> installs devRant app on my iPhone
> too lazy to type my 18-char random password on mobile
> password manager app not on App Store yet
> dig up my old Macbook
> install XCode & homebrew package manager
> install 2 other package managers using homebrew
> install App deps from the 2 package managers
> query stackoverflow for why my deps fail to install
> open App in XCode
> setup Apple provisioning profile
> trust my certificate on my iPhone
> dig up an old router & setup a local WiFi network
> start a server on my laptop to serve my PGP keys
> download my PGP keys to my iPhone
> app crashes
> open an issue on github with steps to reproduce & stacktrace
...
> type my 18-char random password
> rant on how I wasted an entire afternoon

Guy: I don't trust password managers
Me: so how do you remember passwords?
Guy: oh, I just keep them in a note in the iPhone notes app/iCloud.

Disabling pasting into a password field in 2020 with password managers, is retarded. That's it that's the rant. Doesn't matter if you think password managers are good or not. Its still retarded that there's a 40 something year old dumbfuck manager who told a web designer at EA to disable pasting into a fucking password field because he was dumb enough to think it stopped hackers or some shit like that.

Part of the new hire process was all salaried employees had to work all hourly position jobs for a day (over a several week period, not all in one day) to really understand what we do.

I once hazed a new network admin who was working in the call center and I sent his station a pop-up message:
“Ha! Fire me will you!! I planted this virus and if you don’t enter the password in 60 seconds I will erase the database.” The pop-up had a counter counting down from 60.

This was over the lunch hour, so all the supervisors and managers were away and ‘Mark’ in a panic ran into our office (I was hiding under my desk)

Mark: GUYS!!...GUYS!!!....OMG!….Where the frack is everybody?!!!”

He runs out.

I peek out the door window and about a second later he’s running down the hall with one of the vice presidents. Mark shows the VP the message, VP looks over at our office, sees me…laughs and walks back to his office (not saying much to Mark).

Mark not knowing what’s going on watches the counter…3...2…1….
”Just kidding. Welcome to the company!”

Ahhh…the repeated sounds of “You son of a -bleep-!!” never sounded so sweet.

Insecure... My laptop disk is encrypted, but I'm using a fairly weak password. 🤔

Oh, you mean psychological.

Working at a startup in crisis time. Might lose my job if the company goes under.

I'm a Tech lead, Senior Backender, DB admin, Debugger, Solutions Architect, PR reviewer.

In practice, that means zero portfolio. Truth be told, I can sniff out issues with your code, but can't code features for shit. I really just don't have the patience to actually BUILD things.

I'm pretty much the town fool who angrily yells at managers for being dumb, rolls his eyes when he finds hacky code, then disappears into his cave to repair and refactor the mess other people made.

I totally suck at interviews, unless the interviewer really loves comparing Haskell's & Rust's type systems, or something equally useless.

I'm grumpy, hedonistic and brutally straight forward. Some coworkers call me "refreshing" and "direct but reasonable", others "barely tolerable" or even "fundamentally unlikable".

I'm not sure if they actually mean it, or are just messing with me, but by noon I'm either too deep into code, or too much under influence of cognac & LSD, wearing too little clothing, having interesting conversations WITH instead of AT the coffee machine, to still care about what other humans think.

There have been moments where I coded for 72 hours straight to fix a severe issue, and I would take a bullet to save this company from going under... But there have also been days where I called my boss a "A malicious tumor, slowly infecting all departments and draining the life out of the company with his cancerous ideas" — to his face.

I count myself lucky to still have a very well paying job, where many others are struggling to pay bills or have lost their income completely.

But I realize I'm really not that easy to work with... Over time, I've recruited a team of compatible psychopaths and misfits, from a Ukranian ex-military explosives expert & brilliant DB admin to a Nigerian crossfitting gay autist devops weeb, to a tiny alcoholic French machine learning fanatic, to the paranoid "how much keef is there in my beard" architecture lead who is convinced covid-19 is linked to the disappearance of MH370 and looks like he bathes in pig manure.

So... I would really hate to ever have to look for a new employer.

I would really hate to ever lose my protective human meat shield... I mean, my "team".

I feel like, despite having worked to get my Karma deep into the red by calling people all kinds of rude things, things are really quite sweet for me.

I'm fucking terrified that this peak could be temporary, that there's a giant ravine waiting for me, to remind me that life is a ruthless bitch and that all the good things were totally undeserved.

Ah well, might as well stay in character...

*taunts fate with a raised middlefinger*

Dev gets hold of me, says my service is down in QA. Works if he hits it locally, works via Postman, but via the QA app server it gives a 401.

I’m like, look, if it works everywhere else, there’s something wrong on your side in QA.

He insists, no, I must help him, and begins CCing all the managers telling them this system has been down for days.

So I eventually climb into his system, check the credentials they’re using in the QA environment, and sure enough, the password is wrong.

Girlfriend: There are so many passwords to remember, man. What's my amazon password, baby?

Me: Just use a password manager?

Girlfriend: That sort of thing exists?

Tesco.com, you deep pool of creamy baby shit. I've tried to reset my password three times already. My new password has way more entropy than your mathematically impaired rules command, but apparently using password managers is bad practice. It should be about having at least one special character, not EXACTLY one. I've got lots of uppercase characters, not PRECISELY one.

Wow, I'm going to have a hard time remembering this one.

IT have changed after so many years the password criteria for our machines, to the point it's a bit ridiculous.

Like I'm all for securing your accounts and using random passwords but, this is rough.

Minimum of 14 chars
Not the past 6 passwords
Must contain several %}*]=[^{
Must contains numbers
Must contain upper case letters
Must contain Lower case letters
Must not end in a number
Must sacrifice a virgin on every login
Must be changed every 30 days

One day, I spoke to my team which yubi or nitro key to get.

Senior (s) : but what do you need it for?
Me (m) : for encryption. And securing our password managers. Stuff, I guess.
S : encryption is not gonna be a thing. It hasn't and it won't.
M : *leaves*

I've been so baffled I couldn't cope with the situation.
A few weeks later I left the company. There were too many of such people and those products.

Just submitted my first app to the Microsoft Store 🎉🎉

It's a simple offline password manager that also accepts other formats of data such as credit card and personal info.

Made it using WinUI 3. To prevent you from forgetting your master password, each "locker" accepts an unlimited number of passwords. If you forgot one, you can just use a different one. This is my idea to make offline password managers a little less of a hassle.

Can't wait for approval from the store!

Security lifehacks 101

Why pay for password managers? Just use one secure password for every service you use! Password managers are really designed for fools who don’t know that you can just use one password for every service and who are ready to pay for that shit.

The best practice is to use your name starting with a capital letter + your main credit card number + CVC code from the back of that card as your go-to password. It’s long and hard to bruteforce and you can remember everything that way! You just need to remember that one password and you’ll always remember your payment info! No need for apple’s bad Apple Pay which is not so secure after all like everything else that Apple offers.

I think I want to quit.

I know it’s a bit of an inconvenient time with there being corona around but everything was okay up till January. I’m a junior even though I shouldn’t be. Since my manager told me and my team leader senior in my review “maybe you two should switch jobs” things have been going downhill. I think the team lead had it out for me and didn’t put me on a new project, I’ve been left with doing stupid basic shit like updating text on websites in a cms and doing fuck all and then there’s also another guy that was basically harassing me trying to put me in my place any time I was doing better than him and literally both of them been like that ... and now that I’m working from home it’s even worse. I don’t have any kind of assurance that everything okay and actually I think I’m being framed as welll since I found keyloggers on my work laptop and deleted cleaned shit up the past two weeks and changed my WiFi security as there were like 5 unknown devices on our network so yeah .. I’ve been framed and they made it out like I put a powershell script on one of the servers and it crashed a Porsche website for 8 h and all kinds of bullshit - this was yday. On Tuesday they logged me out of everything like changed the password for work vpn and kicked me out of slack and Microsoft teams for over 2 hours till the end of shift and two managers weren’t answering their phone and then next day my manager called and apologised that saying that he “accidentally” did that to me along with 15 people they let go from the company....

I’m seriously thinking of quitting being removed from team group for a moment , not being on a project and people literally trying to put me down after I know I’m genuinely smarter than them and if I had over 10 years experience like those on my team (I have 1) I’d be far higher up and better

They can genuinely just go fuck themseves !!!! And here I was going to work over weekend on something! No fucking way I just wanna quit or give in my notice but because of corona I’m divided

In a world of password managers that can generate complex passwords of any length, please for the love of God include why my chosen password was rejected.

Don't decide to truncate the password without informing the user because, and this is key, they won't be able to use your service.
Looking at you GoDaddy.

I think I'm having a "return to monkey" phase.
What the fuck are we doing?

Free VPN's, free cloud storage, smartphones and stupid telemetry/uSaGE aNaLYtiCs, password managers, social media, content farms, cheap wifi enabled smart home and 'intelligent' cars.

I'm starting to hate it all.

Look at how many people (including myself, sadly) is glued to their fucking datahoarding multimedia shitdevices (known as 'smartphones'). While sitting in a room filled with every fucking small appliance that needs an app, wifi and phones home to who the fuck knows.
Even my fucking dishwasher has an app and wifi enabled so I can start the dishwasher outside the wifi network.

How the fuck did we get here?

Sharing your password with your coleagues is like sharing your underwear or your GF with them. It's not right and unless you're into some weird fetish you won't really want them back...

I've been asked to help in my previous project and I'm fairly certain my credentials are expired/locked/forgotten there. Guess whose managers will be encouraging sharing current dev's on that project passwords...

I've been informed that through some level of recognition and certification, today is "Password Day," seemingly in an attempt to encourage people to have strong passwords. I will do my part and say that if you're not using a password manager, you have missed out on years of your life.

People, even on devrant, are complaining about having to change their Twitter passwords. A major security event is not the only occasion to change your password (for anything).

You should change your passwords for everything regularly. Like, once every month or two.

This is why password managers are brilliant.

Very eventful day, please see enclosed several smaller rants.

===================

My college's systems are shit and not only do they use HTTP for everything, even the stores and financial aid purchase system, they have homebrew JS shit for PGP site encryption (nifty...), but they exchange the PRIVATE KEYS instead of the public keys. Over HTTP. Not even HTTPS. Also if you log in more than 10 times in 24 hours it's supposed to lock you out of your account until you call... except it locks EVERYONE out. Found this out when on campus, trying to get my textbooks, when suddenly everyone had login lockouts because i'm a "paranoid bastard" and "afraid of idiot college students" for not telling a PUBLIC PC to remember the one password (enforced by password auto-sync across all their shit, not ideal, no) guarding my SUPER-SENSITIVE FINANCIAL AND ACADEMIC DATA... among the other hundreds of issues this college has. I now see why this college is the only one I can afford...

===================

Can't pass-through raw DVD drive access to VMs as VM managers crash when I try (yes, even QEMU...) so i've gotta install Windows on a shitty 80GB laptop HDD for literally one quick project. On the bright side, if my theory proves correct, you'll no longer need modchips for PS2s.

===================

Found a couple odd lines in my xscreensaver config:

GetViewPortIsFullOfLies:False
nice: 10
pointerHysteresis: 10

the first 2 I can't seem to figure out what do, and the last taught me a new word. Fun!

===================

that's it, it's over, why are you still here

More emarassing than frustrating..But I was applying to a couple internal positions recently and decided to bring in a sample package to demonstrate some of what I had been working on in my current team. They seemed to like the example and the interview seemed to go well...A couple hours later one of the managers came by my cubicle and asked "is that the real password?" and pointed to a line in the code. Sure enough, I had left a plain text password in the script I had just handed out to 10 panelists at 2 interviews..proceeded to collect the packets back. In the future I'll be paying closer attention to what I include lol.

Still frustrated we keep the passwords in the script though >.> any suggestions for better storage of passwords and the like in Perl scripts?

When I was a high school, I did an internship at IT department for a local "center for student guidance".

The IT department consisted of one guy that started to automate everything the first year he worked there. He ended up being low on work and got flak from people above him for not working enough. He threw all his scripts away and the bosses/managers were happy he worked more... But his work was of course slower with more mistakes.

Also, he had an excel sheet of everyone username + password. The excel file was secured with a password. When he went to the coffee machine, he never locked his computer nor the spreadsheet.

Oh for crying out loud, people, stop making apps that clear your clipboard when you close them!

So just now I had to focus on a VM running in virt-manager.. common stuff, yeah. It uses a click of le mouse button to focus in, and Ctrl-Alt-L to release focus. Once focused, the VM is all there is. So focus, unfocus, important!

Except Mate also uses Ctrl-L to lock the screen. Now I actually don't know the password to my laptop. Autologin in lightdm and my management host can access both my account and the root account (while my other laptop uses fingerprint authentication to log in, but this one doesn't have it). Conveniently my laptop can also access the management host, provided a key from my password manager.. it makes more sense when you have a lot of laptops, servers and other such nuggets around. The workstations enter a centralized environment and have access to everything else on the network from there.

Point is, I don't know my password and currently this laptop is the only nugget that can actually get this password out of the password store.. but it was locked. You motherfucker for a lock screen! I ain't gonna restart lightdm, make it autologin again and lose all my work! No no no, we can do better. So I took my phone which can also access the management host, logged in as root on my laptop and just killed mate-screensaver instead. I knew that it was just an overlay after all, providing little "real" security. And I got back in!

Now this shows an important security problem. Lock screens obviously have it.. crash the lock screen somehow, you're in. Because behind that (quite literally) is your account, still logged in. Display managers have it too to some extent, since they run as root and can do autologin because root can switch user to anyone else on the system without authentication. You're not elevating privileges by logging in, you're actually dropping them. Just something to think about.. where are we just adding cosmetic layers and where are we actually solving security problems? But hey, at least it helped this time. Just kill the overlay and bingo bango, we're in!

So I still have my very first email account, a hotmail account as a secondary, kinda spam account.

i signed up around 2000 i guess.

someone tried to get in, i got loads of mails of failed login attempts so i wanned to go and change my pw. But because of that bastard i cant login with just pw anymore, i need my phone. THAT ACCOUNT IS 20 FUCKING YEARS OLD. I never even provided a phone.
spent the last 20 minutes providing personal details to microsoft which are probably not the ones i used for signing up anyway.

you know how careful we were whem signing up for something online back them? I probably signed up as Thomas anderson from zion...

anyway, done now and bow it will take 24h for them to review it..

all of this only to reset my forgotten pw for my epic games account for with i signed up with that mail..,

holy guacamole.. I should start to trust password managers...

I really should start using a password manager but I have no idea what one to choose, anyone have any input?

I'm thinking 1Password at the moment

“httpOnly cookies prevent XSS attacks”… wow.
As if not being able to get your cookies is going to stop me from doing bad things.

When I'm in via XSS, it's over. I'm changing the page content to your sign-in form with “please sign in again” notice, but it sends email/password straight to me. What percentage of users is going to enter their data? What do you think? With password managers prefilling data, and the annoyance being one “enter” hit away, I think a lot of users will fall for that. No one, including you, will be able to tell the difference without devTools.
You can rotate the session token, but good luck rotating the user's password.

Oh, did I tell you I could register a service worker using XSS that will be running in background FOREVER?

But don't listen to me. Don't think. Just use httpOnly and hope for the best. After all, your favorite dev youtuber said they could protect you from XSS.

Our crm forces a password reset once a month.

One of our managers logs into the crm once a month.

Even though there's a very visible link and simple password reset method, he still manages to lock himself out every time. I have to log in and reset it for him.

This guy grew up with the Internet. How is this possible?

What password manager do you use?

Okay I got a genius/exceptionally stupid idea.
Some of you may know Xi. If not, it's an, in development, text editor backend, written in Rust.
It does all the heavy lifting and communicates changes with the Frontend over an rpc-api, typically on stdin/stdout.

Now, why don't we do this, but for other kinds of applications, that have been reinvented a million times, because a feature is missing or the ui has been shit.
Cross-Platform backends for file-managers, web browsers, password managers, media players,...

When any rants I write, I need to put in my Password managers' "Secure Note" section because I can't post here for them becoming public.

Pfrtt! xD

I’m working on a new app I’m pretty excited about.

I’m taking a slightly novel (maybe 🥲) approach to an offline password manager. I’m not saying that online password managers are unreliable, I’m just saying the idea of giving a corporation all of my passwords gives me goosebumps.

Originally, I was going to make a simple “file encrypted via password” sort of thing just to get the job done. But I’ve decided to put some elbow grease into it, actually.

The elephant in the room is what happens if you forget your password? If you use the password as the encryption key, you’re boned. Nothing you can do except set up a brute-forcer and hope your CPU is stronger than your password was.

Not to mention, if you want to change your password, the entire data file will need to be re-encrypted. Not a bad thing in reality, but definitely kinda annoying.

So actually, I came up with a design that allows you to use security questions in addition to a password.

But as I was trying to come up with “good” security questions, I realized there is virtually no such thing. 99% of security question answers are one or two words long and come from data sets that have relatively small pools of answers. The name of your first crush? That’s easy, just try every common name in your country. Same thing with pet names. Ice cream flavors. Favorite fruits. Childhood cartoons. These all have data sets in the thousands at most. An old XP machine could run through all the permutations over lunch.

So instead I’ve come up with these ideas. In order from least good to most good:

1) [thinking to remove this] You can remove the question from the security question. It’s your responsibility to remember it and it displays only as “Question #1”. Maybe you can write it down or something.

2) there are 5 questions and you need to get 4 of them right. This does increase the possible permutations, but still does little against questions with simple answers. Plus, it could almost be easier to remember your password at this point.

All this made me think “why try to fix a broken system when you can improve a working system”

So instead,

3) I’ve branded my passwords as “passphrases” instead. This is because instead of a single, short, complex word, my program encourages entire sentences. Since the ability to brute force a password decreases exponentially as length increases, and it is easier to remember a phrase rather than a complicated amalgamation or letters number and symbols, a passphrase should be preferred. Sprinkling in the occasional symbol to prevent dictionary attacks will make them totally uncrackable.

In addition? You can have an unlimited number of passphrases. Forgot one? No biggie. Use your backup passphrases, then remind yourself what your original passphrase was after you log in.

All this accomplished on a system that runs entirely locally is, in my opinion, interesting. Probably it has been done before, and almost certainly it has been done better than what I will be able to make, but I’m happy I was able to think up a design I am proud of.

You know what really grinds my gears? Products that have no right of linking your data to an online platform.

Case and point: Password Managers. Nearly all of them work only with an account on a given service, have the passwords stored on their servers and so on and so forth. There is 0 transparency and for that matter 0 security. I found my choice, though it infuriates me terribly.

Another thing are budget managers. The switch for YNAB from local to on servers really annoys me. They should have no business in storing my very private data on their server. I don't understand people using it either.