Author Topic: Your pet peeve, technical or otherwise.  (Read 572104 times)


Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 4006
  • Country: nl
Re: Your pet peeve, technical or otherwise.
« Reply #2900 on: December 31, 2022, 08:33:10 pm »
You missed

Portal 1 and 2
Portal bridge builder
The Turing test


Offline paulca

  • Super Contributor
  • ***
  • Posts: 4135
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2901 on: December 31, 2022, 08:35:33 pm »
Kids games.  Education games.

Fail.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline paulca

  • Super Contributor
  • ***
  • Posts: 4135
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2902 on: December 31, 2022, 08:43:28 pm »
Quote
every single damn thing these days requiring your name email and phone number to log in.

Yep!  100% tired to **** with this.

In work as the holiday period code freeze approached the broadcast went out that all developers must complete 10 hours of online training in code security and policies.

I ignored it.  They have done the same thing every year.  It goes away again.  The system they direct you to has changed many times and is always sh1t.  Can't find what course to do, find a wiki with 100 pages and "self assessment tests".  Meh.

My manager repeated the broadcast so I went and looked.  I was redirected to a third party website and asked to accept a privacy policy, which I denied.  I also raised concerns with my employer's data controller.  I haven't done that training.  When I get back in after new year week it will have disappeared as the code freeze is gone, but I'm still annoyed.  What information was given to this 3rd party?  Who consented or authorized the data transfer cross borders?  My data controller basically said they will claim "Legitimate interest use" of my data and we discussed that as a UK citizen sharing by contract, data, to the USA and there currently being ZERO legal framework for UK+GDPR+US ... means my data is free game in the US now.

I bought a router.  In order to log into it and configure it without a mobile phone internet connection took me a day of messing.  It constantly wanted me to log in and create an online account and would NOT tell me the IP of the device, only a hostname that redirected through their mDNS.   Grr.  I did manage it though.

My fear is that 99% of people don't know, and thus don't care.  They are the product and they don't see how dangerous that is.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 
The following users thanked this post: bigfoot22

Offline Infraviolet

  • Super Contributor
  • ***
  • Posts: 1101
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2903 on: January 01, 2023, 12:58:52 am »
Please warn as to which dreadful company is making those routers which need a phone to visit the internet to configure them...
The very idea of a router expecting you to have internet access at the time you're configuring it is madness, a lot of people set up a router's settings first when they move house before trying to connect to the wider internet at all, and cannot get to the wider internet until they've done setup.
 

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 926
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2904 on: January 01, 2023, 12:42:50 pm »
Quote
Please warn as to which dreadful company is making those routers which need a phone to visit the internet to configure them...
The very idea of a router expecting you to have internet access at the time you're configuring it is madness, a lot of people set up a router's settings first when they move house before trying to connect to the wider internet at all, and cannot get to the wider internet until they've done setup.

That reminds me of the older windows issue that used to say something along the lines of you have a problem with your internet, to fix this problem go onto the internet to this site to find a solution.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 926
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2905 on: January 01, 2023, 12:49:19 pm »
My pet peeve at the moment is websites expecting and requiring me to set up 2FA, usually insisting on a mobile number. Now when the website leaks my info it will leak that extra bit of info which means I will then be on a list to get scam text messages. I understand the use of this for things that are important but really DGAF if it's for an online shop.

Much like the websites that made you use very complicated passwords with UPPER and lower case letters, symbols, >12 digits but <15 etc. which often you would get wrong so you reset it only to find the new password you set can't be used as it's the same as the old one.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 

Offline paulca

  • Super Contributor
  • ***
  • Posts: 4135
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2906 on: January 01, 2023, 06:39:53 pm »
It was a NetGear Nighthawk R7000.  Its stock firmware lasted about 24 hours before it got OpenWRT'd.

I believe the way it's meant to work is...  you download their app via the QR code on the router.  The QR code also contains the hardware generated SSID and Passcode for its config WAP.  So the app connects your phone to the router's Wifi and does the initial configuration.  All while sending all the data back home.

The next pet peeve on my list to kill off is the SmartTV advertising at me.  I put them out on the guest network when they were found "rummaging" in fileshares.  Seems PiHole is not preventing them downloading ads.  I only need network on the smart TV to watch 4K netflix so I might make it optional, in the sense I can pull the network cable out of the TV unless I want to watch netflix :)

All 3 of my APs are OpenWRT, including the central Linksys WRT3600 central router.  All my LAN is VLAN hardware switched.  2 VLANs, Open and Guest.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Your pet peeve, technical or otherwise.
« Reply #2907 on: January 01, 2023, 08:10:23 pm »
Quote
Much like the websites that made you use very complicated passwords with UPPER and lower case letters, symbols, >12 digits but <15 etc. which often you would get wrong so you reset it only to find the new password you set can't be used as it's the same as the old one.

The thing that drives me up the wall with that is the conflicting requirements of different sites. Some require special characters, some don't allow them, etc, which prevents using the same system of passwords. I don't share passwords across any sites I actually care about, but my passwords do mostly follow a convention that makes it possible for me to remember them. Password managers help mitigate that but they also make me a little uneasy because if someone does manage to compromise my password manager (say they break in and steal my laptop) then they have access to EVERYTHING.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Your pet peeve, technical or otherwise.
« Reply #2908 on: January 01, 2023, 08:11:47 pm »
Quote
It was a NetGear Nighthawk R7000.  Its stock firmware lasted about 24 hours before it got OpenWRT'd.

I have one of those too, I used the stock firmware for just long enough to boot it up and flash it with Tomato. I don't know why but stock firmware on consumer routers is universally garbage.
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 7041
  • Country: va
Re: Your pet peeve, technical or otherwise.
« Reply #2909 on: January 01, 2023, 08:40:13 pm »
Quote
It was a NetGear Nighthawk R7000

Netgear have form for creating firmware that resembles a steaming pile. Hardware tends to be OK (their metal-cased dumb switches were nice) but software requires a skillset they've never been able to assemble. The classic example is them hardcoding the IP address of an NTP server at a university, and then having it looked up every second. On every router they sold. And then ignoring the reports of the problem that resulted due to excessive traffic.

A long writeup of it is here: https://pages.cs.wisc.edu/~plonka/netgear-sntp/
 

Offline SilverSolder

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Your pet peeve, technical or otherwise.
« Reply #2910 on: January 01, 2023, 11:37:18 pm »
Quote
[...]
Much like the websites that made you use very complicated passwords with UPPER and lower case letters, symbols, >12 digits but <15 etc. which often you would get wrong so you reset it only to find the new password you set can't be used as it's the same as the old one.

The whole concept of these super-complicated passwords is completely shot through the head anyway -  since any reasonable web site should lock the account after 5 or so failed login attempts.   How complex does a password have to be to survive 5 attempts?  -  obviously a few letters/digits is more than enough.
 
The following users thanked this post: CatalinaWOW

Online PlainName

  • Super Contributor
  • ***
  • Posts: 7041
  • Country: va
Re: Your pet peeve, technical or otherwise.
« Reply #2911 on: January 02, 2023, 09:11:31 am »
If the user hasn't got it right in 5 attempts then they've probably forgotten the password. But the proper way to do it is to either unlock the account after some period (30 minutes, say) or implement increasing pauses between attempts. The idea is simply to slow things down so it would take the heat death of the universe to brute force access but still allow a genuine user to recover from a senior moment.
 
The following users thanked this post: SilverSolder, CatalinaWOW, bigfoot22

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 926
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2912 on: January 02, 2023, 09:32:33 am »
Often on a webserver you use something like fail2ban which you can set various triggers for and it just watches your logs and looks for attempts to get into SSH, Wordpress etc. It's rather annoying that you have these script kiddies out there who are just setting up a script to go off in search of a potential hackable site.

The sad thing is the password is only 1 part of the problem. Hackers/scammers evolve to work with the current protection protocols. The human is again the weak link. It's worth it to them to keep at it as we do so much online that there is real money in it for them.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 

Offline paulca

  • Super Contributor
  • ***
  • Posts: 4135
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2913 on: January 02, 2023, 02:20:04 pm »
The password strength thing has two poles.

On one side the person who wrote the original password complexity and updating garb in the 70s admitted that he had not expected it to be picked up so widely, but also admitted he had caused so much insecurity in computing because... the majority of people start writing passwords down when they get too complicated to remember.  Defeating the purpose.

On the other side however, in today's world of cloud castles which present perfect targets.... all your eggs in one big basket along with everyone else's...    databases get hacked.  Entire user data tables get stolen.  Thankfully 99% of them, these days, if it wasn't written by a 16yo in his bedroom will encrypt or at least hash passwords.  Turns out however if you hand that table of hashed passwords to a 3080 GPU running custom software it will have most of the 6 or less digit passwords brute forced in minutes.  It's only when you get above 10 digits which include the full upper, lower, number, punctuation 70 odd characters... that it starts to take hours and hours and hours.  I believe it takes several weeks to crack the 12 digit complex passwords if it can.  They don't just use rotating guesses either.  It is pre-trained and has massive pre-canned "seed" passwords like "password", "passwd", "petsname".  It scans with those, then modifies them slowly, combines them etc. etc.  The software just generates millions of passwords a second and compares the hashes to all the passwords in the DB.  They even have the most popular few thousand passwords pre-hashed.  Heck there is a website out there that will give you the possible values for a hash.  No shocker that short passwords like "password" tend to reverse quite easily once you filter out the random garbage.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 
The following users thanked this post: SilverSolder, bigfoot22

Offline SilverSolder

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Your pet peeve, technical or otherwise.
« Reply #2914 on: January 02, 2023, 03:15:48 pm »
Quote
The password strength thing has two poles.

On one side the person who wrote the original password complexity and updating garb in the 70s admitted that he had not expected it to be picked up so widely, but also admitted he had caused so much insecurity in computing because... the majority of people start writing passwords down when they get too complicated to remember.  Defeating the purpose.

On the other side however, in today's world of cloud castles which present perfect targets.... all your eggs in one big basket along with everyone else's...    databases get hacked.  Entire user data tables get stolen.  Thankfully 99% of them, these days, if it wasn't written by a 16yo in his bedroom will encrypt or at least hash passwords.  Turns out however if you hand that table of hashed passwords to a 3080 GPU running custom software it will have most of the 6 or less digit passwords brute forced in minutes.  It's only when you get above 10 digits which include the full upper, lower, number, punctuation 70 odd characters... that it starts to take hours and hours and hours.  I believe it takes several weeks to crack the 12 digit complex passwords if it can.  They don't just use rotating guesses either.  It is pre-trained and has massive pre-canned "seed" passwords like "password", "passwd", "petsname".  It scans with those, then modifies them slowly, combines them etc. etc.  The software just generates millions of passwords a second and compares the hashes to all the passwords in the DB.  They even have the most popular few thousand passwords pre-hashed.  Heck there is a website out there that will give you the possible values for a hash.  No shocker that short passwords like "password" tend to reverse quite easily once you filter out the random garbage.

I wasn't thinking about that side of it, but you're right, it protects you against others getting hacked. 

Usually I sign up to everything I can with disposable IDs, but there are absolutely some places where you can't do that!
 

Offline AndyBeez

  • Frequent Contributor
  • **
  • Posts: 856
  • Country: nu
Re: Your pet peeve, technical or otherwise.
« Reply #2915 on: January 02, 2023, 06:10:06 pm »
Quote
Most hacked passwords revealed as UK cyber survey exposes gaps in online security
https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

Plug these into your pentest scripts - a small selection from the most loved passwords out there:
Quote
123456
123456789
qwerty
password
...
1q2w3e4r5t
qwertyuiop
123
monkey
...
ginger
nicole1
mylove
arsenal
...
patrick1
loser1
mother1
lalala
...
cowboy24
memyselfi
trevor3
nudist

There are 100,000 listed in this flat text document.

Educate and inform: https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt
 

Offline CatalinaWOW

  • Super Contributor
  • ***
  • Posts: 5356
  • Country: us
Re: Your pet peeve, technical or otherwise.
« Reply #2916 on: January 03, 2023, 12:06:09 am »
Sure, using a common password makes cracking easier.  But as stated above, if methods are used to slow down the attempts it is still robust enough.  A brute force attack on a 100k list will take 50k attempts on average.  Just putting a five second delay in would make that a nearly 3 day effort.  And if you are willing to slightly inconvenience those who need multiple attempts to enter their own password it is easy to raise that time into years.

The problem isn't in the intrinsic security of passwords due to length, it is the vulnerability to attacks that completely bypass the login process.  Things like getting access to the table of passwords or phishing attacks to get people to voluntarily expose their password.
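
The increasing-pause scheme from reply #2911 and the timing arithmetic in the post above, as an added example that is not code from any poster in this thread. The policy values (1 s pause doubling up to a 30-minute cap), the `LoginThrottle` and helper names, and the sample account are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time


def delay_after(failures, base=1.0, factor=2.0, cap=1800.0):
    """Pause (seconds) enforced after the Nth consecutive failure, capped."""
    if failures <= 0:
        return 0.0
    try:
        return min(cap, base * factor ** (failures - 1))
    except OverflowError:          # the uncapped value no longer fits a float
        return cap


def seconds_to_try(guesses, **policy):
    """Total enforced waiting for `guesses` consecutive wrong guesses."""
    return sum(delay_after(n, **policy) for n in range(1, guesses + 1))


class LoginThrottle:
    """Per-account increasing pause; the cap doubles as an automatic unlock."""

    def __init__(self, verify, clock=time.monotonic, **policy):
        self.verify, self.clock, self.policy = verify, clock, policy
        self.state = {}            # account -> (failures, earliest next try)

    def attempt(self, account, password):
        failures, not_before = self.state.get(account, (0, 0.0))
        now = self.clock()
        if now < not_before:       # too early: the guess is not evaluated
            return "wait", not_before - now
        if self.verify(account, password):
            self.state.pop(account, None)
            return "ok", 0.0
        pause = delay_after(failures + 1, **self.policy)
        self.state[account] = (failures + 1, now + pause)
        return "denied", pause


def pbkdf2_verifier(accounts):
    """accounts maps name -> (salt, PBKDF2-HMAC-SHA256 digest)."""
    def verify(account, password):
        # Unknown accounts still pay for one hash, so timing does not differ.
        salt, digest = accounts.get(account, (b"\0" * 16, b""))
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(guess, digest)
    return verify


def demo():
    salt = os.urandom(16)          # constructed sample account
    stored = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    now = [0.0]                    # fake clock so the demo needs no sleeping
    gate = LoginThrottle(pbkdf2_verifier({"alice": (salt, stored)}),
                         clock=lambda: now[0])
    log = [gate.attempt("alice", "123456"),     # denied, 1 s pause
           gate.attempt("alice", "qwerty")]     # arrives too early: wait
    now[0] = 1.0
    log.append(gate.attempt("alice", "monkey"))         # denied, 2 s pause
    now[0] = 3.0
    log.append(gate.attempt("alice", "correct horse"))  # ok, counter reset
    return log


if __name__ == "__main__":
    print(demo())
    day, year = 86400, 86400 * 365
    print(seconds_to_try(50_000, base=5.0, factor=1.0) / day, "days")
    print(seconds_to_try(50_000) / year, "years")
```

The state here is kept per account, so guesses spread thinly across many accounts are not slowed; log-watching tools such as fail2ban, mentioned earlier in the thread, cover that by acting on the source address instead.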
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: Your pet peeve, technical or otherwise.
« Reply #2917 on: January 03, 2023, 01:32:02 am »
Quote
Most hacked passwords revealed as UK cyber survey exposes gaps in online security
https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

Plug these into your pentest scripts - a small selection from the most loved passwords out there:
Quote
123456
123456789
qwerty
password
...
1q2w3e4r5t
qwertyuiop
123
monkey
...
ginger
nicole1
mylove
arsenal
...
patrick1
loser1
mother1
lalala
...
cowboy24
memyselfi
trevor3
nudist

There are 100,000 listed in this flat text document.

Educate and inform: https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt

That list is nearly as dodgy as Hunter's laptop.
iratus parum formica
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 7041
  • Country: va
Re: Your pet peeve, technical or otherwise.
« Reply #2918 on: January 03, 2023, 10:57:29 am »
Quote
the VPS operators make sure that you have a secure password emailed to you on signup

Here in the UK a well-known VOIP provider uses an 8-digit number as the account name, and a 6-digit number as the password. No non-digits allowed and you can't change them - I presume this is because they need to be presented via a phone during connection, and the protocol allows only digits. However, their website login used (until 6 months ago) the same details for account login.
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 4006
  • Country: nl
Re: Your pet peeve, technical or otherwise.
« Reply #2919 on: January 03, 2023, 11:46:54 am »
If they break into your house and hold you at gunpoint though while your laptop is powered up and unlocked, what are you gonna do? Die for some passwords? No.

All forms of security has its limitations.

When this happens, chances are that you die either way. People who have no morals and go to the extent of breaking into your house and holding you or your loved ones at gunpoint, mostly won't hesitate to kill to make sure no one can testify against them.

Offline negativ3

  • Regular Contributor
  • *
  • Posts: 142
  • Country: th
Re: Your pet peeve, technical or otherwise.
« Reply #2920 on: January 03, 2023, 12:45:28 pm »
Accepting cookies and turning off ad blockers.
 

Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 926
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2921 on: January 03, 2023, 08:41:14 pm »
Seems Listy is reading this thread,

Hackaday: The Problem With Passwords.
https://hackaday.com/2023/01/03/the-problem-with-passwords/

Some of the comments are interesting.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 

Offline paulca

  • Super Contributor
  • ***
  • Posts: 4135
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2922 on: January 03, 2023, 09:35:28 pm »
Quote
the VPS operators make sure that you have a secure password emailed to you on signup

Here in the UK a well-known VOIP provider uses an 8-digit number as the account name, and a 6-digit number as the password. No non-digits allowed and you can't change them - I presume this is because they need to be presented via a phone during connection, and the protocol allows only digits. However, their website login used (until 6 months ago) the same details for account login.

The point with numerics is they can be totally "pure".

My bank uses purely numeric tokens.  I say tokens, things only used for online banking, a "customer number" and a 8 digit pin + a RSA token generator.

Point is that none of them have any relevance to anything, they are entirely pure numbers.  Could be anything.  Nothing can be implied from them at all.

Recently they also added mobile app authentication, which is trusting that fingerprint sensor an awful lot.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline armandine2

  • Frequent Contributor
  • **
  • Posts: 645
  • Country: gb
Re: Your pet peeve, technical or otherwise.
« Reply #2923 on: January 03, 2023, 10:14:16 pm »
hot glue guns?

my limited experience is not a happy one (or expensive) - luckily the last one I bought came with a spare nozzle
Funny, the things you have the hardest time parting with are the things you need the least - Bob Dylan
 

Online PlainName

  • Super Contributor
  • ***
  • Posts: 7041
  • Country: va
Re: Your pet peeve, technical or otherwise.
« Reply #2924 on: January 03, 2023, 10:28:58 pm »
Spend a bit more and get a decent glue gun, not the cheapest.

Worth looking at battery powered ones - those tend to warm up in seconds, whereas the cabled ones take half of forever.
 
The following users thanked this post: tooki

