & #) and numbers"
My password was 20 characters, me annoyed to generate a 16 character password. Filled it in and got the same error. That was it for me.
Who dafuq limits a password to 16 characters, that's fucking nothing. It did not accept all special characters, only the ones that were showed (like 5 or so).
And here comes the worst part...
It's a bank website! I had to create the most most most insecure password in history for it to work.8 -
So I had just finished the walkthrough with the inspector in my soon-to-be home. I was told I’d receive an email with instructions on how to download my inspection report.
A few hours passed and I received the email; it required I make an account with the service they were using to view my report... alright, whatever.
After making the account I receive another email thanking me for signing up. Then I see it, plaintext and bold letters:
Username: $myusername
Password: $mypassword
How is this even still a thing???5 -
When the login form tells me that my password is too short. The password that I've manually set in the database in my local dev environment.3
-
I'm thinking on getting keypass as my password manager, since it's open source, can use csv files and works on a bunch of platforms.
Does anyone has experience with using it or can recommend, in their view, some better solutions?9 -
The customer wanted me to create a password for their database. I made it the name of the software and appended b4lls.
Whenever I tell him what the password is I spell out the software with the b at the end, say "the number four", then lls. He has never repeated "oh, softwareballs", I am not sure he has noticed.1 -
Adding noip.com to the list of services that accept more passwords for signup than for logging in. Damnit how does software even get to that point. Isn't it, like, more effort to get this wrong than to get it right?
-
While you're typing and you remember this is not the correct password for this account but you're too lazy to backspace all that state of the art you just wrote so you just ENTER the shit out of that ¯\_(ツ)_/¯
-
That feeling when you debug the Users table in sql, which has a Password field encrypted with hash, but most of the demo users use the same Adminadmin password, so you recognize the other users password because you rembered the hash1
-
"We only permit non-restricted, non-offensive alpha-numeric passwords..."
Does ,wnW\M@Bb;v3F(xx offend you?5 -
If I made an app where you keep password hints so you can remember the password yourself, is it fair to say the encryption is your memory?1
-
The most frustrating part of the "your password must be min. 8 characters long and include a number and a special character" thing is that it does not improve security.
On the contrary.
I wonder how many people in the company have the name of the city they are located in, and the current year in their password...
#newyork18 #beijing20173 -
Hey does anyone know a good open source password manager? Sorry for the interruption. Keep on ranting.8
-
This kind of BS makes me mad
" - The password must have 6 digits
- It must have at most 2 repeated digits and 3 sequentials"
RIGHT, because 293417 is SO much safer than 999123
Btw, this is a phone company, so with this password you could probably have access to someone's phone number, phone records, address, and much more. WTF
2 -
airBaltic: hey, mister hacker, so these are characters our users can use for their password, we made everything to ensure the best hacking experience for you.
What’s the other fucking reason for doing it? Are they storing passwords in plain text, so it’s some weird kind of escaping technique?
Forbidding characters in passwords means only single thing for me, I can’t trust company’s competence of keeping my personal data.8 -
Im not sure if im a good or bad person by allowing my users to set a weak password.
They get to use almost whatever they want, but it may be bruteforced easily.
I let users decide their own security on that point.5 -
So... Apparently you can do ctrl+backspace in steam's password field and it deletes up to the last space instead of deleting the whole password... Nice.2
-
"Ideal" online banking:
1. Force users to change passwords often.
2. Implement possibility to login if forgot password.
3. Make it impossible to chage password if forgot one.9 -
My coworker cannot log in to his company email account. So I contacted the guys in charge of this by email, asking if they could help and asked whats the process now or how does this work. I assume if his email is not working, they cannot send him a password reset link.
their answer: yeah, sure, we reseted the password of the mentioned user, here is his new password5 -
Hi everyone,
One question is constantly popping in my head and I keep fighting to figure out how to answer.
So here it is:
Are you for or agains a password manager to store all your passwords?
P.S.
I am using a paid password manager, but keep asking myself is it really worth it, and am I compromising all my passwords if someone is willing to spend some time and hack my vaults. On the other hand the convenience and benefit of having all passwords in one place and also using different strong passwords for each of my accounts protects me from a weak security implementation on any third party service I use, because I am not re-using the same password everywhere.12 -
- First logon on the support website
- Input pregenerated password
- Password expired
- Input new password
- Password invalid
- Try different passwords
- I realize that the suggested length of the password (8 char) is also the max length
- Input eight character password
- Password invalid
- Input the pregenerated password
- Password changed1 -
To all websites requiring at least one upper case, one lower case, one number, one special character, 25 emoji and 49 unicorns in the password when signing up.
If you say something is required, then your regex BETTER be checking ONLY for those things. You should not have hidden requirements for passwords that users are supposed to dream about and know. Especially if it's a super time-sensitive thing that they should have opened 2 Fridays ago.
I had to pull my hair out for 20 minutes (that felt like an hour) before looking at their code and reading their regex. The regex was different from what the page said the requirements actually were. What were they even thinking? 😑
The rest of everything related to this organization uses an SSO system, why can't they just use it? Isn't the whole point of SSO to avoid a different login for every tiny part of the system?
I wonder what the other less technically inclined people using the system are doing right now. Sadly, I have no way of letting them know.
I sincerely hope the dev that made that website faces the same thing while picking a password for creating an account somewhere else and realizes what he/she did.
I really needed to let it out.
I feel much better now.
Time to take out the stress ball :)1 -
Mandatory change of password sucks.
Especially if you are using Windows.
Changing your password regularly can be good for security reasons. But I hate it that Windows keeps a log of all my previously used passwords and prevents me from using a former one. I mean, log the last three and then allow resuse. In our case, we need to change it every 180 days. So if I want to use a favorite "old" one, that it more than 1,5 years old ...16 -
Lately, I've been working in a web security company (mainly as a Support guy).
Going through tickets, I've found one golden gem, which helped me realising how dum customers are.
Since he's our customer, we try to keep stuff up-and-running at all times. If something goes bad, we fix it, and we need their passwords for stuff.
After the customer (somehow) got hacked again, he changed the password in panic.
Note the initial password was really, really good.
He emailed us the new password for "just in case".
The password is "hard-to-guess".
What. The. Actuall. Fuck.
What's next?
Setting the password "12345", activating 2-step-authentication and sending his phone in, along with his finger so we can unlock it with touch id?2 -
ESSO Password Manager.
Prepare to cry after ESSO inputs your password in the username-field instead of the password-field the third time while your colleagues are watching...2 -
When I am asked, I say create a password that is a phrase and enter it as you might see it in a book.
Passowrd: Hey you, stay away from my computer!
According to https://howsecureismypassword.net/:
3 SEXDECILLION YEARS
And it's pretty easy to actually remember.3 -
DevRant isnt the right place to use a easy password... Which is why i changed it from 1234 to 123456...14
-
Cause there's no really safe solution for that right now, finally release my favorite and verifiable secure linux password management tool for the web and as apps for iOS, Android and Windows Phone - including online synchronization, so you can access your passwords anywhere. (Web and Android first, the other platforms later).
At the moment it is still a pure gpg based Linux terminal application.2 -
So when it comes to password encryption in php, I've learned to use password_hash($password, PASSWORD_BCRYPT); // Blowfish
Anybody else use this? What do you php lovers like to use?4 -
I really should start using a password manager but I have no idea what one to choose, anyone have any input?
I'm thinking 1Password at the moment13 -
Sites requiring a maximum password length, does it mean they store the passwords in clear text?
Or what would be a plausible explanation for this stupid requirement?5 -
When any rants I write, I need to put in my Password managers' "Secure Note" section because I can't post here for them becoming public.
Pfrtt! xD12 -
Am I blind, stupid or both or does DevRant not give you the possibility to change your password?....3
-
>finally gets around to installing vsftpd on home server RPi
>doesn't work
hmm.mp2
>configurating
>confusing as fuck template documentation
>man page isn't much better
>gets it working
>goes to log in
User: pi
Password: a
(What? It's a home file/command server isolated from the Internet. Sue me.)
nope.avi
>why
>tries again
nope.svg
>FUCK
>sees small raw-command log in bottom-right of phone FTP client
hmm.flac
>tries again, watches log
PASS *****
>the fuck
>goes to change user pass over SSH
# passwd
"Current password?"
about half a second later
"passwd: auth token manipulation denied"
>the delay tho
>WAIT A SECOND
one time i got past some parental software bullshit on a tablet by abusing the delay between opening a banned app and the redirect to the normal software at like age 7. (Doing so let me enable remote wipe through Google. bye bye software!)
>*inner 7 year old has autistic screech*
# nano temp
a
abcdefghi
abcdefghi
^O Y ^X
# passwd < temp
>fucking works
>logs in to FTP server successfully
>does the one file download that was needed
why and how did that fucking work -
I had to change my password at work on Friday, on vacation until this coming Friday, taking bets on whether or not I lock myself out when I get back.
-
A password strength plugin, which really encourage user to improve password strength:
http://jqueryscript.net/demo/...2 -
I changed my twitter password on web on the day they discovered the passwords in plaintext in their logs, and till today, I've not been logged out of the mobile client2
-
Me: Trying to change my work password to something more complex, chooses multiple random words that are easy to remember.
Software: password does not satisfy complexity requirements due to missing number and uppercase letter.
FUCK. OFF. WITH. THIS. NONSENSE.
When will they learn to accept a long series of actual words? We all know it's more secure and easier to remember. Just fucking why?!4 -
When the recruiting company mails you about new jobs along with your PASSWORD!
Dude, you have a fuckall dev and u will help me find a job... Thanks, but no thanks.
4 -
Had to factory reset my phone as I added a pattern password. I used that password all day and right I as am getting ready for bed, I FORGET IT!! Stupid me did not put on USB debugging and I am like... Seriously!!1
-
Just wanted to buy a gift for my gf, so I went to birchbox.fr to buy her a 3 months subscription (irrelevant information).
So of course I needed to create an accout in order to buy it.
But what a surprise when I received a confirmation email, with my password in PLAIN TEXT inside. I guess I do really love her for not cancelling the gift and deleting my account immediately. -
A fucking space character should never be allowed in a wifi password!!! Just spent 4 hours looking to why the fucker would not connect to find a space on the end!! Trim or show an error!!!4
-
It's time to reset all my passwords. Got the second Facebook password reset email this month and now even from Microsoft they doesn't even have the same email-pass pair...
And fucking Facebook doesn't tell anything about the reset attempt. Not even a fucking ip address.1 -
Because of the current debate I'm starting to get more into all the cyber security and privacy stuff.
So now I am searching for a password manager.
Do you have any recommendations for me?
Or maybe some additional tools I really need to use?
(Got PGP for mail, signal as my new messenger, a vpn and tor for now)4 -
* Stay without password for 1 month*
CHALLENGE ACCEPTED:
Install Linux, installed i3 wm and changed all mappings to custom ones.
#thuglife -
Fuck you Linux! I thought user password validation would be a piece of cake, like bash one liner. How wrong could I be!
Yeah, it's already ugly to grep hash and salt from /etc/shadow, but I could accept that. But then give me a friggin' tool to generate the hash. And of course the distro I chose has the wrong makepswd, OpenSSL is too old to have the new SHA-512 built in, as it should be a minimal installation I don't want to use perl or python...
And the stupid crypto function that would do me the job is even included in glibc. So it's only one line of C-code to give me all I want, but there is no package that would provide me this dull binary? Instead I will have to compile it myself and then again remove the compiler to keep image small?9 -
My first #hack is that I once opened my friends account on my computer using the Google recovery question which he kept as his favorite sport . Once in I changed the password and informed him that his account was hacked..lol you should see his face .later I told him he put his recovery question to be hard to be guessed ....lol I think he learnt the lesson the hard way...well after that I got to know about internet ethical rules and there ends the matter
-
Its been awhile since I opened up my Server VM to play around with. Until when I had to login to my DB VMs, I forgot the password. And forgot to save them into my password manager. Whelp, perfect for me to go back to square 1.1
-
Whenever a site tells me the password I entered has already been used? I mean how are you supposed to know if you are salting and hashing the password.. Oh wait you probably just save it in plain text!! Please don't!!7
-
Let's play a game.
Theme: Security awareness - grey-hat style.
How to play:
Post the name of the site followed by actual bad-password restrictions of well-known companies in the comments.
If no-one beats me to it, I plan to share some of the more alarming ones(or all) on a twitter and tag the relative companies as well as various security enthusiasts.4 -
So... there is a bank. And the website for example is using "https". Alright. But the Login consists your login ID (in the most cases your account number) and a Pin number ( only 5 chars) If i remember pentesting, crunch etc a pin or password with 5 chars (included special characters) is fast hackable or not? Or is it super secure cuz of the "https"?4
-
First run of an import procedure in the production environment.
Spent all morning with an "Unsupported media type" error.
Finds out that the provided password was wrong and that the Webservice always return that message when there's an error.
Any type of error... -
Can anyone recommend a good password manager that is 'in the cloud', can be used on my mobile and makes life easy for logging into apps on my phone that aren't logged in via a browser. Ideally something free but I'm willing to pay for something that is worth it10
-
Someone earlier today posted a rant about a credit card security conference sending them account details with a plain text password in an email. The password appeared to be 1 use temporary password that the user would change on first login. Assuming one does not actually store plain text passwords, what is the downside to a single use password Vs a single use link to set a new password?1
-
I can't recall what platform it was, but upon trying to change my password it would tell me that the new password was too similar to the previous one... :/1
-
!rant && askDevRantDevs()
I can't find a way to change my password. Am I just too blind or too tired ? (ofc I'm tired, stupid question)5 -
Soooo how does one manually change password here on devrant? Is the "forgot password" workaround the only way, or am I missing a hidden "change your password" button?1
-
What's harder than trying to name a variable is to think of a memorable but easy to type password to a system that resets expires every 3 months with history checks.2
Top Tags
Weekly Rant
View