1. I moved into a 10-unit apartment building and wanted to set up FedEx Delivery Manager. I just put in my new address, no verification whatsoever, and I was immediately given access to the previous tenant’s delivery instructions which included the buildings private garage code. Any thief could have done the same.

2. When I moved out of that building I wanted to add my new address to delivery manager … but I couldn’t. The site errored every time. The reason? Some forums revealed the correct hypothesis that if you have special characters in your password then some parts of the site are permanently broken for you. Including the change password flow. So I had to have my wife make a new account with a worse password.

Truly amateur stuff for an otherwise very impressive company.

I've also been nearly run off the road by FedEx drivers on the highway before. One guy was so angry that I was only going 10 over that he tailgated me within a foot and then punish passed me.

They're also the only service that still corrects my other address to the wrong address. I tried for a whole month to get ahold of anyone there who even knows what address correction is and then just stopped using them for anything important.

They doubled down on "digital" during the pandemic and fired a bunch of CSRs and stuff. It doesn't look like it's working out very well for them.

Depot workers can get up to the weirdest stuff. One time I was returning unused product (oil well perforating guns, a UN 1.4D explosive device) via Yellow Freight. I handed over the cases and signed all the appropriate paperwork to handover custody at the depot and went on about my day. The supplier called me ~10 days later saying they never received the shipment! Perturbed, I called down to the depot who basically shrugged it off with "no idea lol not our problem". Their attitude changed when I told them that in accordance with my license and federal law I would be notifying the ATF at the end of the day that there were missing or lost explosives and it would very much be their problem.

A couple hours later they called back and told me the boxes had missed their truck and were just sitting in the corner of the secure cage in the loading dock, forlorn and forgotten. What the fuck, guys.

Holy fuck. We never shipped these using commercial couriers, but transported them using company trucks and company labor. We'd also have a heavily armed security person escorting them at all times.

For reference, these are long tubes containing many shaped charges. Sometimes you can have hundreds or thousands of shaped charges for a single perforation job. AFAIK, the oil field is the only industry that uses shaped charges outside of the military. Their primary application is piercing tank and ship armor. They kind of "implode" rather than "explode", and generate a sort of lightsaber-beam of superheated copper that lances straight through armor. In this video[0], blue is just a steel casing, yellow is the explosive, and red is the copper which pierces the target.

Not a good thing to "go missing".

0: https://www.youtube.com/watch?v=NoetLNb1Fc4

The manufacturer shipped them to us via Yellow, so we figured it was the simplest route to return the unused items via the same route, since they're properly credentialed and insured and all. It was a specialty project (perforating the casing in a newly drilled geothermal well at depths not more than 100m) so we only used in the realm of a dozen 50# cases of loose perforating guns and built the strings ourselves, bringing the high explosives (det cord that made up the string, detonators) from our own magazines.

> AFAIK, the oil field is the only industry that uses shaped charges outside of the military. Their primary application is piercing tank and ship armor.

They're quite often used in demolition as well, to shear through structural steel members. I've used them to bring down warehouses, bridge decks, bridge piers/supports, assorted industrial buildings and even hand built some crude shaped charges when scuttling a ship. I once went down a fun rabbit hole ordering custom built linear shaped charges for a demo project that saw the LSC's used so deep underwater that the static water pressure in the cavity of the charge would prevent the penetrator from forming properly. It was an interesting iterative design process with the manufacturer to make a sealed unit that maintained an air pocket inside the device at those depths and would seal flat agaisnt the object to be demolished. All akin to military uses sure (especially that last one, i bet the SEALS or some branch of frogmen have underwater satchel charges or limpet mines handy but those weren't available to us) but this was in the civilian construction domain.

> Not a good thing to "go missing".

Not at all!

The chances of that baggage being lost or misdirected is basically zero.

Myself and many of the people I worked with all tried their best. But at the end of the day there is only so much you can do as a temp seasonal worker to prevent such things. They'd rather have a higher amount of damaged/lost items and a higher throughput.

It'd be interesting to see a competitor that made it their goal to handle packages with more care and not have this attitude. However I can't see them getting too far. They would likely have to charge more money, and any of the big companies are not going to care to pay more. They'd rather take the risk and just ship it again if it gets broken on the way. It'll end up being cheaper for them that way. The ones who lose out are the smaller businesses and individuals shipping personal items. It pissed me off when I'd see a damaged package of an item that was clearly a personal homemade thing. Something that isn't easy to just quick send another copy of.

There are "personal courier services" or "white glove courier services" where you hire a specific person to move your package from point A to point B. They stay with your package the whole time, and either carry it on a plane or drive it themselves.

It's expensive, obviously, but the service does exist.

Just like you, I'd love to see a middle-ground, scalable option exist.

The true cost of destroying or misplacing a parcel is often higher than the nominal value of the item inside. Sometimes it’s a sentimental good, sometimes it’s time sensitive and not having it in time results in additional costs to the recipient, sometimes the recipient spends significant time attempting to locate the package.

None of these are appropriately compensated for.

Make these companies liable for the economic cost of the goods plus $200 and they’ll start taking more care.

UPS, on the other hand, can go pound sand. They often refuse to deliver due to weather, then force me to either drive two hours round trip to their distribution center, or charge me to pick it up at the local UPS store.

When when FedEx couldn't get their truck to my house due to road conditions, they were totally fine with my picking it up at their store.

Every service relies on the USPS to some extent, which makes the Republican attempt to gut the organization so baffling. There's no replacement and nobody is looking to replace it.

From my perspective as an ex letter carrier, your personal experience with package delivery is determined almost entirely by whoever runs the local hub and handles last-mile. Unfortunately it's a McDonald's Assistant Manager kind of role; anyone truly competent will be able to find better work sooner or later.

https://www.vox.com/2020/8/18/21374014/post-office-usps-loui...

> the organization could use some serious cuts

Miss the part about them being the backbone of package delivery in this country? Or the part where there's nobody to replace them? Well it doesn't matter since the USPS is financially self-sustaining.

Sarcasm I hope?

https://thehill.com/opinion/congress-blog/4138391-the-usps-n...

"The $company/government isn't doing their job, we need to fire/change government/privatise this function, it would solve everything!"

Well, where do you think the former employees will work after their previous employer shuts down? It's not the form of government/company culture that is the biggest problem I'm affraid.

https://www.bikelaw.com/2017/07/punishment-pass-defined/

I spent 72 hours waiting (3x24 periods they told me to wait and call back tomorrow while they "investigated") for a $1300 package. Initially they said it must have been stolen and its my loss, to which I said "no I was home and near the front door all day, you didn't deliver it". Pretty absurd they can't just look where he was when it was "delivered" and deal with it. Or maybe they can and they just don't bother.

Eventually the person actually called me using my number on the box and said it was delivered there.

Still no recourse from FedEx, whom I have not informed I got the package in the end.

I'm also in the video.

At least that could explain why the driver showed up to the address without dropping off the package. If finding the package takes a non-trivial amount of time, it would add up over the course of the day.

It's otherwise just wild to me that the driver did 99% of the delivery and just noped out of the last 1%.

You have nothing to lose, it’s not like they could threaten to stop delivering your packages.

Problem you'd probably have is getting the judgment, if they show up at the hearing. Their clickwrap agreements are one barrier. Also, you have no relationship with them -- you weren't the customer (and if you were see point 1).

Would be interesting to see what type of claim would work. Maybe conversion (ie theft) if they delivered it to the wrong address. But if they just hold it at the depot, I don't know what claim you could make. Would probably have to take it up with the seller.

Honestly, finding a sheriff to enforce a judgement against FedEx property sounds like the fun part.

As for the SMSs - in Portugal, and I’d guess Australia too, they contract all of their local operations out to some random group of muppets who can’t organise their way out of a paper bag - the SMSs they send me come from a mobile number, are handwritten (they seem to literally have someone whose job it is to write messages, on a phone, and send them), as are the emails. When it comes to delivery, i’m inevitably the last delivery of the day as I live way out in the boonies, and they just go “it’s 5pm I’m going home”, and it goes back to the depot. They drive it back and forth for a week before declaring the parcel undeliverable.

These days, if I see someone has shipped something with FedEx, despite my instructions not to, I immediately request a refund, as I know it won’t arrive.

The whole thing beggars belief.

In my case I got an email about customs and tax payment which was needed, but the link was clearly to fedex.com.

They're telling both that my package will be delivered this afternoon, and that it's in a distribution center 3000 miles away.

i mean in the first case what's at risk is the five-dollar trinket you bought off amazon

I ended up reversing charges for the missing phone and Google immediately wrecked me - I was using Fi at the time so they killed my cell service and killed my ability to use Google Pay for anything - including the Play Store. Probably some other stuff I don't even remember. Between my personal account and my business accounts I realized at that moment that Google could completely wreck my life. Be careful about retaliation for a chargeback, if you live within one company's ecosystem it can be a brutal retaliation you're not ready for.

After getting the account, immediately I get shipping bills for international shipping in the thousands of dollars, both sender and recipient have nothing to do with me. Credit card on file was auto-charged. Removed credit card, started getting thick FedEx bills in physical mail.

It turns out FedEx allows billing to be charged to any account as long as you have their nine-digit account number, so of course scammers do this all the time just generating random numbers. FedEx didn't give a shit, denied my reporting of fraud, allowed more scam shipping even after I reported. Finally I had to initiate chargeback via the credit card issuer and only then did they close the account. But I still get marketing emails that I can no longer turn off. Absolutely not a company anyone should use.

When I moved they someone opened a second account in my name and kept billing me for the original account.

I called Fedex to try to rectify this and, as far as I remember, they either never answered the phone or told me they had no way of contacting the delivery driver (??).

I've always avoided fedex (and UPS, for that matter, since they destroyed two antique lamps that I ordered through ebay) since then.

That's insane lmao

You need separate bins/boxes/whatever for other services to use.

I specifically got a custom domain and email address for any non-personal/"professional" comms, which is essentially just me@<custom-domain-featuring-my-name>.com.

At least with non-ASCII characters in passwords, while I think it is stupid to not handle those properly, I can at least see some sort of an excuse there, no matter how weak it is. All it takes to mess this up is not thinking about handling those scenarios, so I can definitely see "this issue was created due to us not thinking about this possibility or not willing to deal with handling it."

But what's even the reason to not allow sub-3-character local portions of emails? How does one even mess those up, aside from intentionally setting some triggers for less than 3 characters in local portions of email addresses?

Wild guess: someone copy-pasted an incorrect email address validation regex, and different parts of the system are using different criteria for email address validation.

Wonder if they share a vendor.

It's probably better if it shouldn't. It's generally better to prevent passwords from containing characters that can't be entered on a decent proportion of devices you may encounter.

Emojis are particularly problematic because new ones keep being added which require OS upgrades, and you might find yourself needing to log in from another device that just doesn't support those emojis yet.

Also it's not like Unicode makes everything easy. For example, you have to remember to normalize the password before hashing. Otherwise something as simple as "ñ" may be a totally different byte sequence depending on which device you're using.

It is no longer realistic to pretend that only ASCII exists and try to get away with that.

    Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
    >>> "ñ".encode("utf-8")
    b'\xc3\xb1'
    >>> "ñ".encode("utf-8")
    b'n\xcc\x83'

For way too much information on this, see: https://www.unicode.org/reports/tr15/

Even a lot of Unicode-aware code written by a developer aware of at least some Unicode issues often fails to normalize properly, most likely because they're not even aware it's an issue. Passwords are a case where you need to run a Unicode normalization pass on the password before hashing it, but, unfortunately, if you're already stored the wrong password hash fixing it is rather difficult. (You have to wait for the correctly-incorrect password to be input, then you can normalize and fix the password entry. This requires the users to input the correctly-incorrect password; if they only input an incorrectly-incorrect password you can't do anything.) I'd suspect storing a lot of unnormalized passwords before learning the hard way this is an issue is the majority case for homegrown password systems. You hear "don't roll your own crypto" and think reaching for a bcrypt or scrypt library solves it, but don't realize that there's some stuff that needs to be done before the call to those things still.

Emoji weren't officially supported until Unicode 6.0, though there are a subset of current emoji (less than a quarter) that work on Windows 7 in practice.

Meanwhile the current standard is 15.1.

There's no security or convenience necessity whatsoever for supporting emoji in passwords, but inconsistent OS support is an excellent reason against it.

(I've spent about 6 years of my career running video streaming services... People watch a lot of video on TVs, it turns out, so you probably don't want to let them put these sorts of characters into their passwords when they sign up on mobile or computer devices.)

I'm not trying to invalidate your personal experience. You've seen a lot of good social reasons users probably "can't" be trusted with emoji passwords. but at a purely technical level the number of OSes in 2023 that can't pop up an emoji keyboard if asked is incredibly slim and the number that can't have an emoji keyboard in user space as a software addon is even slimmer. If a device doesn't support at least UTF-8 encodings in 2024 that's an entirely different can of worms (and probably a bad sign for the security of the device itself).

Both the Xbox and PS4+ have emoji keyboards. Apple TV has an emoji keyboard. Almost every version of Android TV and Samsung Tizen and Roku and Fire OS and ….

Go ahead, tell me you have a lot of customer support problems that you don't want to support emoji in passwords. That I can believe. I can't believe it's a technical problem in 2023. Emoji are universal enough now in 2024 that OSes are broken if they can't send/receive emoji and don't have some sort of keyboard to input them. Even if we are still turning off the emoji buttons on password fields because we don't trust users to do it for social reasons rather than technical ones.

As I said, it's not about support for emoji as a class.

It's about support for specific emoji. Different OS's are on different versions of Unicode that support different sets of emoji. The older versions don't support the newer emoji.

So yes, in 2024, it would be incredibly easy to create a password using an emoji on your up-to-date Mac that simply can't be entered on your Android-based TV you purchased 3 years ago, because it doesn't have that emoji even though in supports emoji in general.

So no -- it's not for social reasons, it's very much for technical ones.

And trying to implement a rule like "emoji are allowed but only the ones that were present in Unicode 6.0" is incredibly confusing and opaque for end-users, so it's a better experience just to not allow emoji at all.

Additionally, I'm not sure that supporting full Unicode access (or even just the hundreds (?) of emoji) using a D-pad as an input device would be a good UX.

The upper layer might change now and then, to give a veneer of modernity. But just like Windows being built on 90s technology, the stuff underneath could be even more ancient.

Would it, really?

P0 would probably be "10% of our customers can't submit an order." Or "20% of our vendors are experiencing 404s."

We're taking OP's word for it that FedEx doesn't allow certain characters as passwords (actually, from the description, it seems more like FedEx only allows specific characters which is even worse). If either of those are true, it is most certainly a defect. Whether FedEx treats that defect as an emergency is up to them I guess. I'm saying many modern companies would.

You originally said "Weird password issues don't count as broke." I think this might just be a case where we have to "agree to disagree".

If I read it right it sounds even worse. Fedex allows the characters and then random stuff just breaks.

It is much preferred to get a simple "only english alphabet and numbers please" warning message when you are trying to set the password than not getting any warning and then things breaking.

It never makes you feel very confident in an institutions security when they can't even figure out how to get a username/password to work properly on their systems.

I meant broke in the sense of "if it ain't broke, don't fix." If there are over 300 microservices running code, connected to mainframes running code that was originally from the 80s, but they occasionally have password issues - the risks caused by trying to fix it might be greater than it's worth.

That doesn't mean FedEx can't do a better job telling people not to use special characters - or detecting if their current password contains them and forces a password change.

And we ended up where the thread originally begin "FedEx may have the worst and least secure digital platform for a major company."

Besides that is horrible! There should be 1 microservice which deals with passwords, the authentication one. Everything else should just get a token attesting that the user is authenticated (or not).

Thankfully they fixed it at some point, but it's absolutely mind blowing to me that anyone thought it was acceptable in the first place.

(And no, nothing is wrong with my email, it's hosted by a professional email host with the proper MX records and literally only Schwab claims to have this problem with me).

When I graduated, I pulled the money back out. Apparently they issued the final interest payment after I'd emptied the account. For at least a year after that, I got monthly statements informing me that I had an account with less money in it than the postage on the statement.

I remember comparing notes with fellow employees at a previous job, and depending on when you'd started working, the system had different password rules for you (users who'd been created earlier had a smaller set of allowed characters, etc.). Pretty sure it worked out to some Oracle nonsense.

to their credit, they took me seriously and I believe they fixed it reasonably promptly.

At least they don't automatically lowercase and truncate your password behind the scenes like AMEX. Lol.

I used to be able to load the rewards to my account without logging in at all, just clicked the link in my email, but I guess they fixed that and then I realized I didn't know my password.

The package got returned to the sender who wouldn't respond. When I quibbled with my credit card company (Cash App) they said the package had been delivered to the sender, so it was technically "delivered" and I was not eligible for a refund. When I persisted they permanently terminated my account with them so I can never have another Cash App account, thanks to FedEx.

I no longer use FedEx for any shipment that I need to have arrive.

Turns out he actually was from the bank and he did cancel the loan application.

Appropriately enough, the last thing they did was to insist —demand, really— that, in 2018, I fax them my demand. It just so happens that this could have been relatively safe because, after asking everyone I knew for a week (including some venerable hackers), the only way that I found to send a fax was to ask the local branch of the same bank.

Asking them to authorize the transfer wasn’t possible (by showing them all relevant documentation). Asking them to let me send a fax, using their machine, to a sister branch to tell them to authorize a transfer without anyone verifying my ID, was fine.

Because if I got my SSN in my late teens, then my date of birth shouldn't mean much at all to anyone trying to use that method you describe, right?

It’s not impossible but, wow, that’s grinding it out day after day.

Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.

But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this german company...

I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example

The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.

The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, tough, and I'm glad I haven't had to do this myself yet.

Besides that it also needs to perform the payment, why do they need to pull 180 days of transaction history just so that I can give the merchant their money? (I'd be happy to just be given an IBAN number and transaction description to use and do it myself.)

At least that's what the consent screen said it was going to do: assess my creditworthiness before withdrawing the money. There was no way to pay without sharing who my employer is and how much I earn, which shops I visit in which cities, where I've been on holiday, what online purchases I do and on which platform and how frequently and for how much, etc. Obviously I declined this but since it's one of the logos you see every time, I guess a lot of people "consent" to this (knowingly or otherwise)

Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.

As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.

I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are but a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.

The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.

SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.

No point. If he is a scammer he has a thick skin. If he is working for the bank this is either a training or a policy issue.

Just refuse politely and report to the bank. (preferably to some security channel if there is one.)

Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.

Later got a letter saying it wasn't possible to followup on my issue and they didn't see any issues with what I had raised. I tried... :/

The issue, I think, is the larger the company is the more incentivized it is to hide away access to it's internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.

Plot twist! Didn't see that coming.

Seems bizarre to me that this would happen, but reading sibling comments just keeps having me shake my head in dismay.

- Coming from a domain that looks nothing like the official domain of the company, rather some generic @itservice.com or something. - Subject: "URGENT: your account is expiring soon". - Multiple links provided in the email body, all illegible and multiple lines long, none of them from a domain that I can immediately link to the company. - No alternative way of resolving the issue is provided other than clicking on one of those links (no "go to your account settings", "contact your line manager" or so).

And still, it turns out it was real.

~100k employees company btw

The same guys also force us to change our passwords every 6 months and block the last twenty. Passwords we have to enter in systems that can’t pull directly from password managers and thus have to type 10-20 per day. Guess the average strength of an employee password!

I think IT incompetence should lead to audit fails or even better delisting from exchanges.

Combined with the fact that the largest single source of spam I'm seeing right now is also coming from random tenant GUIDs .onmicrosoft.com (is Azure really missing that much SMTP security for random M365 tenants?) and this sort of corporate anti-training users to follow bad transactional email links, it certainly feels like we are in a perfect storm of M365 phishing.

Overall when compared to Google's suite of products, M365 just seems so sloppy.

This should be out of the hands of the local IT clowns entirely.

However, the password rotation requirement was until relatively recently something that many IT auditors would actually recommend, even though it leads directly to bad user password choices. In fact I wouldn't be at surprised to learn that was still the case in a lot of places.

People understandably get really fired up by the idea of not having to change their password every 90 days, but forget that the guidelines are a package that contains a lot of "shall"s (no password expiration is a mere "should") that would be more painful for organizations stuck with a lot of legacy software, like the requirement to use two authentication factors and the use of secure authentication protocols.

Note: I only do this when I have these requirements and I can’t use a password manager.

ReallyLongP@assword$01, ReallyLongP@assword$02, ReallyLongP@assword$03, and so on.

Then I became CTO and retired the policy to align to modern NIST recommendations, so that "18" is in there forever :)

Now there's a positive rule about not doing it.

When the NIST added the bad rule into their ruleset (it was mostly a collection of bad rules at the time), it was already widely mocked in popular culture (well, within the target population).

I now wonder if that ruleset (the original one, that basically mandated you copy every flaw on Windows NT) was honest.

"Come to think of it, it's about time to replay Deus Ex again..."

NIST has very good password complexity and management guidelines. Just USE THEM! It’s not that hard!

How do you have billion dollar companies that can’t RTFM.

On the other, an expert witness has specifically represented themselves to be an expert. Is there any level of incompetence that raises to the level of perjury in that case? IMO there ought to be.

Whether the technique or theory in question can be, and has been tested; Whether it has been subjected to publication and peer review; Its known or potential error rate; The existence and maintenance of standards controlling its operation; and Whether it has attracted widespread acceptance within a relevant scientific community.

The expert does not “know.” The expert is the only witness who can give an opinion, more or less. Because the opinion is backed up by something, the court considers it useful.

The technique they use is what’s important, not whether their opinion contradicts a fact. I think you will find in many expert trials, two experts get the same facts and come to two completely contradictory opinions, neither of which is perjury.

It's good we have 26 letters, that comfortably leaves you a margin of 6 combinations :-)

While I know this may be fruitless, it might be worthwhile to point out to them that the official guidance from NIST and similar organizations is now not to do this.

The IT department where I work required yearly password changes up until I brought this change to their attention, at which point they changed to simply recommending a password change if you have reason to believe it might have been compromised.

Same problem here. My solution: Get a mouse with internal memory for macros, such as Natec Genesis GX78 (old, no longer available, but this is an example). Program your new password on one of the unused mouse buttons or in a different profile. Use the mouse to type the password.

Could make it double as a YubiKey.

Surely this exists already?

No, it identifies as a keyboard. It also defaults to generating a password that will use the same scancodes on (most?) western keyboard layouts so that computers configured to default to e.g. QWERTZ or AZERTY will still result in the same password.

It's very niche, but in those rare situations it'll be a big time-saver compared to human transcription or the rigamarole of setting up some other kind of data channel.

1: http://inputstick.com

2: https://github.com/inputstick

Fear of policy is why you get things like "force us to change our passwords every 6 months and block the last twenty". Getting a central arbiter of IT competence is a hard problem.

It is interesting how sometimes creating "more secure" measures results on less security. Our IT department decided that using 2fa for vpn is not enough, we should also extra 2fa for connecting to the webmail even through intranet or vpn. Guess who stopped using the vpn.

Meanwhile, one can set up and use our email through any email client app on desktop or mobile without any 2fa at any step. Go figure.

If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.

They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)

There are 1000s of such organizations, and many conflict with each other.

My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable, for not following me.

Does that make it so? No.

Password1

Password2

Password3

Etc

PasswordFebruary2024!

Where month and year update on the date of forced password change.

hunter3

hunter4

hunter5

Password1

Password1

Password1

Etc?

So a hacker can infer that my password is tacokissies69000 of some sort..

So I hang up and call my bank directly. I spend 10 minutes going through the phone maze to talk to someone. Finally I get to them, and they confirm that is a number that they use to contact people. How come when you list numbers on your website you don’t list this one? Well, they said they often call from numbers they haven’t listed online. How about that e-mail, do you send those? Well, we sometimes contact people by e-mail, if it says it’s from us in the from: line you can click on it. Did you guys send that one? I don’t have that information; don’t click on it if the from: line isn’t us, but if it is, go ahead.

Worth noting - do not trust the incoming callerid number. This is trivial to fake.

Sorry for the probable sarcasm. In a company that size, if the IT center does not provide a means to report phishing attempts then there are more serious problems than a dodgy email campaign.