#SquareEnix, your password and e-mail restrictions, use of security questions and other sign-up form requirements suck...

• Password field can't be pasted into
• Password field can't be filled by the browser's password generator (option doesn't show up)
• Password phrases aren't possible as spaces seem to be disallowed
• Additional restrictions such as limiting the amount of repeated characters only provide additional rules for brute force systems, thus reducing the total amount of possible choices. In addition they make it hard for password generators to create a valid password.
• Putting limitations on the kinds of special characters allowed, makes me wonder doubt your user input sanitation...

In addition to this, they are asking for a 'security question', which are notoriously easy to find, guess or social engineer.
The first couple of answers I gave were also refused.

Plus-signs are also not allowed in the e-mail address field, thus making it impossible to use #PlusFiltering, while also going against the #EMailRFC, which states that plus signs are allowed in the local-part of the address.

#Password #Passwords #PasswordFail #Security #SecurityFail #Squeenix #SquareEnix #FFXIV #emailFail #PasswordRestrictions #SecurityQuestions

Scenario: You're asked to provide security monitoring on logs from a bespoke system or one that uses technology that there isn't much in the way of security tooling or rules for already, say an API interface.

What's your approach? I guess it's going to be a 'it depends' depending on how it's deployed right? (e.g. facing internet), or do you reject it and only take on logs you know have a known security value? Or keep them but just for incident response?

#detectionengineering #detection #siem #securityquestions #blueteam #mssp

Nihilistic Password Security Questions https://www.schneier.com/blog/archives/2020/09/nihilistic-password-security-questions.html #securityquestions #Uncategorized #passwords #humor