from Hacker News

Ask HN: Coworker is logging plaintext passwords

by hlmencken on 9/30/14, 11:46 PM with 4 comments

I'm of the opinion that we should never store plaintext passwords anywhere, no matter what; he is logging them before hashing them. Is this common and/or acceptable?
  • by pfooti on 9/30/14, 11:48 PM

    That is in no way responsible, acceptable, or (hopefully), common. At best, it's an unbelievable security risk. At worst, he's keeping them for his own nefarious reasons.
  • by namecast on 10/1/14, 12:08 AM

    Common: sadly, yes. Acceptable? Yikes no!

    Important details: whose passwords are being logged? His own? Other co-workers? Management? Clients? Is management or anyone else for that matter aware of this? How are they being logged? As part of an application or some sort of active traffic monitoring?

    Context is king, as in all things - this could be anything from a junior dev fresh out of college with some bad habits that he'll need to be coaxed out of, to a malicious employee logging client passwords to keep them on hand when he leaves so that he can sell to the highest bidder on some Russian cracker forum. It's probably not kosher no matter what the context is, but it's hard to offer advice on how to react to this without knowing more details.

  • by charford on 9/30/14, 11:51 PM

    In my opinion, passwords should never be stored in a log file. I can't think of any exceptions to this.
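As an added example for the scenario the thread describes (not code from the original post, the poster's employer, or any commenter), the Python below shows the "log the payload, then hash" handler beside a hardened one that hashes first and logs a redacted copy, a `logging.Filter` that scrubs `password=...` pairs as a backstop for any sloppy log call, and an audit helper that finds lines in an existing log that still carry a secret in clear. All names (`redact`, `RedactingFilter`, `hash_password`, `login_insecure`, `login_secure`, `scan_log_for_plaintext`, `demo`), the `SENSITIVE_KEYS` list and the sample log lines are assumptions made for this example; the sample log is constructed, not real data.

```python
"""Keeping passwords out of logs: redact before logging, filter as a backstop, audit old logs.
Added example for this thread; not code from the original post. All names are assumed."""
import hashlib
import logging
import os
import re
from io import StringIO
from typing import List, Optional

# Field names whose values must never reach a log (assumed list; extend for your app).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "new_password", "token", "secret")
REDACTED = "[REDACTED]"
# Matches `password=hunter2`, `'password': 'hunter2'`, `pwd: hunter2` and similar.
SECRET_PATTERN = re.compile(
    r"(?i)(\b(?:" + "|".join(SENSITIVE_KEYS) + r")\b['\"]?\s*[:=]\s*['\"]?)([^\s'\",}]+)"
)


def redact(payload: dict) -> dict:
    """Return a copy of a request payload with sensitive values replaced (recursive)."""
    out = {}
    for key, value in payload.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = REDACTED
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


class RedactingFilter(logging.Filter):
    """Backstop on the handler: scrub key=value secrets from every record it emits,
    so even `log.info("%s", request)` cannot write a password to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = SECRET_PATTERN.sub(r"\g<1>" + REDACTED, record.getMessage())
        record.args = ()  # message is already interpolated above
        return True


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 from the standard library (argon2 or bcrypt is preferable in production)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return f"pbkdf2_sha256$200000${salt.hex()}${digest.hex()}"


def make_logger(name: str, redacting: bool):
    """Logger writing to an in-memory buffer so the demo can inspect what was logged."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    if redacting:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, buf


def login_insecure(payload: dict, log: logging.Logger) -> str:
    """What the thread describes: the raw payload, password included, is logged before hashing."""
    log.info("login attempt: %s", payload)
    return hash_password(payload["password"])


def login_secure(payload: dict, log: logging.Logger) -> str:
    """Hash first, then log a redacted copy; the handler filter is a second barrier."""
    digest = hash_password(payload["password"])
    log.info("login attempt: %s", redact(payload))
    return digest


def scan_log_for_plaintext(lines) -> List[int]:
    """Audit helper: 1-based numbers of log lines that still carry a secret in clear."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = SECRET_PATTERN.search(line)
        if m and m.group(2) != REDACTED:
            hits.append(lineno)
    return hits


# Constructed sample of an application log to audit (not real log data).
SAMPLE_LOG = [
    "2014-09-30 23:46:01 INFO login attempt: {'user': 'alice', 'password': 'hunter2'}",
    "2014-09-30 23:46:02 INFO login attempt: {'user': 'bob', 'password': '[REDACTED]'}",
    "2014-09-30 23:46:03 INFO password reset requested for user carol",
    "2014-09-30 23:46:04 DEBUG POST /login body=user=dave&password=correct-horse",
]


def demo() -> dict:
    """Run both handlers on a constructed payload and return what each logger wrote."""
    payload = {"user": "alice", "password": "hunter2"}  # constructed sample input
    insecure_log, insecure_buf = make_logger("insecure", redacting=False)
    secure_log, secure_buf = make_logger("secure", redacting=True)
    login_insecure(payload, insecure_log)
    login_secure(payload, secure_log)
    secure_log.info("raw: %s", payload)  # same sloppy call, caught by the filter
    return {"insecure": insecure_buf.getvalue(), "secure": secure_buf.getvalue()}


if __name__ == "__main__":
    print(demo())
    print("leaking lines:", scan_log_for_plaintext(SAMPLE_LOG))
```

Redacting by field name in the application code is the real fix; the handler filter only catches the `key=value` shapes its regex knows about, so treat it as defence in depth rather than a substitute. The audit helper is the check to run over existing logs once a leak like the one in the thread is found, since those files (and any backups or log shippers that copied them) need purging as much as the code needs fixing.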