Interviewer - so what's your email ID?

Candidate- sir, abc@xyz.com

Interviewer - and password?

Candidate- 12345678

Interviewer - you shared such a confidential information so easily for the job. How can we trust that you will not share any confidential information of the company for some better offers?

Candidate - Sir, I might have shared my password with you but I don't think you can still login to my email account. Let's look for the possibilities. My password can be

12345678

Or

Onetwothreefourfivesixseveneight

Or

1twothreefourfivesixseveneight

1twothreefourfivesixseven8….. so on

Or

2444666668888888 (one 2, three 4….)

13355557777778 (1, two 3, four 5……, 8)….. so on

Or

Combination of all of these…

By the way, did I mention use of capitals? 😂

Finally that candidate was offered with the position as
" HR Manager"

Close relative: Hey, what is my gmail password?
Me: I have no idea.
Him: but you created the gmail account for me a couple years ago.
Me: Yeah, I helped you to create it and I warned you to remember your password.
Him: didn’t you write it down somewhere?
Me: no, I didn’t, you fucking useless piece of shit. I am not your fucking password manager.

> installs devRant app on my iPhone
> too lazy to type my 18-char random password on mobile
> password manager app not on App Store yet
> dig up my old Macbook
> install XCode & homebrew package manager
> install 2 other package managers using homebrew
> install App deps from the 2 package managers
> query stackoverflow for why my deps fail to install
> open App in XCode
> setup Apple provisioning profile
> trust my certificate on my iPhone
> dig up an old router & setup a local WiFi network
> start a server on my laptop to serve my PGP keys
> download my PGP keys to my iPhone
> app crashes
> open an issue on github with steps to reproduce & stacktrace
...
> type my 18-char random password
> rant on how I wasted an entire afternoon

Manager: Hurry up and login, I don’t have all day

Dev: One sec I have to lookup my password for the system

Manager: How can you not remember your password? Everything requires it these days

Dev: I use a different password for each service.

Manager: Wow you really like to overcomplicate things. Just use the same one for everything like I do, it’s way more efficient!

Dev: …

This project manager, man....

> Sends email to a client "Dear Ms X, here's your password for the Jira board: [...] Please handle it with care and keep it secret."
> Email goes out to 5 people.

Why the Fuck would someone disable pasting on a password field!!!! How the fuck am I supposed to enter my shit from my password manager now?

Manager: "The password must be encrypted to store it inside the database."
Me: "Great! No problem."
Manager: "Then it must have a copy of the unencrypted password to send it by email."
😐

Project Manager: You used a hash/salt to encrypt the password in our customer database?

Me: Yes.

Project Manager: That's mean we will not be able to see the password?

Me: That's the whole point. Why would you want to see what password customer is choosing?

Project Manager: Change it. Use random encryption method.

Client comes to me after a year to publish an update to his app.

I accept, start looking for my release key.... Found it.

Fuuuuuuucccck what's the password? I can't remember

Googled what to do if forgot password of keystore: Nope can't do shit other than brute Force. You've to forget your app and publish as a new app. Nice.

I must have written it somewhere... I'm sure. Check my password manager: Nope.

Start brute forcing:
Default pass: android. Nope
Name of app? Nope

After 10 mins of brute forcing:
Why would I not store the password in my password manager? The only reason I can think is the password is too stupid to be stored.

Try "password". App signed successfully.

I'm ashamed of 1 year older me xD

Our website once had it’s config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”

Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”

Disabling pasting into a password field in 2020 with password managers, is retarded. That's it that's the rant. Doesn't matter if you think password managers are good or not. Its still retarded that there's a 40 something year old dumbfuck manager who told a web designer at EA to disable pasting into a fucking password field because he was dumb enough to think it stopped hackers or some shit like that.

The following just happened in the bus:

A woman took a beautiful Enpora flip phone from 2008 out of her pocket. While she did that a small yellow paper fell on the ground. My eyes pointed at the paper and I saw multiple usernames, passwords and codes on it.

I didn't even hesitate and tapped on her shoulder and gave it back.

She was frightened! Couldn't thank me enough and told me how important it was to have that with her. She said she couldn't remember all her passwords and that if she would've lost it, she didn't know how to log in and unlock her phone anymore.

I gladly told her that it wasn't very safe but ofcourse I understoot that it can be hard to remember everything.

Also I almost told her that she could start using a password manager but with a flipphone you can't use that of course ;)

TL;DR: Fuck you Apple.

10:30 PM, parent needs iPhone update to update Messenger. How hard can this be?
Need to update iPhone from 9.x to latest, which is so outdated it still required iTunes. Fk.

Boot iTunes on Windows 10 pc that is at least 10 years old.
Completely unresponsive
Crash in task manager
Launch and is completely unresponsive. (Also starts playing unrequested music.. Oh joy..)
Fuck this, go to apple.com to download iTunes exe
Gives me some Microsoft store link. Fuck that shit, just give me the executable
Google “iTunes download”. click around on shitty Apple website. Success.
Control panel. Uninstall iTunes. (Takes forever, but it works)
Restart required (of fucking course).
2 eternities later. Run iTunes exe. Restart required. Fk.
Only 1 eternity later. Run iTunes, connect iPhone.
Actually detects the device. (holy shit, a miracle)
Starts syncing an empty library to the phone. Ya, fuck that.
Google. Disable option. Connect phone. Find option to update.
Update started. Going nowhere fast. Time for a walk at 1:00 AM punching the air.
Come back. Generic error message: Update failed (-1). Phone is stuck installing update. (O shit)
1x hard reset
2x hard reset
Google. Find Apple forum with exact question. Absolutely useless replies. (I expected no less)
Google recovery mode. Get into recovery mode.
Receive message: “You can update, but if it fails, you will have to reset to factory settings”. Fuck it, here we go.
Update runs (faster this time). Fails again. Same bullshit error message. (Goddammit, fuck. This might actually be bad.)
Disconnect phone.
… It boots latest iOS version. (holy shit, there is a god)
Immediately kill iTunes. Fuck that shit.
Parents share Apple account
Sign in, 2FA required.
Fat finger the code.
Restart “welcome” process.
Will not send code. What. The. Fuck.
Requests access code on other parent’s iPhone.
No code present. What???
Try restarting welcome process again. No dice. (Of course)
Set code on other parent’s iPhone.
Get message “Code is easy to guess”. Ya. IDGAF
Use code on newly updated iPhone. Some success.
Requires reset of password.
Password cannot be the same as old password (Goddammit)
Change password.
Welcome process done.
Sign in again on same phone after welcome process done in settings. (Nice.)
Sign in again on other phone with updated password
Update Messenger.
Update hangs. Needs more space.
Delete shit.
Update frozen in App Store (Really??)
Restart iPhone.
Update Messenger.
Update complete past 2. Well that was easy.

Apple, fuck you.
Some call Android unintuitive, but I look at the settings app on iPhone and realize you aren’t any better.
This company hasn’t been innovative since 2007. Over 1000 USD for a phone? Are you fucking kidding me?
Updating an iPhone from iOS 9.x is probably uncommon anymore. But this is a fucking joke. Fix your shit.
Shit like this is why I’ll never again own an Apple product. I have HAD IT with the joke of a business.

Thanks for reading.

Girlfriend: There are so many passwords to remember, man. What's my amazon password, baby?

Me: Just use a password manager?

Girlfriend: That sort of thing exists?

A couple of weeks ago, I asked the "brand manager" if he knew how to reset printers to their defaults before reconfiguring them, knowing full well that he did not. He assured me that he did. I smiled and let him leave.

He called me yesterday, frantic, because he didn't know how to reconfigure a printer that already had a password. After reminding him of the above, I told him how to put the printer in diagnostic mode and how to navigate the menus. Literally: "Turn the printer off, then hold down the feed paper button while turning the printer on. It will print out a bunch of diagnostics, and a menu at the bottom. Just follow the instructions at the bottom to use the menu"

Apparently following simple instructions is well outside of his abilities. After he spent five minutes fighting with it and complaining, I called him and walked him through powering the printer on while holding down the feed paper button. Terribly difficult.

The next step amounts to "hold down the feed paper button for more than 1 second." He spent ten minutes (ten!) on this unimaginably challenging step, and, frustrated at his inability to outsmart a simple button, he gave up completely.

He literally couldn't follow the instructions on the printout. I've attached a picture to show how ridiculous this is, and it saddens me terribly to report that I'm quite serious. he was literally unable to figure this out.

HE SPENT TEN MINUTES TRYING TO PUSH A BUTTON FOR >1 SECOND! TEN MINUTES!
That's what was too difficult for him! A button! With written instructions!

I can't even.

But the kicker?
Now he and the bossman want me to drive half an hour so I can push a button for ~1.2 seconds because they're utterly incapable.

I'm soo done.
So. done.

Bank forces me to change my password. Figured I'd use Safari's strong password generation. Submit. Password changed.

Go to log in with new password. Password not saved because I had previously told Safari not to save this site's password.

Okay… so the strong password you JUST generated and submitted without showing me is now my banking password but neither of us knows what it is?

Fucking brilliant. I mean at least let me fucking copy it so I can store it in my password manager. The most hilarious thing is the message that appeared on the generated password saying my password would be available from Safari preferences. Yup, nope. Nothing there except a note saying no passwords will be stored for this site.

This is the state of Apple in 2018, folks. Fucking sad.

The tech stack at my current gig is the worst shit I’ve ever dealt with...

I can’t fucking stand programs, especially browser based programs, to open new windows. New tab, okay sure, ideally I just want the current tab I’m on to update when I click on a link.

Ticketing system: Autotask
Fucking opens up with a crappy piss poor sorting method and no proper filtering for ticket views. Nope you have to go create a fucking dashboard to parse/filter the shit you want to see. So I either have to go create a metric-arse tonne of custom ticket views and switch between them or just use the default turdburger view. Add to that that when I click on a ticket, it opens another fucking window with the ticket information. If I want to do time entry, it just feels some primal need to open another fucking window!!! Then even if I mark the ticket complete it just minimizes the goddamn second ticket window. So my jankbox-supreme PC that my company provided gets to strugglepuff along trying to keep 10 million chrome windows open. Yeah, sure 6GB of ram is great for IT work, especially when using hot steaming piles of trashjuice software!

I have to manually close these windows regularly throughout the day or the system just shits the bed and halts.

RMM tool: Continuum
This fucker takes the goddamn soggy waffle award for being utterly fucking useless. Same problem with the windows as autotask except this special snowflake likes to open a login prompt as a full-fuck-mothering-new window when we need to open a LMI rescue session!!! I need to enter a username and a password. That’s it! I don’t need a full screen window to enter credentials! FUCK!!! Btw the LMI tools only work like 70% of the time and drag ass compared to literally every other remote support tool I’ve ever used. I’ve found that it’s sometimes just faster to walk someone through enabling RDP on their system then remoting in from another system where LMI didn’t decide to be fully suicidal and just kill itself.

Our fucking chief asshat and sergeant fucknuts mcdoogal can’t fucking setup anything so the antivirus software is pushed to all client systems but everything is just set to the default site settings. Absolutely zero care or thought or effort was put forth and these gorilla spunk drinking, rimjob jockey motherfuckers sell this as a managed AntiVirus.

We use a shitty password manager than no one besides I use because there is a fully unencrypted oneNote notebook that everyone uses because fuck security right? “Sometimes it’s just faster to have the passwords at the ready without having to log into the password manager.” Chief Asshat in my first week on the job.

Not to mention that windows server is unlicensed in almost every client environment, the domain admin password is same across multiple client sites, is the same password to log into firewalls, and office 365 environments!!!

I’ve brought up tons of ways to fix these problems, but they have their heads so far up their own asses getting high on undeserved smugness since “they have been in business for almost ten years”. Like, Whoop Dee MotherFucking Doo! You have only been lucky to skate by with this dumpster fire you call a software stack, you could probably fill 10 olympic sized swimming pools to the brim with the logarrhea that flows from your gullets not only to us but also to your customers, and you won’t implement anything that is good for you, your company, or your poor clients because you take ten minutes to try and understand something new.

I’m fucking livid because I’m stuck in a position where I can’t just quit and work on my business full time. I’m married and have a 6m old baby. Between both my wife and I working we barely make ends meet and there’s absolutely zero reason that I couldn’t be providing better service to customers without having to lie through my teeth to them and I could easily support my family and be about 264826290461% happier!

But because we make so little, I can’t scrap together enough money to get Terranimbus (my startup) bootstrapped. We have zero expendable/savable income each month and it’s killing my soul. It’s so fucking frustrating knowing that a little time and some capital is all that stands between a better life for my family and I and being able to provide a better overall service out there over these kinds of shady as fuck knob gobblers.

Aww SwiftKey, after two letters youre suggesting the right password, that's so nice of you...

Wait a minute... WHY DO YOU EVEN KNOW THAT?

You're not a password manager and you don't do that with other passwords, what's wrong with you?

The best password manager available in the market...

One of our newly-joined junior sysadmin left a pre-production server SSH session open. Being the responsible senior (pun intended) to teach them the value of security of production (or near production, for that matter) systems, I typed in sudo rm --recursive --no-preserve-root --force / on the terminal session (I didn't hit the Enter / Return key) and left it there. The person took longer to return and the screen went to sleep. I went back to my desk and took a backup image of the machine just in case the unexpected happened.

On returning from wherever they had gone, the person hits enter / return to wake the system (they didn't even have a password-on-wake policy set up on the machine). The SSH session was stil there, the machine accepted the command and started working. This person didn't even look at the session and just navigated away elsewhere (probably to get back to work on the script they were working on).

Five minutes passes by, I get the first monitoring alert saying the server is not responding. I hoped that this person would be responsible enough to check the monitoring alerts since they had a SSH session on the machine.
Seven minutes : other dependent services on the machine start complaining that the instance is unreachable.

I assign the monitoring alert to the person of the day. They come running to me saying that they can't reach the instance but the instance is listed on the inventory list. I ask them to show me the specific terminal that ran the rm -rf command. They get the beautiful realization of the day. They freak the hell out to the point that they ask me, "Am I fired?". I reply, "You should probably ask your manager".

Lesson learnt the hard-way. I gave them a good understanding on what happened and explained the implications on what would have happened had this exact same scenario happened outside the office giving access to an outsider. I explained about why people in _our_ domain should care about security above all else.

There was a good 30+ minute downtime of the instance before I admitted that I had a backup and restored it (after the whole lecture). It wasn't critical since the environment was not user-facing and didn't have any critical data.

Since then we've been at this together - warning engineers when they leave their machines open and taking security lecture / sessions / workshops for new recruits (anyone who joins engineering).

OK I can't deal with this user anymore.

This morning I get a text. "My laptop isn't getting emails anymore I'm not sure if this is why?" And attached is a screenshot of an email purporting to be from "The <company name> Team". Which isn't even close to the sort of language our small business uses in emails. This email says that his O365 password will soon be expiring and he needs to download the attached (.htm) file so he can keep his password. Never mind the fact that the grammar is awful, the "from" address is cheesy and our O365 passwords don't expire. He went ahead and, in his words, "Tried several of his passwords but none of them worked." This is the second time in less than a year that he's done this and I thought we were very clear that these emails are never real, but I'll deal with that later.

I quickly log into the O365 admin portal and reset his password to a randomly-generated one. I set this to be permanent since this isn't actually a password he should ever be needing to type. I call him up and explain to him that it was a phishing email and he essentially just gave some random people his credentials so I needed to reset them. I then help him log into Outlook on his PC with the new password. Once he's in, he says "so how do I reset this temporary password?" I tell him that no, this is his permanent password now and he doesn't need to remember it because he shouldn't ever need to be typing it anyway. He says "No no no that won't work I can't remember this." (I smile and nod to myself at this point -- THAT'S THE IDEA). But I tell him when he is in the office we will store the password in a password manager in case he ever needs to get to it. Long pause follows. "Can't I just set it back to what it was so I can remember it?"

Recently, one of our passwords was accidently published on a public page for a few minutes before it was noticed and removed. Unfortunately, this password opens nearly every locked account so it's a pretty big deal.

Management was informed of this mistake and told that we should change the passwords as well as implement a few other protocols to make sure this doesn't happen again including things like unique passwords, more secure passwords, using a password manager, etc.

Their response? It wasn't online long, probably no one saw it. There will be no changes in how we handle ours or our clients' secure passwords.

My trusty password manager, so I dont have to remember those shitty passwords. (its however being rebuilt after a failed firmware upgrade who bricked it).

WHAT THE ACTUAL FUCKING FUCK MICROSOFT?!!
I go to log into my laptop:
me: *enter the pin*
Windows: Error
me: Ok let's try the password...
Win: WRONG PASSWORD!
me: *checking my password manager* Nope, pretty sure that's correct... Ok, whatever let's try to reset it.
me: *generates new password and resets the password for the account*
Windows: You can now log in
me: *enters the new password*
Windows: WRONG PASSWORD!
me: that's weird... let's try that again
Windows: WRONG PASSWORD!
me: Ok... reset once more *I enter the same password I generated before*
Windows: ThAt Is An OlD pAsSwOrD
me: *getting really pissed* FINE, GODDAMIT, HERE, NEW PASSWORD
Windows: You can now log in
me: *enters the new new password*
Windows: wRoNg PaSsWoRd!

jdjsjcjj+3+@!o(€;#@!(&(1!!#((#(€_"jsjeucjcjfdjosdifhshabxnfnxjsosoguwqlqqlall#7@+1(
aaaaaáaaaaaaaaaaaaaaaaaaaaaaaaaa

FUCK FUCK FUCK FUCK FUCK FUCK FUCK
YOU FUCKING INCOMPETENT CUNTS AT MICROSOFT!!!!!1!!!!!!!

I'M GONNA FUCKING TEAR YOU INTO THOUSAND PIECES AND THEN RUN YOU THROUGH A SHREDDER!!

YOU MOTHERFUCKING IDIOTIC CUNTS
FREAKING DEGENERATES

Attempting to access my colleague's NFS directory on his VM, don't know the VM's IP address, hostname or password:

- 2 minutes with nmap to narrow the possible IPs down to ~30

- Ping each and look for the one with a Dell MAC prefix as the rest of us have been upgraded to Lenovo. Find 2 of these, one for the host and one for the virtual machine.

- Try to SSH to each, the one accepting a connection is the Linux VM

- Attempt login as root with the default password, no dice. Decide it's a lost cause.

- Go to get a cup of tea, walk past his desk.

- PostIt note with his root password 😶

FYI this was all allowed by my manager as he had unpushed critical changes that we needed for the release that day.

I've been training a client for a few months now to not use Slack for sharing passwords and other secure materials.

I really thought I had made great progress. I even had him using a password manager. Then out of nowhere he sends the wildcard SSL key pair to me and a handful of other devs in a Slack thread.

At least we aren't storing important information like medical records. Oh wait, that's exactly what we're doing.

A colleague asked the boss to add a password to the company password manager so we could access it securely. She replied to the message with the password. We're doomed.

I was never really fond of 2FA, mostly due to the pain in the ass it creates if you lose or can’t access the 2nd device or jumping between GAuth to access Password Manager to access a password to use a login 😱.

But when your phone prompts up with a “allow some Asian, access to you’re iCloud account” you feel a world of relief that you have:

1) a notification you’re account is no longer secure,

And,

2) an immediate ability to change passwords before any access is granted.

Now it’s 1 more password I no longer know due to it being a scrambled mess of characters.

PS: Fuck you, you low life shithead!

Finally did the switch to Firefox and migrated my passwords to a proper password manager. Bye chrome!

**Me, while working on sql based project**

Manager: Does anyone knows java! Want a sample login screen written in java.

**I'm the only one in my team to know java, thus raised my hand**

Me: It's done. Mailed you the .java file.

Manager: I can see my password

Me: I fuckn hate myself. ***Forgot to set password field as password type***

Manager: you are no different than others.

Me: Yeah..😶 **f@#& you**

So... I’m sitting here doing pretty much nothing, just reading through some rants when all of a sudden I get a wave of emails.

Pinterest!
We noticed a login from a new device or location and want to make sure it’s you.
Device: Firefox, Windows 8
Where: New Jersey, United States (Approximate)

OhhhhhKay then... so there’s a couple of problems with this, 1 I didn’t even know I had a Pinterest account, 2 I don’t have Pinterest in my password manager either.

So I follow the link and fair enough it’s actually pintest, so I attempt to login, to no avail, oh maybe it’s a social login..., ok let’s try google, nope that wasn’t it, deletes account, logins with Facebook, oh here we go, checks logins, 1 random jersey player, deletes account, swaps to Facebook, changes password (this fucker was already 100+ characters) and adds 2FA and contains no new logins 🤔

Ok... so what the fuck, either someone managed to get through a long ass password or something phishy is going on, the email for FB logins is seldomly used (maybe a handful of services at best) as I have another for all the junk and spam bullshit I expect from today’s “marketing”

This is how beautiful corporate is -

I talked to my cousin recently who works in an MNC. He told me about a team member who was assigned a Google Login integration task on the website. They already had a username/password combo working.

That team member took 2 months for it. Every week on the team wide meeting he took an off day and kept saying he was 'stuck' on the task and he's figuring it out.

2 months later, he completed the task and got compliments from the manager that he 'worked day and night' and overcame his struggles. Then he got a week off for his 'efforts'.

Just kill me at this point.

Fucking hell with the password fields.
Why in the fucking hell you can't tell me what's the max characters count? Why I have to deal with auto-truncated passwords after the fact?
Go eat exquisite shit, peasant punks, pussy cutters.

Just submitted my first app to the Microsoft Store 🎉🎉

It's a simple offline password manager that also accepts other formats of data such as credit card and personal info.

Made it using WinUI 3. To prevent you from forgetting your master password, each "locker" accepts an unlimited number of passwords. If you forgot one, you can just use a different one. This is my idea to make offline password managers a little less of a hassle.

Can't wait for approval from the store!

Open source password manager.

Just another big rant story full of WTFs and completely true.

The company I work for atm is like the landlord for a big german city. We build houses and flats and rent them to normal people, just that we want to be very cheap and most nearly all our tenants are jobless.
So the company hired a lot of software-dev-companies to manage everything.

The company I want to talk about is "ABI...", a 40-man big software company. ABI sold us different software, e.g. a datawarehouse for our ERP System they "invented" for 300K or the software we talk about today: a document management system. It has workflows, a 100 year-save archive system, a history feature etc.
The software itself, called ELO (you can google it if you want) is a component based software in which every company that is a "partner" can develop things into, like ABI did for our company.

Since 2013 we pay ABI 150€ / hour (most of the time it feels like 300€ / hour, because if you want something done from a dev from ABI you first have to talk to the project manager of him and of course pay him too). They did thousand of hours in all that years for my company.

In 2017 they started to talk about a module in ELO called Invoice-Module. With that you can manage all your paper invoices digital, like scan that piece of paper, then OCR it, then fill formular data, add data and at the end you can send it to the ERP system automatically and we can pay the invoice automatically. "Digitization" is the key word.

After 1.5 years of project planning and a 3 month test phase, we talked to them and decided to go live at 01.01.2019. We are talking about already ~ 200 hours planning and work just from ABI for this (do the math. No. Please dont...).

I joined my actual company in October 2018 and I should "just overview" the project a bit, I mean, hey, they planned it since 1.5 years - how bad can it be, right?

In the first week of 2019 we found 25 bugs and users reporting around 50 feature requests, around 30 of them of such high need that they can't do their daily work with the invoices like they did before without ELO.
In the first three weeks of 2019 we where around 70 bugs deep, 20 of them fixed, with nearly 70 feature requests, 5 done. Around 10 bugs where so high, that the complete system would not work any more if they dont get fixed.

Want examples?
- Delete a Invoice (right click -> delete, no super deep hiding menu), and the server crashed until someone restarts it.
- missing dropdown of tax rate, everything was 19% (in germany 99,9% of all invoices are 19%, 7% or 0%).

But the biggest thing was, that the complete webservice send to ERP wasn't even finished in the code.
So that means we had around 600 invoices to pay with nearly 300.000€ of cash in the first 3 weeks and we couldn't even pay 1 cent - as a urban company!

Shortly after receiving and starting to discussing this high prio request with ABI the project manager of my assigned dev told me he will be gone the next day. He is getting married. And honeymoon. 1 Week. So: Wish him luck, when will his replacement here?

Deep breath.
Deep breath.

There was no replacement. They just had 1 developer. As a 40-people-software-house they had exactly one developer which knows ELO, which they sold to A LOT of companies.

He came back, 1 week gone, we asked for a meeting, they told us "oh, he is now in other ELO projects planned, we can offer you time from him in 4 weeks earliest".

To cut a long story short (it's to late for that, right?) we fought around 3 month with ABI to even rescue this project in any thinkable way. The solution mid February was, that I (software dev) would visit crash courses in ELO to be the second developer ABI didnt had, even without working for ABI....

Now its may and we decided to cut strings with ABI in ELO and switch to a new company who knows ELO. There where around 10 meetings on CEO-level to make this a "good" cut and not a bad cut, because we can't afford to scare them (think about the 300K tool they sold us...).

01.06.2019 we should start with the new company. 2 days before I found out, by accident, that there was a password on the project file on the server for one of the ELO services. I called my boss and my CEO. No one knows anything about it. I found out, that ABI sneaked into this folder, while working on another thing a week ago, and set this password to lock us out. OF OUR OWN FCKING FILE.
Without this password we are not able to fix any bug, develop any feature or even change an image within ELO, regardless, that we paid thausend of hours for that.

When we asked ABI about this, his CEO told us, it is "their property" and they will not remove it.
When I asked my CEO about it, they told me to do nothing, we can't scare them, we need them for the 300K tool.

No punt.
No finish.

Just the project file with a password still there today

A Password form, not allowing copy and paste.. so not possible to use a proper Password manager.

Hey Citrix:

FUCK YOU.

Learn to make an accessible log in page you fucks.

Maybe instead of vague fucking "you're user name and password is wrong" say things like "your account is locked because we somehow decided we don't like your password anymore. . . . without telling you"

Fucking 2 hours of my day wasted trying to log into my company's VM because first it wouldn't take my password (that I've had for over a month and doesn't expire for another month) over and over again. I changed it, logged in. Got up to do something that'd take less than 5 minutes. And OF COURSE the people who set up the VM made them log you out if you're gone for more than 3 minutes (fuck that guy too). Come back to a log in screen and it won't accept my new password.

Change it again. Except this time it won't accept my new password because it's "like my old password." It is in that it uses the alphabet and numbers, but it's also different in that those alphanumeric characters are LITERALLY DIFFERENT IN EVERY PLACE. I finally get it to accept a new password.

I'm also loving the whole "answer these security questions that literally anyone who does minimal research on you can answer" before I get to change my password. Yeah. Because finding my mother's maiden name or the city I was born in is so fucking hard. Literally impossible to find out what my Dad's dad's name is. Shit like that isn't publically available. Nope. Why the fuck are we still using "security" questions?

I log into Citrix again. And it takes me to . . . the log in for Citrix.

There is no word in elvish, entish or the tongues of men for this stupidity.

Fuck Citrix. Fuck the people behind the password manager (Aviator or something like that), and fuck whatever administrator setting turns my computer off due to inactivity in such a stupid short amount of time. 10 minutes, 15 minutes, that'd be fine. But it's more like 3 or 5, like wtf.

Our new COO has decided to migrate our passwords from to a new password manager (due to security concerns).

But now, nearly 75% of our passwords are just 'missing' and we don't have access anymore to our first password manager and it's been emptied out.

AFAIK, the COO still has all the passwords but not shared. He is not responding to my mails / team message from the past day.

I think I want to quit.

I know it’s a bit of an inconvenient time with there being corona around but everything was okay up till January. I’m a junior even though I shouldn’t be. Since my manager told me and my team leader senior in my review “maybe you two should switch jobs” things have been going downhill. I think the team lead had it out for me and didn’t put me on a new project, I’ve been left with doing stupid basic shit like updating text on websites in a cms and doing fuck all and then there’s also another guy that was basically harassing me trying to put me in my place any time I was doing better than him and literally both of them been like that ... and now that I’m working from home it’s even worse. I don’t have any kind of assurance that everything okay and actually I think I’m being framed as welll since I found keyloggers on my work laptop and deleted cleaned shit up the past two weeks and changed my WiFi security as there were like 5 unknown devices on our network so yeah .. I’ve been framed and they made it out like I put a powershell script on one of the servers and it crashed a Porsche website for 8 h and all kinds of bullshit - this was yday. On Tuesday they logged me out of everything like changed the password for work vpn and kicked me out of slack and Microsoft teams for over 2 hours till the end of shift and two managers weren’t answering their phone and then next day my manager called and apologised that saying that he “accidentally” did that to me along with 15 people they let go from the company....

I’m seriously thinking of quitting being removed from team group for a moment , not being on a project and people literally trying to put me down after I know I’m genuinely smarter than them and if I had over 10 years experience like those on my team (I have 1) I’d be far higher up and better

They can genuinely just go fuck themseves !!!! And here I was going to work over weekend on something! No fucking way I just wanna quit or give in my notice but because of corona I’m divided

Once we got an urgent requirement to add double hashing the password in a web application. It had to go to the production ASAP. The developer which was working on it, added 2 alerts in Javascript to display entered password and encrypted password. Finally change was ready to deploy but in hurry she forgot to remove the alerts. In rush and excitement, that change was shipped to the production. The alert says 'your password is 123', 'your password is xyz'.

After some time got phone calls from users and manager. Manager said, 'how the hell our application got HACKED? If anything happens to..........'. To cut it short, he was furious. We knew exact reason and solution. Didn't take couple of minutes to resolve this issue.

But it was funny mistake and that released that days pressure off.

Websites that still for w/e reason limit the number of characters a password can have...

Seriously, when a website starts bitching about me entering a 32-character password generated by my password manager "being too long", I seriously start to wonder how they store the password...

TL;DR: Google asked me to PROVIDE a phone number to verify connection from a new device, on the said device.

Yesterdayto log into my work Google account from my personal laptop to check emails, calendars update and so on. I opened up a private navigation window, went to Google sign-in page, entered my credentials, all is well.

Google then decided to "verify it's me" and prompted me to PROVIDE a phone number (work account without work phone means no phone number set up) so that they can send a verification code to the number I just provided to make sure the connection is legit.

Didn't want to do that, clicked "use another method" and got asked to fill the last password I remember, which would be my current password thanks to my trusty password manager. After submitting, I'm prompted with an error saying I have to contact my admin to reset my password because they can't log me in with my CURRENT password.

I ain't gonna do that, so went back to login page, provided my phone number, got the code, filled in the code, next thing I know I'm browsing through my emails.

What the duck? Could have been anybody giving any phone number. So much for extra security.

Also don't care that they have my phone number, the issue is more about the way used to obtain it: locking me out of my account and having no other way of logging in.

Installs Nessus. Creates Admin account. Forgets to save the 32-char random password to a password manager and locks himself out. Installs Nessus...

Have been using redis for my new system and wanted to try some gui, so I stumbled on "redis desktop manager", it supports ssh tunnels, privatekeys and more, great isn't it?

BUT IT SAVES YOUR FUCKING PLAINTEXT PASSWORD AND PATH TO YOUR PRIVATE KEY IN %USER%\.rdm\connections.json

WHAT THE FUCK, fucking ask that password during connection, don't fucking save it in plaintext and give an attacker literally the path to my key, wanted to PR it, but fuck c++, probably thats why he doesnt have it, because hes just using some library, so he doesn't have to fuck with the actual implementation of it.

Best password manager?
I usually use the post-it-jutsu art to save my passwords.

But I think that when you have too much passwords, there should be a better way to store your info.

Scored another win as the family tech guy! I found out my wife's sister and her husband were storing all their passwords in a Excel spreadsheet. Long story short they are now using a password manager. 😁

What is your favorite password manager and why?

Passwords.. how do you guys manage yours? I'm one of those who often used the same semi weak password for nearly everything

I'm more than likely going to get a password manager but I have no idea which, do you use any?

My password manager!!
I use passwords I can never remember, stay logged in, next time I need to log_in I use the passqord forgotten button, reset it with my e-mail or better phone

Some Project Manager outsourced a redundant RADIUS setup with MySQL backend. We got 2 copies of a daloradius appliance running on Ubuntu 10.04. Once I saw this, I started to get a bit suspicious and requested to audit the system and database redundancy. With the system in production, and without getting back any documentation, I got into the VMs using the default root password. This was not even the worst part, as I found. One server was using a local MySQL instance, while the other was also using the first one's MySQL instance. When I reported this, I was told to comment clearly any changes to the configuration files, which resulted in commenting the word SHAME above each change.

What the actual f. I just changed my password on uplay to a 30 character password which works fine on the web account manager. Apparantly some moron decided to limit password field in the uplay client where your actual games are stored to 17 or 18 characters.

And that while they want to "improve" security. Please ubisoft, fix your shit

Me: Yay everything is tested and everything works!

Manager: Changes password of the e-mail server

Me: :(

A creative way to get yourself locked out from your server: having your new password manager hit an old entry port for a favicon - which gets you banned, took me a second to understand why I can't suddenly access things anymore lol

What's a good password manager for Linux?

A few (optional) conditions (in order of preference):
1. It's free
2. It supports ssh, gpg, etc.
3. It has a GUI (a nice one with gtk/qt support)
4. It's (properly) secure
5. It has FIDO U2FA support (i.e. supports physical security keys like Yubikey or Solo)
6. It has a browser extension
7. It's compatible/non-conflicting with gnome-keyring

Great news, I just lost my email account's password. The password is in password manager but apparently, when I was changing it, I did something wrong. Now, neither the old one, nor the new one work and I can't login into my email. I didn't even change the password reset phone number to my new one! And I also forgot the recovery mailbox' password. Fucking great.

Here's the lesson: **ALWAYS** re-check your new password in your browser's private window.

I've been informed that through some level of recognition and certification, today is "Password Day," seemingly in an attempt to encourage people to have strong passwords. I will do my part and say that if you're not using a password manager, you have missed out on years of your life.

Is it me or is password security is a giant mess right now?

Everyone has a gazillion ways to sign in.

Everything needs an account so eventually you get a password manager to keep track.

After reauthenticating passwordword manager, then you get to the next screen that requires you to enter a code from 2FA. Internet isn't fun to use any more.

you know you are in some deep shit when project manager asks for username and password on dev environment

... and as bonus: IE is his default browser

*leaning back in the story chair*

One night, a long time ago, I was playing computer games with my closest friends through the night. We would meet for a whole weekend extended through some holiday to excessively celebrate our collaborative and competitive gaming skills. In other words we would definitely kick our asses all the time. Laughing at each other for every kill we made and game we won. Crying for every kill received and game lost. A great fun that was.

Sleep level through the first 48 hours was around 0 hours. After some fresh air I thought it would be a very good idea to sit down, taking the time to eventually change all my accounts passwords including the password safe master password. Of course I also had to generate a new key file. You can't be too serious about security these days.

One additional 48 hours, including 13 hours of sleep, some good rounds Call of Duty, Counter Strike and Crashday plus an insane Star Wars Marathon in between later...

I woke up. A tiereing but fun weekend was over again. After I got the usual cereals for breakfast I set down to work on one of my theory magic decks. I opened the browser, navigated to the Web page and opened my password manager. I type in the password as usual.

Error: incorrect password.

I retry about 20 times. Each time getting more and more terrified.

WTF? Did I change my password or what?...

Fuck.

Ffuck fuck fuck FUCKK.

I've reset and now forgotten my master password. I completely lost memory of that moment. I'm screwed.

---

Disclaimer: sure it's in my brain, but it's still data right?

I remembered the situation but until today I can't remember which password I set.

Fun fact. I also could not remember the contents of episode 6 by the time we started the movie although I'd seen the movie about 10 - 15 times up to that point. Just brain afk.

Am I the only developer in existence who's ever dealt with Git on Windows? What a colossal train wreck.

1. Authentication. Since there is no ssh key/git url support on Windows, you have to retype your git credentials Every Stinking Time you push. I thought Git Credential Manager was supposed to save your credentials? And this was impossible over SSH (see below). The previous developer had used an http git URL with his username and password baked in for authentication. I thought that was a horrific idea so I eventually figured out how to use a Bitbucket App password.

2. Permissions errors
In order to commit and push updates, I have to run Git for Windows as Administrator.

3. No SSH for easy git access
Here's where I confess that this is a Windows Server machine running as some form of production. Please don't slaughter me! I am not the server admin.
So, I convinced the server guy to find and install some sort of ssh service for Windows just for the off times we have to make a hot fix in production. (Don't ask, but more common than it should be.)
Sadly, this ssh access is totally useless as the git colors are all messed up, the line wrap length and window size are just weird (seems about 60 characters wide by 25 lines tall) and worse of all I can't commit/push in git via ssh because Permissions. Extremely aggravating.

4. Git on Windows hangs open and locks the index file
Finally, we manage to have Git for Windows hang quite frequently and lock the git index file, meaning that we can't do anything in git (commit, push, pull) without manually quitting these processes from task manager, then browsing to the directory and deleting the .git/index.lock file.

Putting this all together, here's the process for a pull on this production server:
Launch a VNC session to the server. Close multiple popups from different services. Ask Windows to please not "restart to install updates". Launch git for Windows. Run a git pull. If the commits to be pulled involve deleting files, the pull will fail with a permissions error. Realize you forgot to launch as Administrator. Depending on how many files were deleted in the last update, you may need to quit the application and force close the process rather than answer "n" for every "would you like to try again?" file. Relaunch Git as Administrator. Run Git pull. Finally everything works.

At this point, I'd be grateful for any tips, appreciate any sympathy, and understand any hatred. Windows Server is bad. Git on Windows is bad.

TLDR; Default admin login on WEP encrypted WLAN router for getting free stuff at my hair stylist studio.

Free WLAN in my hair stylist studio: They had their WEP key laying around in the waiting area. Well, I am not very happy with WEP, thought that they never heard of security. Found the default GW address, typed it into my browser and pressed Enter, logged in with admin/1234 and voila, I was root on their ADSL router 😌 Even more annoyed now from such stupidity I decided to tell the manager. All I told him was: You use a default login on your router, you give the WiFi password for free, WEP is very very insecure and can be hacked in seconds, and do you know what criminals will do with your internet access? He really was shocked about that last question, blank horror, got very pale in just one sec. I felt a little bit sorry for my harsh statement, but I think he got the point 😉 Next problem was: he had no clue how to do a proper configuration (he even didn't knew the used ISP username or such things). Telled me that 'his brother' has installed it, and that he will call him as soon as possible. Told him about everything he should reconfigure now, and saw him writing down the stuff on a little post-it.

Well, he then asked me what he can pay me? Told him that I don't want anything, because I would be happy when he changes the security settings and that is pay enough. He still insisted for giving me something, so I agreed on one of a very good and expensive hairwax. Didn't used it once 😁

Some weeks later when I was coming back for another hair cut: Free WLAN, logged in with admin/1234, got access and repeated all I did the last time once more 😎

HOW CAN YOU NOT LEARN FROM FAILS??

Question:

What password manager do you use and why?

What's a good free or cheap password manager that works on Windows and Android?

ChaseBank is getting up my nose. Twice in four business days my account was flagged and I had to change my password for 'security' purposes. I spent the better part of 90 minutes in a futile attempt to find out why, when there's been no suspicious activity on my account, I'm being flagged. My father contacted a branch manager near him who told him to dial the priolrity customer service number and key in the letters (I shit you not) HO HO. I called the number. It's the same damn number I'd been calling. I called the branch. They told me I'd definitely receive a call back last Friday by 1800. No call. So, yesterday I called the manager of that branch, verified its location, told the manager he was supposed to call me by 1800 last Friday, and Chase Corporate would be in touch with him soon to explain that when you tell a customer you'll call them, you'll fucking call them.

Started using a password manager. Never thought life would be so easier.

Btw, I'm using Lastpass (on free trail now). Any better recommendations, friends?

Can we stop that trend of only showing the username field and then show the password field after filling the username clicking next? It messes with my Keepass browser addon.
Apart from that, it messes with human workflow as well. Enter Username -> TAB -> Enter Password -> ENTER. With that stupid UI you have to either focus the next button with Tab and hope hitting Enter does not already submit the login form or switch to mouse and click the Next button.

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

- having enough experience to be called a medior / senior
- finishing my open source password manager api

I deployed one of our staging websites to a free plan because the site is rarely used. Project Manager sends the stakeholders the new url. There will be a lot of 🤦‍♀️🤦‍♂️🤦 all around. Some of it’s my fault. A lot of it is just WTF.

Stakeholder: We still need the staging site because we don’t want to test in the live site…

PM: Okay. We didn’t say we were deleting the site. We are just moving it to a new and better hosting platform, so we’re letting you know the url has changed.

Stakeholder: This url is for the front facing page. How do I access the backend? [they mean the admin interface]

Me: The only thing that’s changed is the url for the staging website. So domain-A/account is now domain-B/account.

I thought that was a pretty straightforward way of explaining things, that even a non technical person would get it. They took the /account example as the literal login url.

Stakeholder: I forgot the password for our admin login and I submitted a password reset, but I realize I don’t know if I have access to the admin email. Or if it’s even a real email account.

WTF

I look back at the email chain and I realize that I gave the PM the wrong url.

Also, WTF x 2. How did this stakeholder not realize they were looking at the wrong website?? There are definitely noticeable style and content differences. And why would you have an admin login that uses a fake email??

Me: My apologies. I sent over the incorrect url. My instructions are mostly the same. All that’s changed is the domain.

Stakeholder’s assistant: [DMs me] How do we access the backend?

WTF…are they seriously playing this game and demanding I type out the url for them?! 🤬 I’m not playing this game and I just copy and paste the example that I already sent over.

They figure it out eventually. Apparently, they never used /account to login before They used /admin/index… but that would still bring them to /account, but with ?redirect=/admin/index appended to the url if they weren’t logged in. Again, WTF.

I know I made mistakes in this whole thing, but damn. I can’t even. I’m pretty sure this whole incident is fueling my boss’s push to stop supporting this particular website anymore so I can focus on sites that actually bring in revenue…and have stakeholders that aren’t looney and condescending like this.

Originally wanted to get a head start on work since gonna be out Monday... And don't want to be distracted while working on it... But UAT db was down.

So spent all morning working on side projects like a password manager because we're not allowed to use keepass...

What password manager do you guys use? Lastpass, 1Password, Dashlane, else? Any suggestions?

Recommendations for a password manager??
Please explain a little bit about why you like it, I wanna make an informed choice before I possibly spend some money on one..

When you your computers graphics card keeps crashing the computer.

I get 7 seconds before it crashes. About 5 are used up from typing in password and loading...
The next 2 seconds involve me trying to type in device into start menu... Next I will type in manager.

I am at the anger level where I am saying audibly "I will destroy you" "Arch is next" "Screw you Intel" "You have failed this city"
Real anger rising! 😠😡👈✂🗡🔪🔪🔫🔫🏹⛏🛢🛠🍺🍸🍹☠☡☢📵❌

My phone suddenly is stuck in a reboot loop.
all solutions did not work (Safemode, Recoverymode etc)

It was time for a new phone.

well... most of my logins have now 2 factor authentication. That got me thinking:

imagine that you lost all your trusted devices in a house fire.
you cannot get in your email because of you need to verify.
you cannot buy stuff online because your phone gets a message.
and in certain cases you cannot even get in your password manager of the same reason.

I know that there are recovery codes and other solutions to this.. oh boy you are F*cked when you don't have your phone.

Everything turned out okay, Sim Card in different phone for messages. And new phone works like a charm :)

I'm trying to upgrade my account passwords etc. keepass (password manager) doesn't generate resizable windows, so when I want to generate a new password or do anything that creates a new window, THE NEW WINDOW IS TOO TALL FOR ME TO SEE WHAT'S AT THE BOTTOM AND THERE'S NOT EVEN THE OPTION TO SCROLL OR ZOOM OUT. YOU'RE OPEN SOURCE AND GIVING ME THIS BULLSHIT? If you were a living creature you'd be a giraffe with short stubby legs. Your missing features mean you don't get the best leaves and leave you dining with the rest of the peasants. At least I can interact with what I CAN see and closing the window prompts me to save changes, and passwords are generated by the rules I can actually see to manipulate.

Maybe I should look into the source or look at others' screenshots to see what I can't and tab into it to make blind changes, but I'm sufficiently happy with the passwords it gives already. I'm just pissed something so well rated has a flaw like that. Like a game where some levels are locked and you can't unlock them through play -_-

2 things
0:considering whats happening with the Linux CoC would it be a good idea to swap back to Manjaro Linux
1:whats a good password manager that's free and can synchronize and perfectible has a desktop program

When to log into an encrypted vm that I set up for finances, and realized I had forgotten my password, to decrypt it. Well after a few min I gave up and wrote a short program with all my sees, and rules for altering the seeds and combinations there of.

Got back a few thousand and plugged it into a macro script and went to do chores for my wife. Came back and was in.

To be honest I check on it somewhere in the middle and thought oh crap did I use my dogs name? I didn't but now I am switching to a password manager.

Heyyy DevRant Fam! It’s definitely been quite awhile since i have posted in this amazing community and I apologise, i’ve been extremely busy with my uni work and just life caught up to me 😅, also as always I really hope everyone is doing very well wherever you may be as always :-).

I’d love to ask you guys a question that has been on my mind for a while now 😊, I’ve been thinking of making my own password manager for a side/fun project. What I’ve been doing is I’ve found a open source project on github and downloaded it , loaded it up and read through some code, from memory the project is called ‘keepass’ and its written in c++!.

I’d love to get some advice from you guys, how do i go about learning and understanding open source code :-)? What is some advice you can give to me? Anyways I’d be very grateful for any piece of advice :D once again as always hope everyone has an amazing Sunday night and long weekend, wherever you may be!.

Thank you for reading my very long post sorry for rambling on 😅.

Kind regards,
Milo ☺️

Manager X: (logs a support ticket) "Agent is unable to access system using the password provided."

Me: "You're going to have to narrow it down a little, we have over 1000 active agents."

I hate the support side of my job...

What password manager/ generators do you suggest?

Also would anyone please clear my possibly misconceptions on the password manager/generators?

I’m that type of guy that only uses few password combinations at different websites.

tl;dr: my account out leaked, I didn’t want to use any password manager because I don’t want to give password to the company. Some do generate complex password for me but if they become defunct I’ll be locked out from those accounts.

A while ago, aptoide got attacked and my password(same as google account) was leaked. I’ll have to thank google for this, google blocking a stranger accessing account using a “less secure app” So now I’ll doing a emergency password changing process to all of my accounts with the password.

I like the whole aspect of the password manager, but I always thought that I shouldn’t give my password to other companies. And I got to use some website long term, if the password management company ever just become defunct, I might lose access to my account forever.

What if...
Someone made a self hosted password manager, where you can put all your secure random passwords in?

Dashlane is the worst password manager to use. I was trying to set up categories and since it does not have a simple selection box change feature I had to grab almost 100 at a time to change. Unfortunately after changing them I realized I had a duplicate and I clicked on that one to delete it. The system was still selecting all 100 (it uses a slightly gray color to show what is selected rather than a clear check box type feature) and it deleted all 100 passwords. It never asked me a question or gave me an undo feature. The interface is very difficult to handle.

Further, to set up a second user and grant them access to a large number of passwords (in this case my wife I wanted to give her access to 128 passwords), you must click them one at a time and then when you set it up they cannot get their own master password. Very cumbersome.

So just now I had to focus on a VM running in virt-manager.. common stuff, yeah. It uses a click of le mouse button to focus in, and Ctrl-Alt-L to release focus. Once focused, the VM is all there is. So focus, unfocus, important!

Except Mate also uses Ctrl-L to lock the screen. Now I actually don't know the password to my laptop. Autologin in lightdm and my management host can access both my account and the root account (while my other laptop uses fingerprint authentication to log in, but this one doesn't have it). Conveniently my laptop can also access the management host, provided a key from my password manager.. it makes more sense when you have a lot of laptops, servers and other such nuggets around. The workstations enter a centralized environment and have access to everything else on the network from there.

Point is, I don't know my password and currently this laptop is the only nugget that can actually get this password out of the password store.. but it was locked. You motherfucker for a lock screen! I ain't gonna restart lightdm, make it autologin again and lose all my work! No no no, we can do better. So I took my phone which can also access the management host, logged in as root on my laptop and just killed mate-screensaver instead. I knew that it was just an overlay after all, providing little "real" security. And I got back in!

Now this shows an important security problem. Lock screens obviously have it.. crash the lock screen somehow, you're in. Because behind that (quite literally) is your account, still logged in. Display managers have it too to some extent, since they run as root and can do autologin because root can switch user to anyone else on the system without authentication. You're not elevating privileges by logging in, you're actually dropping them. Just something to think about.. where are we just adding cosmetic layers and where are we actually solving security problems? But hey, at least it helped this time. Just kill the overlay and bingo bango, we're in!

My Ubuntu VM just work fine for consecutive 217 days without restarting.

Need to change some config
And... I forgot the application access key... Damnit!!!

Lucky, I kept the access key in the password manager. Whew.

I managed to remember some old Bitwarden (password manager service, I remember that linuxxx recommended me this one a looong time ago) credentials, so I logged in. I found an old devRant account - not my first though (I deleted it).

I've been a random lurker all this time (this is the first dev community I've been and I'm not planning to leave it until it dies), and it's good to login just to give my 2 cents.

I love you all. Seriously. I love you all with every single bit of my heart (get it?), impartially. Thanks for existing.

Here's an interrupted "caramelCase posted a new rant!"; it's actually longer but a wild guy ++'d my comment.

p.s: seeing my avatar, I don't use c++ anymore. I've just grew with Python haha

I'm thinking on getting keypass as my password manager, since it's open source, can use csv files and works on a bunch of platforms.
Does anyone has experience with using it or can recommend, in their view, some better solutions?

I recently went to an office to open up a demat account

Manager: so your login and password will be sent to you and then once you login you'll be prompted to change the password

Me: *that's a good idea except that you're sending me the password which could be intercepted* ok

Manager: you'll also be asked to set a security question...

Me: *good step*

Manager: ...which you'll need to answer every time you want to login

Me: *lol what? Maybe that's good but kinda seems unnecessary. Instead you guys could have added two factor authentication* cool

Manager: after every month you'll have to change your password

Me : *nice* that's good

Manager: so what you can do change the password to something and then change it back to what it was. Also to remember it keep it something on your number or some date

Me: what? But why? If you suggest users to change it back to what it was then what is the point of making them change the password in the first place?

Manager: it's so that you don't have to remember so many different passwords

Me: but you don't even need to remember passwords, you can just use softwares like Kaspersky key manager where you can generate a password and use it. Also it's a bad practice if you suggest people who come here to open an account with such methods.

Manager: nothing happens, I'm myself doing that since past several years.

Me: *what a fucking buffoon* no, sir. Trust me that way it gets much easier to get access to your system/account. Also you shouldn't keep your passwords written down like that (there were some password written down on their whiteboard)

Manager: ....ok...so yeah you need sign on these papers and you'll be done

Me:(looking at his face...) Umm..ok

Actually I have two stories

The first one, that one project I talked about with a big company when I was at school. It wasn't that much coding since it was mostly researching, but it was a big project that seems really interesting, with Image Analysis and Machine Learning.
The projects at school this year got drawn randomly for each group, so when I've been announced that I've been chosen for the biggest project, thinking about every side of the project, I was hyped. And even a year after we finished it, I'm still happy and excited about it.

The second is something a little more funny :
So we got some projects to do during December for school including cryptography. Again, those were randomly drawn (but some can really fuck you up) and I got to do a Password Manager, like KeyPass. We were 4, and we thought we had the time to do it.
But we misread the date. At the end of Christmas break, I got a call of a friend saying that the project is due in two days.
Thing is, one of my three co-workers weren't contactable. And we got nothing.
So I kinda took the lead : I said to one to do the UI, another to do the cryptograph helper, and I'll do the linking and all the behaviour of it.

In two days, I literally spent all the time available on it.
Then first meeting with the teacher for saying what is wrong, where bugs are if they exist, ect. so we can fix the issues and deliver a clean code. They were like only 4 big problems. More is, I fixed them all in like two hours while thinking fixing only one. And we got something like the 2nd or the 3rd best mark of the prom. And everyone congratulated me for that. I got so excited I was able to do that in few time.

But never that again lmao

*Email chain forwarded by support team to our dev team*
Hi,
Please assist our customer. He is unable to reset his password!

*Went through the emails turned out that customer is asking for password reset request for legacy website for which we don't work at all*

Scrum master sending another reply to look into the matter on High priority.

We again double checked for the customer but he is not registered on the new website.

Apparently, both scrum master and support team and entire company is aware that our team is not working for legacy website.
But No one reads the email properly and keep forwarding to dev team disturbing the entire team.

Some times things like this are done by product manager and her associate, but they keep replying to each other on unnecessary things till they come to conclusion and scrum master try hard to keep up with them with his own agile disciplines.

Hey does anyone know a good open source password manager? Sorry for the interruption. Keep on ranting.

Hi everyone,

One question is constantly popping in my head and I keep fighting to figure out how to answer.

So here it is:
Are you for or agains a password manager to store all your passwords?

P.S.
I am using a paid password manager, but keep asking myself is it really worth it, and am I compromising all my passwords if someone is willing to spend some time and hack my vaults. On the other hand the convenience and benefit of having all passwords in one place and also using different strong passwords for each of my accounts protects me from a weak security implementation on any third party service I use, because I am not re-using the same password everywhere.

!rant
Anyone interested in testing a password manager?

I want to rewrite one of my projects (a password manager) from Go to Kotlin or Python.
Which one of the 2 should I choose?
I know nearly nothing about both.

ESSO Password Manager.
Prepare to cry after ESSO inputs your password in the username-field instead of the password-field the third time while your colleagues are watching...

I really should start using a password manager but I have no idea what one to choose, anyone have any input?

I'm thinking 1Password at the moment

I forgot my last pass password.
Me to my brain : You had one job!

After falling down the Manjaro hole for months I yesterday decided to leave Manjaro for Pop!_OS. I lose a bit of performance and battery life, I gain a ton of UI polish, I gain a lot of package support, and I lose some hard earned nerd points.

My NAS has an easy to install Debian tool for file sync. I can use Etcher for making bootable USB/SD for my raspberry pi. Firefox is the default browser and I can use all my plugins and password manager out of the box. Apt is easier to use than pacman. Easier Python development setup. Docs are more often written for Debian. (For some reason I spent hours trying to get powerline and oh-my-zsh working right in manjaro’s xfce terminal before giving up.)

You know what's worse than having to come up with a new password every time you create an account? Forgetting your password every time you try to log in!

I swear, it's like my brain has a selective memory when it comes to passwords. I can remember every lyric to a song from 10 years ago, but I can't remember the password I created yesterday.

And don't even get me started on password manager software. You would think that having all of your passwords stored in one place would make things easier, but nope. I've forgotten my password for my password manager so many times that I'm starting to think I need a password manager for my password manager.

But seriously, why do we even need passwords in the first place? Why isn’t there an easier one stone kills all solution to all these password authentication nonsense?

I could remember when it was all letters, then forced to use letters + numbers…

then later forced to include symbols…

and then forced to make it lengthier…

and then solve puzzles after getting it right…

and after all the stress now we are forced to find nemo from a set of images.

I thought the misery would end there but nope. Now some platform forces 2FA like dude seriously?

For God’s sake we built self driving cars already! Why can’t one just exist without a password? Why do we always end up in a password cycle?

And please don’t say shit about oauth because if your password master (i.e: google) fucks you in the ass then all your oauth accounts are gone for good!

I'm currently having an existential crisis about the meaning of passwords in our modern society. Shit is crazy when I ponder about it I get worried.

Adding noip.com to the list of services that accept more passwords for signup than for logging in. Damnit how does software even get to that point. Isn't it, like, more effort to get this wrong than to get it right?

The name of today is Murphy.

So, the LAN at location A can't reach the one at location B. Turns out that something yet unknown is blowing fuses at location A, but after disconnecting a ton of unknowns, the router and a radio link station are up again. Yay Internet, but still no VPN connection to location B.

Needing the passwords for the OpenVPN servers, I notice that encfs4win refuses to mount the drive where the password manager files reside. Of course, any problem must have the company of other problems. Eventually, the encfs drive mounts on another computer.

So, I can access the OpenVPN computer running the client side and check the logs, which tell me that network B is unreachable.

Both networks and an encfs setup all die at the same time? Right, Murphy, what are you going to come up with next? No, don't tell me because I just got read errors from a hard drive.

So I just got the cyber security pack on humblebundle... $15 for a year of PIA, a year of spider oak one cloud backups and a year of Dashlane are the notable ones (I’ll give away the antivirus ones for free since I don’t have windows).

But that wasn’t the awesomest part...

I installed Dashlane and after transferring all my stuff over from LastPass, I went to delete my LastPass

Dashlane autofilled the username...

It’s like so subtly aggressive in an unintentional way. Honestly this password manager Battle Royale is totally worth the $15 regardless.

TLDR: I wanted to change email to new one, but I could not remember which one I have
currently. I found out an API in DevRant JS files for email verification and used
it to find it out.

So, I am moving from Gmail to Protonmail Pro, absolutely love their service.
I wanted to do same on Devrant but I could not figure out my current mail for
"I lost my password" form. My Password Manager have only login saved, and profile does
not show email address.

I thought that this user information is stored on server so it have to be some way to retrieve it. I dug
in source code and I've found:

`<div class="signup-title">Verify Your Email</div>`

Which has event assigned to function which uses jQuery.ajax (love it btw :D) to call:

`url: "/api/users/me/resend-confirm",`

This seems like worth a shot. Few copy-pastes and one ajax call later:

*Ding*

From: support@devrant.io
To: dawid@dawidgoslawski.pl
"Welcome to Devrant"

Got it :) So I have already changed in march when DevRant on previous layout.

This is what I love in this profession - problem solving. AI will not replace human
in any way, we will just stop coding array iterations and data manipulation - we will focus
on real problem solving and human touch (like design, convincing management for changes).

After two years of being in (metaphorical) jail, I once again was given the a privilege of unlocking and rooting my phone. Damn. Frick Huawei, never coming back to that experience.

I gotta say, rooting... Feels a tad less accessible nowadays than when I last practiced it. All this boot image backup, patch, copy, reflash is crying to be automised, only reason I can think of why that changed and magisk can no longer patch itself into the phone's initrd is that it's somehow locked? Was it a security concern? Or can sideloaded twrp no longer do that?

Oh, and the war... The war never changes, only exploits do - fruck safety net... Good for Google that they now have an *almost* unfoolable solution (almost). The new hardware-based check is annoying af, but luckily, can still be forced to downgrade back to the old basic check that can be fooled... Still, am I the only one who feels Google is kinda weird? On one hand, they support unlocking of their own brand of phones, but then they continuously try to come up with frameworks to make life with a rooted or unlocked phone more annoying...

On the other hand, I do like having my data encrypted in a way that even sideloading twrp doesn't give full access to all my stuff, including password manager cache...

Any recommendations what to install? I do love the basic tools like adaway (rip ads), greenify (yay battery life!), viper4android (More music out of my music!) and quite honestly even lucky patcher for apps where the dev studio practices disgust me and don't make me want to support them...

Best password manager?

Why do companies wrap up everything simple fucking operation with "Machine Learning."

What is the fucking purpose of ML to a Password Manager? What's the mystery of suggesting password based on TLD match?

"Congratulation, you now have ML to auto-fill your password" WTF, how was it working before the update?

Sick.

So my friends laptop had a long crack on his screen from mid left of the screen, squiggle around to bottom left. Every time he boots to the login screen, he struggles to enter his password. Because the crack affected the laptop's touchscreen, it's not emitting a touch event at the bottom left of the screen every time. He did finally managed to get the password in afterwards, and struggled to get to device manager and disabled the touchscreen driver, then later uninstalled it.

TLDR; had a hard time using his laptop because it was touching itself.

What password manager do you use?

I need a password manager lol

Any suggestions? Paid is ok, as long as it's nothing ridiculously expensive

Is it legal that the day you're out for license, the project manager change your password and enter your email?

"Oh, don't use Google Password Manager. It's not safe. Use something else. [Paid]"

* proceeds in using it anyway. I don't care. I trust Google.

Ever forgot the root password of your remote server, my manager did. Now we can't run our applications because they need root/administrative privilege. 😂

How is it possible my netflix password got hacked when I never used it anywhere else and it's randomly generated? I saw some weird logins with random subtitles. Google password manager told me it's in some data breach, how do I find out from where? Haveibeenpwned didn't find anything. 😐

I have 2FA enabled on NPM so it would shut up about it, the recovery codes are in my password manager, right next to my secure randomly generated password.

Password authentication is fucking stupid.

Would it be clever to use a password manager with randomized passwords and also store them in chrome's password vault?

I mean it's less secure, yes, but should something bad really happen I can just change the password and this would be a good upgrade in terms of user experience

What do you guys think?

So, I’ve been given the task of sorting the security out in an application plugging the holes and whatnot as to be honest it’s shocking haha. It doesn’t help that we automate security audits but that’s a different rant for another day.

We’re using devise for authentication (rails standard, ♥️ devise), we have no password resets through the login page, it has to be manually reset by ringing support, why who knows, even though it’s built into the gem and we allow the user to login using an username instead of an email because for whatever reason someone thought it was a bright idea to not have the email field mandatory.

So I hop onto a call with the BAs, basically I go that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes.

“I don’t think this will be very secure”

Wait.. what. Have you never reset a password before? It’s following the same protocol as every other app.

We go back and fourth and I said I’ll get it checked with security just to keep him happy.

The issue mainly is well we can’t implement password resets due to 100s of users not having an email on there account.. 🙃 so before we push this change we need to try and notice all users to set a unique email.

Updated the tickets. All dandy.

Looking at the PRs to see what security things have been done if any and turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present and yep it got merged. So I go revert the change but talk about taking a “we don’t care about security approach”.

Eventually we want to have the user reset their passwords and login using their email and someone goes a head and does that. Not to mention the security risk.

Jesus Christ I wonder why I bother sometimes.

Best password manager?

Cross-platform open-source & free password manager.

Description:

Cross-platform mobile/desktop password manager application. No backend needed, private data will be encrypted and stored in Google Drive/One Drive/Dropbox etc...

I've used multiple applications over the years but they pricey (especially if you switch platforms) and most of them don't have full cross-platform support.

Also, I've made a POC app with Ionic a while ago, but I didn't like the hybrid app feel.

Tech stack:
Js/React Native

We should find a way to replace passwords: any password manager which I tried is inaccurate in identifying login forms and is too hard to use for non technical people older than 40 and convince people to not use some stupid name + birth year combination as their passwords is a frustrating uphill battle.

Currently it's hard to tell in some financial apps if log it means finish my current session or completely remove me from the app.

So at my school, the first 10 minutes of school is like when we can do whatever we want. Earlier in the morning i had been making a nodejs password manager thing just so i could try some things out. It also used bash so i could make it like a cli. I was debugging because my database viewer said that the table was empty but for whatever reason it still worked when i put things in it. So i had the db viewer open and terminal open and the teacher comes along."Woah are you like hacking a server" he said. Everybody around me started staring at me. I told him no im not. A couple minutes later he comes around again. The db viewer was closed and i was just in terminal trying to see if some changes worked. He said "Is this like the matrix or something???". I remembered i had a cmatrix package thing installed. I ran it. W O A H everybody around we was like. Luckily most people knew that
1. It wasnt hacking
2. I dont do hacking
3. I was doing it as a joke.
Although he must of been thinking that i was like a hardcore hacker in his class. Was weird and funny.

I'm doing a thing that I *think* will save time, but it's weighing the time saved in having to maintain the secure password against having to convince my manager that using a random string in an ansible deployment for a database is fine because everything that connects to it is in the same stack... What could go wrong?

What password manager do you use? and for what purpose?

Not super ranty but what I’m interested in how passwords are managed in your organisation?

I feel dirty receiving passwords through slack and having a spreadsheet on a shared drive seems like madness.

I’ve worked at organisations before that have a single login to a password manager. However theoretically I still have access to that as no one would have changed the password.

Organisational password manager softwares are really expensive!

Guys, I'm looking for password manager (for android and desktop), any suggestions?

I’m working on a new app I’m pretty excited about.

I’m taking a slightly novel (maybe 🥲) approach to an offline password manager. I’m not saying that online password managers are unreliable, I’m just saying the idea of giving a corporation all of my passwords gives me goosebumps.

Originally, I was going to make a simple “file encrypted via password” sort of thing just to get the job done. But I’ve decided to put some elbow grease into it, actually.

The elephant in the room is what happens if you forget your password? If you use the password as the encryption key, you’re boned. Nothing you can do except set up a brute-forcer and hope your CPU is stronger than your password was.

Not to mention, if you want to change your password, the entire data file will need to be re-encrypted. Not a bad thing in reality, but definitely kinda annoying.

So actually, I came up with a design that allows you to use security questions in addition to a password.

But as I was trying to come up with “good” security questions, I realized there is virtually no such thing. 99% of security question answers are one or two words long and come from data sets that have relatively small pools of answers. The name of your first crush? That’s easy, just try every common name in your country. Same thing with pet names. Ice cream flavors. Favorite fruits. Childhood cartoons. These all have data sets in the thousands at most. An old XP machine could run through all the permutations over lunch.

So instead I’ve come up with these ideas. In order from least good to most good:

1) [thinking to remove this] You can remove the question from the security question. It’s your responsibility to remember it and it displays only as “Question #1”. Maybe you can write it down or something.

2) there are 5 questions and you need to get 4 of them right. This does increase the possible permutations, but still does little against questions with simple answers. Plus, it could almost be easier to remember your password at this point.

All this made me think “why try to fix a broken system when you can improve a working system”

So instead,

3) I’ve branded my passwords as “passphrases” instead. This is because instead of a single, short, complex word, my program encourages entire sentences. Since the ability to brute force a password decreases exponentially as length increases, and it is easier to remember a phrase rather than a complicated amalgamation or letters number and symbols, a passphrase should be preferred. Sprinkling in the occasional symbol to prevent dictionary attacks will make them totally uncrackable.

In addition? You can have an unlimited number of passphrases. Forgot one? No biggie. Use your backup passphrases, then remind yourself what your original passphrase was after you log in.

All this accomplished on a system that runs entirely locally is, in my opinion, interesting. Probably it has been done before, and almost certainly it has been done better than what I will be able to make, but I’m happy I was able to think up a design I am proud of.

is it possible to find a password/note manager that is also:
has a user and permission manager;
free/open source;
local (lan only, no cloud);
web based (local web server);
encrypted;
secure;
????

Dashlane password manager is my workflow nemesis. I have dozens of sites to manage and my only way into them is through this buggy and unreliable crap software. So much time is lost having to delete an entry that inexplicably stopped working, then waiting for someone with share permissions to reshare it, only to find that it still isn’t working, another reshare and then it suddenly does work. But then the Chrome extension won’t sync unless I log out and log back in. And then I have multiple entries for the same site with no clear indicator of why nor which one is the real one that actually works.

Can’t get rid of it because the company has standardized on it. Not my decision to make.

Dashlane sucks. It’s the absolute worst password manager ever. Not a day goes by when it tries to log me into a site incorrectly, forgets a password, freezes up, etc. Yesterday I attempted to very carefully change the master password and it locked me out with the new password. Had to reset using the revoke process and it sent me back 6 months in time. Now I have to reconstruct all my logins a day before I go on vacation. I’m stuck with it because my employer reviewed LastPass and decided Dashlane had a few features LastPass didn’t that they really need. Seriously, SCREW DASHLANE!!

"USE A PASSWORD MANAGER"

Actually I do use a password manager, but still passwords for 90% of accounts are same. I don't like going to password manager and looking for a password everytime I want to use a website.

But I gotta change this habit.

I understand the desire to self host repos. I get it. I really do. But this is the 14th self hosted gitlab account I've had to set up. =/ My password manager will start complaining to me soon.

When any rants I write, I need to put in my Password managers' "Secure Note" section because I can't post here for them becoming public.

Pfrtt! xD

Its been awhile since I opened up my Server VM to play around with. Until when I had to login to my DB VMs, I forgot the password. And forgot to save them into my password manager. Whelp, perfect for me to go back to square 1.

Is it really good OpSec to log me out of outlook every hour when the password manager lets me automatically log back in?

Can anyone recommend a good password manager that is 'in the cloud', can be used on my mobile and makes life easy for logging into apps on my phone that aren't logged in via a browser. Ideally something free but I'm willing to pay for something that is worth it

We have a prgram at the office that requires me to turn off everyone's antivirus for it to work properly. This has been the case for 2 months while tye software company fixes it. When our computers restart for any reason, the antivirus turns back so I have to turn it off again. I can't give peple the password though because that is the password for a few systems. I get 4 emails today from 4 people that know damn well what the problem is that all say the same thing "I cant figure out why this program wont work. We need to get this fixed or I cant do my job" all with the branch manager CC'd.

Idiots. All of them are damn idiots. 😐🔫

Hi guys, what do you think about Bitwarden as a cloud password manager? do you use it?

Why is the 1password login process so shitty? You need 4 different inputs, and every time you login it forces you to download the same PDF you have saved 10 times. there's no skip option, and it doesn't memorize that you have already freaking downloaded it.
on top of that, my company has restricted the accounts to not reset their password on their own. How the hell this helps a company? Why this option even exist?
I mean I have to DM my manager: Sorry dude, I'm so clumsy that I have accidentally deleted my password, can you initiate a reset password process so I can have access to 1password?

I've been working here for a little under a month keep hearing about them not remembering passwords, or not being able to access something due to a rarely used forgotten password, so I decided to Set up a shared password manager for the team using keepass and a generic intranet setup, pulled a password csv from one random on the floor person's chrome to start with. Turns out they ALL sync data from the owners account, and the owners saved passwords include HER payroll login info, and the accounts for ebay, amazon, etsy, basically anywhere you can buy anything....
yeah I think this is gonna need to be a conversation with her soon.

I have Avira Password Manager and for 3 days now I can't access it because they send a verification code to the phone but that code was never received... FUCK YOU AVIRA

Do you trust Avira Password Manager for saving passwords ?

I'd appreciate some viewpoints on this one. I've been wanting to use a password manager. LastPass or 1Password?