Friend: "No need to hash the passwords. It's a waste of time."

Later that day...
Me: "I always suspected you had a thing for Rose."

Friend: "What, where did you hear that ?"

Me: "I hacked into your MySQL database. Your password is 'il0verose'."

Friend: "How do I hash passwords again ?"

When a website uses https but stores passwords in plain text...

The power of passwords!!!1

Me Visiting a new location...

*Device found a new wi-fi signal:
worldsMostSecureRouter

*Enter password:
worldsMostSecureRouter123

*Authorizing...
*Obtaining IP address
*Connected

My LastPass master password..

Using Base64 "encryption" to store credit card numbers and passwords

1. Forgot my password.
2. Clicked "Forgot" password button.
3. Received my forgotten password as plain text in my email

Everybody complains about SHA-1.
I'm so glad that I store passwords in plain text.

;-)

Creating a new account is always fun...

"This Is My Secure Password" <-- Sorry, no spaces allowed.

"ThisIsMySecurePassword" <-- Sorry, Passwords must include a number

"ThisIsMySecurePassword1" <-- Sorry, Passwords must include a special character

"ThisIsMySecurePassword 1" <-- Sorry, no spaces allowed

"ThisIsMySecurePassword%1" <-- Sorry, the % character is not allowed

"ThisIsMySecurePassword_1" <-- Sorry, passwords must be shorter than 16 characters

"Fuck" <-- Sorry, passwords must longer than 6 characters

"Fuck_it" <-- Sorry, passwords can't contain bad language

"Password_1" <-- Accepted.

I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use to password_hash function as MD5 is not secure...

He said no we can't get a password from MD5 hashed string. It's one way hashing...

So I asked him to take couple of passwords from the users table and try to decode those in any online MD5 decoder and call me after that if he still thinks MD5 is secure.

I have not got any call from him since.

Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security

Hope it's not a repost but this is brilliant... although putting it up in my office wouldnt change anything. Password123 was there before me and it'll be there after me.

"I really love the new $3k Fortigate firewall switch you bought for the office after our chat about security but it doesn't change the fact that you can access any computer in the company using Password123" - me

I typed "WordPress_&_Wix" in the password field.

The page said "Password is too weak".

Do you salt passwords? Yes...
Ladys and Gentlemen my father

What the actual fuck? Person (or people!) who devised this password policy, you are an idiot (or idiots - all of you). You are stupid and insane and have no idea about security or user experience.

"We should just store the passwords in plain text"

I encrypt passwords with Base64

What Could Possibly Go Wrong? 😂😂

Me: *enters password on phone (long PIN)*
Person next to me is looking at my phone WHILE I enter my password, and as I look at him, he doesn't even turn away and even has the nerve to say:
"Wow, why do you have such a long password!"
Μy answer: "Because of security reasons."
What I actually wanted to say:
"Because of pieces of SHIT like you who can't keep their eyes to themselves, even when PASSWORDS are involved, you FUCK! Guess why everytime I enter a password in public, I have to dim my screen and turn my screen sideways? Because of fuckheads like you, not knowing shit about privacy and security! Fuck you!"

PM: We need security on signup, the password entry should contain "A capital letter, 2 numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin."
ME:

Mistyping one character wrong in a password and hitting backspace until I am sure I’ve deleted the entire Wikipedia.

Then starting all over again.

I like my fries how I like my passwords... salted :)

Way to many...

- Passwords stored in plain text on the year 2014
- Not supporting HTTPS because to expensive
- Hidden admin URLS
- Databases available all over the internet
- Client Side validation
- IoT

weak passwords...

Navy story continued.
And continuing from the arp poisoning and boredom, I started scanning the network...
So I found plenty of WinXP computers, even some Win2k servers (I shit you not, the year was 201X) I decided to play around with merasploit a bit. I mean, this had to be a secure net, right?
Like hell it was.
Among the select douchebags I arp poisoned was a senior officer that had a VERY high idea for himself, and also believed he was tech-savvy. Now that, is a combination that is the red cloth for assholes like me. But I had to be more careful, as news of the network outage leaked, and rumours of "that guy" went amok, but because the whole sysadmin thing was on the shoulders of one guy, none could track it to me in explicit way. Not that i cared, actually, when I am pissed I act with all the subtleness of an atom bomb on steroids.
So, after some scanning and arp poisoning (changing the source MAC address this time) I said...
"Let's try this common exploit, it supposedly shouldn't work, there have been notifications about it, I've read them." Oh boy, was I in for a treat. 12 meterpreter sessions. FUCKING 12. The academy's online printer had no authentication, so I took the liberty of printing a few pages of ASCII jolly rogers (cute stuff, I know, but I was still in ITSec puberty) and decided to fuck around with the other PCs. One thing I found out is that some professors' PCs had the extreme password of 1234. Serious security, that was. Had I known earlier, I could have skipped a TON of pointless memorising...
Anyway, I was running amok the entire network, the sysad never had a chance on that, and he seemed preoccupied with EVERYTHING ELSE besides monitoring the net, like fixing (replacing) the keyboard for the commander's secretary, so...
BTW, most PCs had antivirus, but SO out of date that I didn't even need to encode the payload or do any other trick. An LDAP server was open, and the hashed admin password was the name of his wife. Go figure.
I looked at a WinXP laptop with a weird name, and fired my trusty ms08_067 on it. Passowrd: "aaw". I seriously thought that Ophcrack was broken, but I confirmed it. WTF? I started looking into the files... nothing too suspicious... wait a min, this guy is supposed to work, why his browser is showing porn?
Looking at the ""Deleted"" files (hah!) I fount a TON of documents with "SECRET" in them. Curious...
Decided to download everything, like the asshole I am, and restart his PC, AND to leave him with another desktop wallpaper and a text message. Thinking that he took the hint, I told the sysadmin about the vulnerable PCs and went to class...
In the middle of the class (I think it was anti-air warfare or anti-submarine warfare) the sysad burst through the door shouting "Stop it, that's the second-in-command's PC!".
Stunned silence. Even the professor (who was an officer). God, that was awkward. So, to make things MORE awkward (like the asshole I am) I burned every document to a DVD and the next day I took the sysad and went to the second-in-command of the academy.
Surprisingly he took the whole thing in quite the easygoing fashion. I half-expected court martial or at least a good yelling, but no. Anyway, after our conversation I cornered the sysad and barraged him with some tons of security holes, needed upgrades and settings etc. I still don't know if he managed to patch everything (I left him a detailed report) because, as I've written before, budget constraints in the military are the stuff of nightmares. Still, after that, oddly, most people wouldn't even talk to me.
God, that was a nice period of my life, not having to pretend to be interested about sports and TV shows. It would be almost like a story from highschool (if our highschool had such things as a network back then - yes, I am old).
Your stories?

Guy: I don't trust password managers
Me: so how do you remember passwords?
Guy: oh, I just keep them in a note in the iPhone notes app/iCloud.

Maastricht knows how to manage their pan-erm-passwords :3

Writing customer passwords fulltext into the prod database because "it's easier to associate them with the user"

My dad believes in hiding his passwords in plain sight

He puts them all in a
readme.txt sitting next to the Canon printer exe file. 😂

!rant

IDE or text editors ?
I tbh use notepad++ to work on text files and encrypted files for passwords lol

A ecom website which sales premium gold product from 50k to 170k INR.

database : mysql
all passwords and user ID's are saved in plain text.

'Incorrect password.'

"I must've forgotten the password. Let me change it".

'Old and new passwords cannot be same'

o_O

Fuck me, big fucking security flaw with a UK internet service provider, my head has gone through my desk and hit the floor it’s that bad.

Unique & Secure Passwords...
Source: Hacking FB Page

My insurance company sending me the payment slip by post with my username and password to the online account for easy access. How sweet of them. 10/10 customer satisfaction.

I see your "Storing passwords in plain text". I raise you to "sending passwords via post in plain text".

This cuts deep

Today FileZilla saved my life by storing all site connection passwords in base64
Without it we'd have lost access to an old production server 👌

Buckle up kids, this one gets saucy.

At work, we have a stress test machine that trests tensile, puncture and breaking strength for different materials used (wood construction). It had a controller software update that was supposed to be installed. I was called into the office because the folks there were unable to install it, they told me the executable just crashed, and wanted me to take a look as I am the most tech-savvy person there.

I go to the computer and open up the firmware download folder. I see a couple folders, some random VBScript file, and Installation.txt. I open the TXT, and find the first round of bullshit.

"Do not run the installer executable directly as it will not work. Run install.vbs instead."

Now, excuse me for a moment, but what kind of dick-cheese-sniffing cockmonger has end users run VBScript files to install something in 2018?! Shame I didn't think of opening it up and examining it for myself to find out what that piece of boiled dogshit did.

I suspend my cringe and run it, and lo and behold, it installs. I open the program and am faced with entering a license key. I'm given the key by the folks at the office, but quickly conclude no ways of entering it work. I reboot the program and there is an autofilled key I didn't notice previously. Whatever, I think, and hit OK.

The program starts fine, and I try with the login they had previously used. Now it doesn't work for some reason. I try it several times to no avail. Then I check the network inspector and notice that when I hit login, no network activity happens in the program, so I conclude the check must be local against some database.

I browse to the program installation directory for clues. Then I see a folder called "Databases".

"This can't be this easy", I think to myself, expecting to find some kind of JSON or something inside that I can crawl for clues. I open the folder and find something much worse. Oh, so much worse.

I find <SOFTWARE NAME>.accdb in the folder. At this point cold sweat is already running down my back at the sheer thought of using Microsoft Access for any program, but curiosity takes over and I open it anyway.

I find the database for the entire program inside. I also notice at this point that I have read/write access to the database, another thing that sent my alarm bells ringing like St. Pauls cathedral. Then I notice a table called "tUser" in the left panel.

Fearing the worst, I click over and find... And you knew it was coming...

Usernames and passwords in plain text.

Not only that, they're all in the format "admin - admin", "user - user", "tester - tester".

I suspend my will to die, login to the program and re-add the account they used previously. I leave the office and inform the peeps that the program works as intended again.

I wish I was making this shit up, but I really am not. What is the fucking point of having a login system at all when your users can just open the database with a program that nowadays comes bundled with every Windows install and easily read the logins? It's not even like the data structure is confusing like minified JSON or something, it's literally a spreadsheet in a program that a trained monkey could read.

God bless them and Satan condemn the developers of this fuckawful program.

PLAIN FUCKING TEXT PASSWORD! How can this still be a thing in 2018?

!!pointless story

Bug report comes in from a coworker. "Cloudinary uploads aren't working. I can't sign up new customers."

"I'll look into it" I say.

I go to one of our sites, and lo! No Cloudinary image loads. Well that can't be good.

I check out mobile app -- our only customer-facing platform. None of the images load! Multiple "Oops!" snackbars from 500 errors on every screen / after every action.

"None of our Cloudinary images load, even in the mobile app," I report.

Nobody seems to notice, but they're probably busy.

I go to log into the Cloudinary site, and realize I don't have the credentials.

"What are the Cloudinary credentials, @ceo?" I ask.

I'm met with more silence. I use this opportunity to look through the logs, try different URLs/transforms directly. Oddly, everything seems fine except on our site.

I check Slack again, and see nothing's changed, so I set about trying to guess the credentials.

Let's see... the ceo is basically illiterate when it come to tech, so it's probably not his email. It's a startup, and custom emails for things cost money, and haven't been a thing here forever, so it's probably oen of the CTO's email aliases. he likes dots and full names so that narrows it down. Now for the password.... his are always crappy (so they're "easy to remember") and usually have the abbreviated company name in them. He also likes adding numbers, generally two-digit numbers, and has a thing for 7s and 9s. Mix in some caps, spaces, order...

Took me a few minutes, but I managed to figured it out.

"Nevermind, I guessed them." I reported.

After getting into Cloudinary, I couldn't find anything amiss. Everything looked great. No outage warnings, metrics looked fine, images all loaded. Ex-cto didn't revoke payment or cancel the account.

I checked our app; everything started loading -- albeit slowly.

I checked the aforementioned site; after a few minutes, everything loaded there, too.

Not sure what else to do, and with everything appearing to work, I said "Fixed!" and closed the issue.

About 20 minutes later, the original person said "thanks" -- never did hear anything from the ceo. I've heard him chatting away in the other room the entire time.

Regardless, good thing for crappy passwords, eh?

Unique Passwords..😂

No, MD5 hash is not a safe way to store our users' passwords. I don't care if its been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?

My school stores everyone's username and passwords (including admins) in plain text on a Windows 2007 server that they remote desktop into.

!security

(Less a rant; more just annoyance)

The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.

The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄

Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)

I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.

But it's friday, so I must unfortunately wait. :<

I wanted a long, secure(ish) password.

I opened VI editor and told my mom to close it..

I used to work in a call center for a local hospital.

One night, all of our lines are swamped. Literally no time for a break between phone calls, +15 minute wait times. I answer the next call:

Me: "Its a marvelous Monday at AskIT, how may I help you?"

Doctor: "This is Dr. [Noone Care]. I need you to fix my password now."

Me: "Absolutely! You should be able to enter a new password now."

Doctor: "MY HANDS ARE NOT FOR PASSWORDS, MY HANDS ARE FOR SURGERY!"

😩 So glad I don't work for doctors anymore. Oh and the best part is, he had selected the general phone queue, rather than the doctor queue (~3 minute wait time instead).

Worst passwords of 2017

Girlfriend: There are so many passwords to remember, man. What's my amazon password, baby?

Me: Just use a password manager?

Girlfriend: That sort of thing exists?

Anyone ever entered a password and it keeps saying wrong password, so you decide to reset the fucking password and now the problem is ....the systems/website tells you that you can't reset the password to your current password or a password you are already using... like okay what the fuck!!!!!.....

Bank forces me to change my password. Figured I'd use Safari's strong password generation. Submit. Password changed.

Go to log in with new password. Password not saved because I had previously told Safari not to save this site's password.

Okay… so the strong password you JUST generated and submitted without showing me is now my banking password but neither of us knows what it is?

Fucking brilliant. I mean at least let me fucking copy it so I can store it in my password manager. The most hilarious thing is the message that appeared on the generated password saying my password would be available from Safari preferences. Yup, nope. Nothing there except a note saying no passwords will be stored for this site.

This is the state of Apple in 2018, folks. Fucking sad.

I used PHPMailer to send emails to a client's website user. SMTP host is smtp.gmail.com.

web was hosted on Bluehost. I found out that mailer was not working. I enabled verbose output and to my surprise I found out that Bluehost was intercepting my mail and responding with

220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail

when i was explicitly using smtp.gmail.com. Not only they were intercepting but also They were trying my credentials against its own smtp server and then showing me that authentication failed.

When i contacted chat they asked me to tell last 4 characters of Bluehost account password to verify ownership.

Dude do they have passwords in plaintext.🤔

I started using Keepass and changed all my passwords to auto generated passwords. Somehow, my PC crashed before I saved the database. That was the day, where I lost access to my primary email address.

"Lets store passwords as-plain-text"

Security rant ahead - you have been warned.
It never fails to amuse and irritate me that, despite being in the 2019 supposed information age, people still don't understand or care about their security.
I've travelled to a lot of ports and a lot of countries, but, at EVERY port, without fail, there will be at least one wifi that:
- Has default name/password that has been cracked already (Thomson/SpeedTouch/Netfaster etc)
- Has a phone number as password (reduces crack time to 15-30 mins)
- Someone, to this day, has plain old WEP
I am not talking about cafeteria/store wifi but home networks. WTF people?! I can check my email (through VPN, of course) but it still bugs me. I have relented to try and snoop around the network - I can get carried away, which is bad. Still...
The speed is great though :P

Why the FUCK wouldn't you use a salt on passwords?!!!??

Today Comcast told me my account password over the phone... Fucking Comcast stores passwords in plaintext.

This “Caps lock is on” feature when typing in passwords was probably very angrily added by a developer after several failed log in attempts.

As it turend out, just after ranting about increasing my online security, I had an unapproved sign-in from Russia into my Netflix account about an 3h ago.

Notice :

Citizens are advised to store all their passwords into either text files or Google Keep, OneNote, Evernote so that it would come in handy whenever you forget the Password.

Please share this among your family and friends.

Have a nice day :)

Too week 😋

Relying on Chrome to remember all my passwords. I have no idea any more what passwords I have chosen for several important sites. Don't even want to think about what happens the day I switch PC or reset that cache somehow.

Encrypting passwords with AES and storing the decryption key alongside te passwords file.

Sites that store plaintext passwords in 2017...

- Guys, today the security auditors are coming, don't forget to remove your sticky notes with passwords. And for God's sake wear the badges for a least a day!

Boy, sure wish I knew about this before putting all of my passwords into lastpass. This looks way more secure. Handwriting in English is pretty much as good as encryption.

Wrost security fix ever seen?

encode that passwords in base64 is safe enough.

And keep the password.txt accessible from internet it's safe because nobody know that it exists...

A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.

Well ... at least I thought so ...

Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...

There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.

Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.

And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...

Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...

Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...

Is it just me feeling like this about crappy UI/UX design? Always wondering...

"I know, I'll set my password as '12345'. No one will guess it because it's too simple right? RIGHT?"

"The default password is your birthday"
They don't even make you change it

Philosophy 🤣🤣
Credits: commitstrip.

Just received a mail from my college that my college's student account password does not contain any special characters and I should change it immediately. Wtf? How did they know that?

when you work for a place that has plain text passwords in the db. lol
I asked head of department if he knew what salting/hashing passwords was and he said no.... is this real life?

Storing passwords in plain text.

To be fair, it was a feature requested by the client, but still...

At least encrypt it man.

Recently, one of our passwords was accidently published on a public page for a few minutes before it was noticed and removed. Unfortunately, this password opens nearly every locked account so it's a pretty big deal.

Management was informed of this mistake and told that we should change the passwords as well as implement a few other protocols to make sure this doesn't happen again including things like unique passwords, more secure passwords, using a password manager, etc.

Their response? It wasn't online long, probably no one saw it. There will be no changes in how we handle ours or our clients' secure passwords.

Are there any website or public list that shame companies and websites for sending passwords in plaintext whenever we tend to reset the password?

Tesco.com, you deep pool of creamy baby shit. I've tried to reset my password three times already. My new password has way more entropy than your mathematically impaired rules command, but apparently using password managers is bad practice. It should be about having at least one special character, not EXACTLY one. I've got lots of uppercase characters, not PRECISELY one.

Forgot my password at school, say so, they tell me the password. Have they never heard about security?

By the magic of Javascript, I made an unhackable password!!!

My trusty password manager, so I dont have to remember those shitty passwords. (its however being rebuilt after a failed firmware upgrade who bricked it).

Best decisions:
- Switching to Linux entirely
- Learning how to use the shell

Worst decisions:
- Using Windows 8
- Hardcoded passwords (I built a small thing for myself, don't judge)

Our sysadmin just wrote our new work account passwords on our office whiteboard, visible to everyone... Now that's how you create chaos

Can people just fucking stop using "hacked" as a synonym for "my password has been found out"? Even devs do this shit! Devs should know better about what a "hacked" account is.

Never ever have a tab open on production server database. Changed all users passwords by mistake. Thought was my test database.

The "Change Password" function autofilled the old password. Dev told be it didn't matter because "if you set the field type to password you can't see it".

I wonder how many decades it will take until employees stop to fucking stick their passwords to the computer screen at their station. It is a complete fucking nightmare if you are responsible for the network!
Can we bring back the guillotine? But it must be stub!
Those nitwits shall suffer!

New password cannot be one of your four previous passwords.
Password must conatin upper and lower case characters, at least two numbers and two special characters
Password cannot contain five or more consecutive letters of username.
Password cannot include any _illegal patterns_.

Locked out of your system? Drive over to HQ and ask the admins to reset your password in person.

When your school doesn't give you the root password of your openSUSE laptop but an encrypted file with all the passwords of the school even the director's one just to stimulate you

When your client wants you to store password in plain text and it makes your life easier but it still feels really wrong

If($password = $password2) {
//login
}

Keep in mind that password is the salted and hashed input and password2 is the Salter and hashed pw in the database...

Who needs passwords am I right?

It took forever to get SSH access to our office network computers from outside. Me and other coworkers were often told to "just use teamviewer", but we finally managed to get our way.

But bloody incompetents! There is a machine with SSH listening on port 22, user & root login enabled via password on the personal office computer.

"I CBA to setup a private key. It's useless anyways, who's ever gonna hack this computer? Don't be paranoid, a password is enough!"

A little more than 30 minutes later, I added the following to his .bashrc:

alias cat="eject -T && \cat"
alias cp="eject -T && \cp"
alias find="eject -T && \find"
alias grep="eject -T && \grep"
alias ls="eject -T && \ls"
alias mv="eject -T && \mv"
alias nano="eject -T && \nano"
alias rm="eject -T && \rm"
alias rsync="eject -T && \rsync"
alias ssh="eject -T && \ssh"
alias su="eject -T && \su"
alias sudo="eject -T && \sudo"
alias vboxmanage="eject -T && \vboxmanage"
alias vim="eject -T && \vim"

He's still trying to figure out what is happening.

My ex-Physics teacher didn't have a towel with him today 😢

Btw I left this on the library "core" computer

Tldr; make sure what you study is relevant to the field and you enjoy it otherwise don't waste your time.

BTW: devrant is awesome it gets me through the day.

So I am almost 3/4ths through a master's in cs and I am contemplating why I went to school in the first place/dropping out.

My program is basically an extension of the bs I got from the same school meaning we learn very general cs topics. There is only one ai class for example.

I had a junior developer position before I even got my bs so now that I am this far along and looking at job openings I'm wondering what why and how my school is able to get away with teaching us this shit.

After all my schooling I learnt more on my own and through Google. I have little to show for my school work other than a degree that says I did a bunch of busy work. And the specific things that I did learn I will never ever remember. Seriously. Who here knows what a MIB and OID are and have actually used them?

I wish I tried harder to get into a school like Berkeley but just looking at their applications is depressing. I always had issues with school and they expect my to have the grades, extra curriculars and other shit. I'll build you a robot or make you a website but I'm not doing that nonsense.

And then there's Google and apple and all these big tech companies expecting me to have written full Enterprise software and know every single algorithm and programming language because everyone uses something different. Sure I wish I had experience in all 50 languages that are popular right now but I don't. And I'm not gonna learn it from school that's for damn sure.

Who here actually went to a good school and can say it helped them in the real world? How many employers actually care about school over actual experience?

Who knows how to burn a school down and get away with it? Or at least make teachers with Phds stop reading off slides all lecture. I know how to fucking read for fucks sake. Not too mention they use shitty software made in 2003 that's no longer supported. And I could go on about the teacher last quarter who graded the midterm on final day while he flirted with the 3 girls in class. And I could go on and on and on but I feel like I need to start being productive so I don't waste away.

Just so done.

I'm sick of the tyranny of websites who say your password must include at least one shady character, one special agent, and a number of other filthy things. Only makes your passwords impossible to remember, hard to type, and not a bit more secure.
"mynameisronalddumpandimanorangehairedorangutan" is a million times more secure than "P4$$word".

I'm going to add "Ability to memorize numerous passwords" to my resume.

“Password length mustn't exceed seventeen characters.”
Why? Why do some Web sites still have this rule? It's 2018. We should be using passwords of at least twenty-four characters. This is crap.

Default passwords

A friend actually asked me this..
He is building an android app for selling his stuff and haven't used hashs for storing passwords..

These dimwits emailed my receipt for my dues (not shown) AND MY USERNAME AND PASSWORD in the same PLAINTEXT UNENCRYPTED email...

Off to go write a cranky email...

A few years ago I found a public AWS S3 bucket owned by a fortune 500 company containing a database dump backup with all of their users unsalted md5 hashed passwords.

I didn't report it because I don't want to get sued or charged. I don't know whether it's still public or not.

Yup, long weird strings are the way forward.

This is why having strong and secure passwords are important. Your social media team must be ass BWW.

Why the fuck would you allow special characters in your passwords, when some of them are considered "potentially dangerous!" can't even login ffs!

Client from a big company requested that all sensible data should be encrypted, passwords included.
We agreed that was OK, and that we were already saving the hashes for the passwords.
The reply was "Hashes should be encrypted too"

Microsoft seriously hates security, first they do enforce an numer, upper and lowercase combined with a special character.
But then they allow no passwords longer than 16 characters....
After that they complain that "FuckMicrosoft!1" is a password they've seen to often, gee thanks for the brute force tips.

To add insult to injury the first displayed "tip" take a look at the attached image.

Updating code for big client.

Find that they are not encrypting passwords in the database and are not sanitizing user input from forms.

Do not trust the user!

Just saw this during a speech ... 😅

That moment when you find out your school is using unsalted md5 passwords, and your school project requires using it too... FUCK

My local library still hasn't noticed the change of name. They need to stop using a default password for the printer! Imagine how users would feel knowing private documents they scanned can be seen elsewhere? Making good passwords either needs to be incentivised, or factory passwords should be generated. Or I guess one day, people and maybe companies too will have such trash IoT security everywhere else too that you get the smart home hack from Mr Robot.

Seriously, it's dumb.

I will immediately change all my ”123456” passwords.

When you forget your password, go to change it and get greeted with:

"Your new password cannot be the same as your current password!"

On chat today.
Dude: can you run a script for me? We don't have permission.
Me: what kind of script? Who wrote it?
Dude: posts screenshot of DML select/update statement he tried to run.
Me: I'm a DBA. We don't run DML for people.
Dude: Oh. Can you give me the password?
Me: examine script and notice he tried to run it on QA DB.
Me: No. We don't memorize passwords, and this is QA; you need to check the password out of the safe. You also need a change ticket to DevOps, and they will run it for you.

At that point I ended the discussion, because running anything in QA or Prod without a change ticket gets you fired. And I like my job. Really annoyed.

After watching Mr Robot, I installed Kali and learnt to hack WiFi passwords via brute force. Was utterly disappointed that, most crackers just use prebuilt tools instead of developing their own algorithms and programs.

So, in my last rant I established that my classmates give a rat‘s ass about privacy. Want proof? Here it is. These absolute braindead dimwits fucking save their outlook passwords in the browser on public PCs. I can log into their accounts without their passwords.
Bonus points for linking that email address with windows itself. On a public computer. I am too tired to come up with swearwords for such utter mindlessness and stupidity, but believe me, I wish traumatic rape, sex slavery, painful death and scorching fire in hell to the fuckers who called me a paranoid schizophrenic, yet save their passwords and associate it with windows on a public computer. Motherfuckers!

Uhm. I don't like this

Why the Fuck is PayPal only allowing passwords up to 20 characters . Even the most useless websites aren't doing that (at least not visisible, maybe they shorten it in the backend).

For security reasons and to have stronger passwords, my organization enforces us to use '@123' at the end of the password!! Dumb motherfuckers!! :P

Signed up for a driving class...
This is what i get in the mail shortly after.

Fucking fantastic guys! Saving passwords plaintext. Is it because of the government?

How secure are you passwords guys? Like specifically, along with your username.

plaintext passwords
🙈

Reset 65 passwords today already, a new personal best for one day! No idea why the reset password button is so hard for clients to use, aghh!

Interns built a user login portal. Password reset page takes user email from a GET parameter.
You can literally reset passwords if you know the emails 😂😂😂😂

Registered an account with a local pizza business and rated them 5* on Yell moments before checking my email and finding they had emailed me my unencrypted password, GREAT NOW I WON'T BE ABLE TO EAT

When you spend 5+ minutes creating a secure password for your new bank account and you get a message saying the password must be between 6 and 12 characters long.

Not sure I want to open this account any more.

Fuck me.

Today, this made me think: My bank limits the password I can choose to 16 chars, and only letters and numbers are allowed, no special chars. Meanwhile on Typeracer.com I was able to use 60 character password, including numbers, letters and special chars.

Just reviewed the code of an online financial system used for managing payroll and investments. Cracked the admin password in less than three minutes.

This is a system operating in a sector with regular audits, how am I the first person to spot how bad this is?

Why is every company so BAD at working with spaces in passwords? Just trying to setup Hulu on my PS4, apparently I forgot my password? No, my password had a space in it. So maybe Hulu's just one of those companies that doesn't allow spaces in passwords? Wait no, I can log in with no problems on my Switch or PC with the space. It's just SPECIFICALLY the PS4 app that doesn't allow spaces. Cool cool cool.

Like, am I missing something? Is there some reason it's harder to hash than other characters? It's just an ASCII character, it's not like I'm copy/pasting in some fringe unicode shit. Some companies straight up ban it. Some like Amazon don't recognize it as a special character, while demanding I use a special character. Why is this so terrible?

Confidence is key.

HOLY UNICORN TITS fuck passwords and my incredibly weak short term memory lol

Why do some websites have password limits? I want to have unlimited characters for my password.

More than 2 years ago I alerted management that the default password we use for client accounts (and two of the variations) were pwned in database breaches. Today we receive an all-staff email that management "has reason to believe this password may have been compromised" and that we needed to change it across the 1200+ accounts where it's being used (200+ clients, several accounts per client).

Is it unprofessional to send a few "I told you so" memes and gifs?

"The password must have 7 or 8 characters (numbers and/or letters)”
says Movistar, the biggest ISP and telecom company in Spain ... I can't even.

Password

Domain server goes down, it's the gateway and DNS too.

Ok I'll just remove the domain, it's been orphaned really since you went to the cloud.

Don't have local admin password.

Ok call old it company who set up gear

Out of business

Ok boot to Linux and reset

Usb boot locked

Don't have bios password

Call old it company

Still out of business.

Wait, can I just set manual ipv4 ? Ok domain without a domain controller... If it works it works.

In my school, eleventh grade (so nearly "Abitur", A levels), we got the task to create a program which will be running on every computer here which should replace the Classbook (like a book where homework and lessons and stuff is written down).
Now, the class before mine already did a part of that, a program to share who is ill/not at school, with a mark whether it is excused or not.
So far so good. They all seemed not that bad when they were presenting it to us. Then, the first thing: they didn't know what git is. Well, okay I thought.
Next, there was this password field to access the program. One of them entered the password and clicked enter. That seemed suspiciously fast for an actual secure login. So fast, the password could have been in the Code...
Yesterday I copied that program and put it into a decompiler.
And... I was right.
There were the login credentials in plain text. Also, haven't thought of it but, IP address + username + password + database name were there in plain text, too.
Guess I am going to rewrite this program down to the core

Signed up for a market research company (ironically, that I used to work for as a transcriber about 10 years ago) to pull in a bit of extra cash.

They sent an e-mail back confirming my registration.

With the password in plaintext.

"Do you want me to remember your password?"

"Click here"

FX [ Clicks.. ]

FX [ Time Passes . . . ]
(Bonus points to anyone that gets that reference..)

"Please enter your password"

Grrrrr !!!

Why is it so hard for some applications/etc. to do this, whilst others I've had the same password remembered for over a decade !

Even worse..

"Check email for password verfication."

That'll be the, it takes 4 hours for the email to arrive email server..

Or the email server will be down at that moment.

Or so full of unread messages it takes you half an hour to find the one you want..

Or they just don't send the email. :-)

I just wanna log in !

Sometimes its just something like a game, you know, not a national priceless treasure that needs protecting by a dozen layers of security.

Whatever happens to a desktop short that just loads the game and plays it..

But no, we have to have an internet enabled game to cut down piracy (Even though you can download it someplace with that bit disabled..), and when the company goes out of business, or stops selling that game, oh dear it doesn't work anymore, even though you paid for it !

Grrrr !

New way of storing passwords "securely":

1. Open word and write your passwords in plain text
2. Save that word document and open it in notepad
3. Delete a random character but remember which one and in which position & save

Now the document won't be accessible with word and to fix it you have to put back the character you deleted.

This is robbed me of too many passwords.

Colleague just found out that redislabs silently truncates passwords to 20 characters. Naturally our development department was horrified. It also explains why we couldn't access our account anymore. Who would even come up with such a thing?

Installs Nessus. Creates Admin account. Forgets to save the 32-char random password to a password manager and locks himself out. Installs Nessus...

I saved passwords to db hashed to SHA-1 with no salt... I left that company but I'm sure that application is still actively used today.

Omg how stupid some people are... Today at my university I used the first time one of the computers in the computer room and there is a portable Firefox installed in a shared space on the computer and that is also where it saved settings etc. So this is the same for every user on that particular computer.

And when I checked the security settings I found that about 10 different accounts were saved and accessible with website username and password.

So of course the shared space Firefox is bad, but you still shouldn't save you password on a public computer :S

PS: If anyone needs a webmail account or an account for the german university network contact me :P

Password Rules are bullshit. I am the one to decide what password is safe for me. If even I can't remember my password it's not fucking safe. Morons.

Following on from my school having terrible passwords. Turns out they stored all our passwords in plain text somewhere - so some script kiddie (Do you even need to be a script kiddie to find this - probably not, but the guy who did this was a script kiddie) could just remote log me out twice, log in as me, be a twat, and have a conversation in Notepad.

I am doing some freelance work for a client who is thankfully mindful about security. I found out that they are so strict with their access because they had a huge data breach last year.

Today I was given access to their repo for connecting to their AS400. In the docker file the username and password were included and were the same for dev and prod. They also are performing no sql injection prevention. They are just joining strings together.

Well shit, according to my school’s system, my LastPass generated password isn’t safe enough

Speaking of.. What in your opinion would be an appropriate way to warn someone about security problems, like db passwords in git?

I once came across dozens of extremely sensitive services' infra accesses: alibaba/aliexpress, natuonal observatories, gov institutions, telecomms, etc. I had dozens [if not hundreds] routers' and firewalls' credentials along with addresses. I tried one to confirm validity - it worked. I wanted to warn them but did not want to get in trouble.

If it were servers, I'd set a motd or append some warning messages in .profile. But not sure how to do it for non-server devices

what would you do? How would you warn them?

P.S. Deleting that record was a smart move, buddy ;)

p.P.S. Sorry, wrong category... Can't edit now :(

A lot of larger companies seem to be a happy about forcing employees to change their password every three months or so. They do it for security measures so that it is more difficult to break through the system, however most people end up making the worst passwords.
Instead of forcing a very good password on them every year or two maybe, they all end up having passwords like: "Summer16", "Qwer1234", "London15".
I used to work for our national police, and this was the case there as well...

Finding out a service your school uses doesn't bother encrypting passwords is always fun, isn't it?

sure.... That seems a reasonable arrangement of Gibberish =_=

My university has a internal developed system, where everything is managed from e-mails, exams to personal data.

What I'd like most about it, they talk all day about Internet Security and store our passwords in plain text and if you press the "I've forgott my Password button", they even send your password unencrypted, plaintext via e-mail. (Hello Wiresharks)

I don't know how to feel about this, it just hurts :(

Best password manager?
I usually use the post-it-jutsu art to save my passwords.

But I think that when you have too much passwords, there should be a better way to store your info.

Soooo.. facebook got breached today, 50 million accounts compromised. I'm sure that will help their stock price.. 😂

Change your passwords, ladies and gents!

Guys. I think h1z1 stores passwords in plaintext......

You know this MD5 encryption?

Me too - especially when saving customer passwords 😂

Scored another win as the family tech guy! I found out my wife's sister and her husband were storing all their passwords in a Excel spreadsheet. Long story short they are now using a password manager. 😁

Why are the MOST important passwords in my life (banks, financial, insurance) the LEAST secure (i.e. Max length 12, no special chars)

Passwords.. how do you guys manage yours? I'm one of those who often used the same semi weak password for nearly everything

I'm more than likely going to get a password manager but I have no idea which, do you use any?

I've been informed that through some level of recognition and certification, today is "Password Day," seemingly in an attempt to encourage people to have strong passwords. I will do my part and say that if you're not using a password manager, you have missed out on years of your life.

To all the privacy conscious people

Does anyone know your/one of your password(s)?

Hacking is awesome and looks easy!!! And seems like even pentagon might have toooons of exploits and backdoors, and qwerty passwords !!
After watching Mr. Robot...

I set up unRAID on my server this weekend, and only just checked my logs to see if anything weird was happening. Turns out 2 IPs have been trying to brute-force the SSH password all weekend. I quickly installed the DenyHosts plugin and reminded myself to always use a strong password, which luckily I did.

A bit later now, and one of the 2 gave up, the other one keeps trying but of course the connection is refused. Just keep trying buddy :P

I really think it's like to make passwords a thing of the past!

And another shitty hoster...
Translation:
“The password is to long. Please choose a password that is not longer than 16 characters”

Don't you just hate *silly* password restrictions? Surely there is a very limited number of possibile passwords

On top of this their "password prompt" says passwords are between 6 and 10 characters...

Just found out that a big hosting provider saves a user's SQL and FTP password in a plain text file just at the parent folder of the normally accessible ftproot.
Using some linux commands you can
cat ../mysql_pw
cat ../ftp_password.txt
IT'S NOT EVEN ENCRYPTED OR HASHED
(This is tested on a minecraft server, would also work on other services)

Am I the only one whose passwords are 256-char long and randomly generated?

Accidentally pushed my android keystore credentials to my open-source android project on GitHub. I have spent the last 3 days filtering all branches to ensure that everything is okay.
Good save.
Hope so.

Putting the API keys, secrets and passwords in the code and pushing it to git.

Goddamit I hate it when services advertise how they are about security and then deny me using random readable words with hyphens as passwords.

Short sad story:

The backend team in my company stores plain text passwords and I am making a view in the website to view all the users password in the system

The wordpress site I told my friend her friends I would take a look at made me feel a bit like a real hacker.

Without knowing them I guessed their username and password for the admin panel in 15 tries. Today they send me the password and username via email.
I just told them I already had access and that they should change the password.

TL;DR first off you are lazy, it isnt such a long text, but the real tldr is "Me Hackerboy"

When you're guessing passwords and this time it took a bit longer... but it was still wrong...

Slow internet problems...

Boss hired a freelancer to work on a new reporting dashboard. Freelancer also built a backed. Boss wants me to work on fixing that backend. I check out the DB first only to find plaintext passwords. I threw up a little.

My passwords are so secure, they want to talk about sex with me.

About 5 years ago I worked at a small company developing websites and .NET applications.

They haven't changed any passwords which means, I still have access to ALL of their customers DNS setups.

Of course I wouldn't do anything.

But just the thought, that I could make an infinite loop, by redirecting the domains, is amazing.

Or redirecting them to a porn site.

People, even on devrant, are complaining about having to change their Twitter passwords. A major security event is not the only occasion to change your password (for anything).

You should change your passwords for everything regularly. Like, once every month or two.

This is why password managers are brilliant.

This is the kind of company that provides online ticket sales for one of the bigger cinemas in Italy. Yes, registration is unavoidable.

I think I have figured out a way of making memorable and secure passwords...

Look through your old code and pick the cringiest, the worst snippets of code you can find, and use them as your passwords

Just had a very "OMG WTF!" kind of mini conversation with my co-founder, of a web dev startup.

Him: So what's LastPass then?
Me: It's a secure password management system.
Him: So let's use LastPass instead of Dropbox then. :-)

** quickly searches dropbox for passwords **

A little knowledge can be extremely dangerous if left unsupervised.

Sysadmin's nemesis: a DBA. Especially an oracle DBA. There's no other kind of tech worker I've seen who's more opposed to best practices.

How about for devs?

If you think walking on your parents while they're having sex is bad, hear(read) this:
Today I heard my mom asked my dad her email's password, and she's a doctor. Why and how can't you memorize your only password? I mean if she wasn't a doctor this situation would be more believable.