War Stories

Password Of The Day

So you’re telling me you wrote an unsalted, date-seeded, unsigned, deterministic password generator?

In the initial interview, the client expressed a desire to modernize their security. They wanted someone with multiple iterations of implementing other types of authentication. MFA, passwordless device flows, SSO. I told them I was pretty well versed in SAML and OIDC, and had some hard-earned experience doing multi-generational technology leaps, and thought I might be well suited for the task. I even worried that I had insulted the manager’s competence by claiming Basic Auth is (still) a useful stepping stone in some scenarios.



The NSO (No Sign On) Auth Scheme

In what is perhaps the most brilliant act of malicious compliance I have ever witnessed…

Early in my career I bullied my way into a de facto tech lead position on a small software team in a pretty big organization.

The most powerful and vocal of our users used our software passively as a kind of combination dashboard and news aggregator. They had lots of passwords to lots of systems, and they did not want another one for ours. They made this very clear - not one more goddamned password.
