XenoPhage :verified:<p>Why is it that Home Depot has passkey support and my bank still wants me to answer those three questions?</p><p><a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://infosec.exchange/tags/FacePalm" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>FacePalm</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
social.coop is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Fediverse instance for people interested in cooperative and collective projects. If you are interested in joining our community, please apply at https://join.social.coop/registration-form.html.
Administered by:
Server stats:
487active users
social.coop: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.4
#securityfail
1 post · 1 participant · 0 posts today
Suzanne Aldrich (she/her)<p>Critical Next.js Middleware Vulnerability (CVE-2025-29927)</p><p>A major auth bypass vulnerability in Next.js middleware (prior to v14.2.25 / v15.2.3) allows attackers to inject the x-middleware-subrequest header and bypass authorization entirely. Exploitable via simple HTTP requests—no user interaction, no special permissions.</p><p>Patch. Now. Or block the header manually.</p><p>GitHub scored this 9.1 CRITICAL, but the real issue? This flaw exposes a systemic weakness in middleware validation, and some vendors weren’t exactly upfront about the risks.</p><p>Details + POC: <a href="https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">zeropath.com/blog/nextjs-middl</span><span class="invisible">eware-cve-2025-29927-auth-bypass</span></a><br>NVD: <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-29927" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nvd.nist.gov/vuln/detail/CVE-2</span><span class="invisible">025-29927</span></a></p><p>Security theater is easy. Secure defaults and transparency are harder—but essential.</p><p><a href="https://hachyderm.io/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://hachyderm.io/tags/AppSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AppSec</span></a> <a href="https://hachyderm.io/tags/NextJS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NextJS</span></a> <a href="https://hachyderm.io/tags/CVE202529927" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CVE202529927</span></a> <a href="https://hachyderm.io/tags/middleware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>middleware</span></a> <a href="https://hachyderm.io/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a></p>
Todd A. Jacobs | Pragmatic Cybersecurity<p>This isn't Apple's fault, as it still has to follow local laws to sell its products. However, this is a huge <a href="https://infosec.exchange/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a>.</p><p>Even though Apple no longer fights for mindshare in the enterprise computing market as it once did, this will force companies that require secure data to either avoid iCloud-enabled apps altogether—which can be hard to do on a Mac—or stop using Macs altogether for anything that processes <a href="https://infosec.exchange/tags/PII" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PII</span></a>, <a href="https://infosec.exchange/tags/PHI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PHI</span></a>, or even proprietary <a href="https://infosec.exchange/tags/sourcecode" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sourcecode</span></a>. </p><p>In particular, many <a href="https://infosec.exchange/tags/softwaredevelopers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>softwaredevelopers</span></a> prefer <a href="https://infosec.exchange/tags/MacBooks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MacBooks</span></a> since they offer a mainstream user experience but run <a href="https://infosec.exchange/tags/Unix" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Unix</span></a> under the hood. If they can't use MacBooks anymore for security reasons, companies will have to rethink some of their long-standing laptop and desktop <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> practices.</p><p><a href="https://www.bbc.com/news/articles/cgj54eq4vejo" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bbc.com/news/articles/cgj54eq4</span><span class="invisible">vejo</span></a></p>
Frank Filippone<p>Was slightly amused earlier today when looking at Task Manager on a Windows server and found a properly ancient version of TeamViewer running on it.</p><p>Did I mention this server has direct internet access?</p><p>And is part of the security system for this site?</p><p><a href="https://aus.social/tags/it" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>it</span></a> <a href="https://aus.social/tags/itsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>itsecurity</span></a> <a href="https://aus.social/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a></p>
Dyne.org foundation<p>In a surprising twist, the very backdoors designed to keep out the badGuys™ were used by the badGuys™. </p><p>Who could've seen this coming? It's shocking that no one ever warned the clueless legislators behind these backdoors. If only there were some sort of experts they could listen to. 🤦🔓 </p><p><a href="https://toot.community/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://toot.community/tags/BackdoorBlunder" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BackdoorBlunder</span></a><br><a href="https://www.reuters.com/technology/cybersecurity/chinese-hackers-breached-us-court-wiretap-systems-wsj-reports-2024-10-06/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">reuters.com/technology/cyberse</span><span class="invisible">curity/chinese-hackers-breached-us-court-wiretap-systems-wsj-reports-2024-10-06/</span></a></p>
🅰🅻🅸🅲🅴 (🗑️🔥)<p>I know I'm late to the NPD-bashing party, but the complete disregard for other's privacy they've shown warrants another go at them.</p><p>The fact that these companies buy, scrape, and steal our data, then compile it into a dox-bomb and secure it behind a "do not breach k thx" high-security post-it note, just fucking riles me.</p><p>And because it's "publicly available" data, the repercussions of any breach typically amount to having to write a whoopsie apology email and maybe offer an identity scraping—er protection—subscription.</p><p>It blows my mind that these parasites are legal-ish businesses. They basically provide doxxing as a service.</p><p><a href="https://infosec.exchange/tags/NPD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NPD</span></a> <a href="https://infosec.exchange/tags/Data" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Data</span></a> <a href="https://infosec.exchange/tags/Breach" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Breach</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Sevoris<p><a href="https://conduition.io/coding/ticketmaster/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">conduition.io/coding/ticketmas</span><span class="invisible">ter/</span></a></p><p>"Quite hilariously, TicketMaster actually makes token-extraction easy on us: The token is logged to the browser console automatically when the barcode renderer component is mounted on the web page."</p><p><a href="https://mastodon.social/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://mastodon.social/tags/securitytheater" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securitytheater</span></a></p>
QC<p><span class="h-card" translate="no"><a href="https://mastodon.social/@Edent" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Edent</span></a></span> If you call Bank of America, they will verify you using a code sent by SMS that contains, “DO NOT share this Sign In code.” </p><p>I’ll confirm with the agent that they’re asking for the one that says under no circumstances am I to share with anyone, and they reply cheerfully, “yeah that’s the one.” 🤦♂️</p><p><a href="https://mastodon.social/tags/bank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bank</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://mastodon.social/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a></p>
Asta McCarthy<p><span class="h-card" translate="no"><a href="https://mastodon.nl/@AlmereSP" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>AlmereSP</span></a></span> Want USA "publieke"cloud bedrijven zijn echt de enige die veilig een mailserver kunnen draaien :blobfacepalm:<br><a href="https://arstechnica.com/information-technology/2024/04/microsoft-blamed-for-a-cascade-of-security-failures-in-exchange-breach-report/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">arstechnica.com/information-te</span><span class="invisible">chnology/2024/04/microsoft-blamed-for-a-cascade-of-security-failures-in-exchange-breach-report/</span></a><br><a href="https://mastodon.pirateparty.be/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://mastodon.pirateparty.be/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://mastodon.pirateparty.be/tags/cascadefailures" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cascadefailures</span></a> <a href="https://mastodon.pirateparty.be/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Andres S<p>I installed <a href="https://social.ridetrans.it/tags/LibreElec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LibreElec</span></a> on a pi4. During setup, it asked if I wanted to enable sshd (which, like, *of course* I do).</p><p>Then it told me the default login and password, and suggested that I change the password. Okay, sure, good idea. I tried a shared, memorable password I use for home appliance devices (NAT'd & only accessible via sudo, as I use ssh keys). "Password too weak", and it didn't allow it. I tried two other passwords, both rejected. So I left it at the default. <a href="https://social.ridetrans.it/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Asta McCarthy<p><span class="h-card" translate="no"><a href="https://mastodon.online/@bartgroothuis" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>bartgroothuis</span></a></span> Security by obscurity is een slecht idee.<br><a href="https://mastodon.pirateparty.be/tags/opensource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>opensource</span></a> werken en onafhankelijke code reviews zijn een veel veiligere aanpak. <br><a href="https://mastodon.pirateparty.be/tags/microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>microsoft</span></a> <a href="https://mastodon.pirateparty.be/tags/securityfail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>securityfail</span></a></p>
Emelia 👸🏻<p>This form here transmits your encryption key to Backblaze's servers, but they pinky promise never to use it or store it. <a href="https://hachyderm.io/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://hachyderm.io/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a> <a href="https://hachyderm.io/tags/Backblaze" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Backblaze</span></a></p>
Emelia 👸🏻<p>I'm trying out Backblaze for backups, and setup an encryption key. Turns out if you ever use the “View/Restore Files" feature on their website, they send the full encryption key to their remote server.</p><p>Which completely and absolutely defeats the point of the encryption key, because now they have a copy of the encryption key.</p><p><a href="https://hachyderm.io/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://hachyderm.io/tags/Security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Security</span></a> <a href="https://hachyderm.io/tags/Backblaze" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Backblaze</span></a></p>
Fraser Smith🏴<p>This morning I checked my email and there was a standard name change email from Discord for a user name that I never created, to a variation of my gmail address that I have never used.</p><p>As I never use Discord these days, I instigated a password change for that gmail variation, changed the password and logged in. Sure enough, here was a Discord account that I had never created. It hadn't joined any servers, indeed it looked as if it had never had any activity, so I deleted it. </p><p>For good measure, I logged in again with my main Discord login (the one I rarely use) and deleted that too. I doubt I'll miss it.</p><p>I'm not sure what happened (or when it happened) but I really don't know how somebody could create an account without email verification.</p><p><a href="https://octodon.social/tags/Discord" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Discord</span></a> <a href="https://octodon.social/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://octodon.social/tags/SecurityFailure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFailure</span></a> <a href="https://octodon.social/tags/IdTheft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IdTheft</span></a></p>
C.<p>Bank emails: Never click links in emails claiming to be from us, your bank! It's not safe.</p><p>Also Bank emails: To complete this transaction, click this link.</p><p><a href="https://mindly.social/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> <a href="https://mindly.social/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://mindly.social/tags/fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>fail</span></a> <a href="https://mindly.social/tags/stupidity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>stupidity</span></a> <a href="https://mindly.social/tags/idiocy" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>idiocy</span></a> <a href="https://mindly.social/tags/email" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>email</span></a> <a href="https://mindly.social/tags/scam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>scam</span></a></p>
Claudius Link<p>Moving on to <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> <a href="https://infosec.exchange/tags/Guidance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Guidance</span></a> in general</p><p>Microsoft offers the following Password Guidance<br><a href="https://www.microsoft.com/en-us/research/publication/password-guidance/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">microsoft.com/en-us/research/p</span><span class="invisible">ublication/password-guidance/</span></a></p><p>Side note, the PDF contains no (visible) version information or date :-(<br>Please, if you publish guidance, especially if you are an influential company, include a date in your documents. I treat a guidance form 2016 differently than a guidance from 2023</p><p>Back to the recommendations. Most of the are solid but some stick out</p><p>1. Maintain an 8-character minimum</p><p>That seem awfully short. <a href="https://infosec.exchange/tags/NIST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NIST</span></a> states "Longer is better", the <a href="https://infosec.exchange/tags/HPI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>HPI</span></a> recommends 15+ characters and, wait for it, Microsoft themself recommends 12 or better 14+ characters.</p><p>4. Ban common passwords, to keep the most vulnerable passwords out of your system.</p><p>The <a href="https://infosec.exchange/tags/NIST" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NIST</span></a> recommendation check against "commonly used and compromised passwords" considerably extends this!</p><p>Microsoft at other places recommends "Not a word that can be found in a dictionary or the name of a person, character, product, or organization."</p><p>5. Educate your users not to re-use their password for non-work-related purposes.</p><p>Work related reuse is OK????</p><p>I would love to know if <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> internally really follows these password rule. Or if they enforce a stricter set. If anyone knows about this, please let me know (but don't if this would get you fired)</p><p>BTW, the other place where Microsoft recommends a different/stronger set of password rules is here (again no date):<br><a href="https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">support.microsoft.com/en-us/wi</span><span class="invisible">ndows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb</span></a></p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>Some more context to my rant about the shortcomings of <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection:</p><p>1. The risk is greatly reduced if you use <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MFA</span></a> </p><p>BUT while I'm not sure if <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> enforces MFA they enforce the weak password rules. </p><p>And a recent event caused me to reevaluate my assumption on how well know <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>2FA</span></a>/MFA really is:</p><p>I gave <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> talk to non-IT people (still technical so) and closed it with a set of recommendation. One was to enable Second Factor Authentication wherever possible. Which lead to the question from one participant "What is Second Factor Authentication"</p><p>That was quite a 😵 moment. I had the wrong assumptions. How can I assume that MFA reduces a risk if many people don't know about it.</p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>One more thing</p><p>Another shortcoming of <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection, I can't wrap my head around:</p><p>They recommend to not mandate regular password changes (good) BUT they check the password against known bad passwords ONLY when changing it!</p><p>So, to detect weak passwords I have to enforce a password change which is (rightfully) not recommended 🤡</p><p>You could simply do this on entry. Every time (or once a day) the user enters the password it is checked if it isn't well known and complies to the current rules.</p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>Sleeping over it I noticed another issue with <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/Entra" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Entra</span></a> ID <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> </p><p>Regarding the Global banned password list they write "The contents of the global banned password list aren't based on any external data source, but on the results of Microsoft Entra security telemetry and analysis."<br>(<a href="https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">learn.microsoft.com/en-us/entr</span><span class="invisible">a/identity/authentication/concept-password-ban-bad</span></a>)</p><p>Now I have more questions:</p><p>WHY are passwords part of the security telemetry data?</p><p>The only case where I see this as ok, would be in a honeypot.</p><p>And what kind of data would be in the security telemetry data? Usually it's failed attempts, so you risk overestimating passwords attacks which fail (anyway). Again, this would only be OK with honeypots.</p><p>But if you are getting your data solely from honeypots, I fear you're getting a pre-selected type of data. Namely opportunistic, random attacks not targeted attacks.</p><p>While I think it's valuable to protect against these kind ob attacks, I really would like passwords to withstand even targeted attacks, even from the inside.<br>E.g when the attackers are in the Lateral Movement or Privilege Escalation. Especially if the attackers can start to crack hashes.</p><p>For this Microsoft Entra ID Password Protection seems completely useless there.</p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a></p>
Claudius Link<p>And the Custom banned password list of <a href="https://infosec.exchange/tags/Microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Microsoft</span></a> <a href="https://infosec.exchange/tags/EntraID" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EntraID</span></a> <a href="https://infosec.exchange/tags/Password" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Password</span></a> Protection just continues the joke.</p><p>First, it can only contain 1000 entries. And yes, I really don't want to manage a big custom list.</p><p>And it gets even worse. The list is intended to contain company specific banned words like brand or product names, company-specific internal terms as well as abbreviations. Entries must be at least 4 characters. </p><p>WTF, half the companies I worked for had 3 letter names. And there are many other BWM, KIA, SAP, IBM, GM, BBC, NBA, NFL, UPS, DHL, ...</p><p>And don't get me started on acronyms. <a href="https://infosec.exchange/tags/TLA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>TLA</span></a> (Three-Letter-Acronym) is a term for a reason.</p><p>This means, taking my current company as an example, that SMA12 would be an accepted password (if it would be for the length) because 'SMA' 3 points + '12' 2 points is 5 points).</p><p>To reach the necessary length you could simply combine it. E.g. 'SMASolar1' would be an accepted password even if 'Solar' was a banned word.</p><p>And I CAN'T do ANYTHING!!!</p><p>Or at least not anything sensible. If I start to put combinations of 'SMA*' in the custom banned pw list, I'm back at an inadequate big list I have to manage myself 🤮.</p><p>And even then SMASolar1234 stays valid 🤬<br><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/Fail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fail</span></a> <a href="https://infosec.exchange/tags/SecurityFail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecurityFail</span></a> </p><p>Call for <a href="https://infosec.exchange/tags/Help" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Help</span></a>: I would be very happy if someone can show me that I'm wrong. The state of Microsoft Entra ID Password Protection is a MUCH bigger pain than that I would have been wrong 😜.</p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
LoginDrag & drop to upload