Ask HN: Coworker is logging plaintext passwords

1 points by hlmencken ↗ HN
I'm of the opinion that we should never store plaintext passwords anywhere no matter what, he is logging them before hashing them. Is this common and or acceptable?

4 comments

[ 2.9 ms ] story [ 1911 ms ] thread
That is in no way responsible, acceptable, or (hopefully), common. At best, it's an unbelievable security risk. At worst, he's keeping them for his own nefarious reasons.
In my opinion, passwords should never be stored in a log file. I can't think of any exceptions to this.
Common: sadly, yes. Acceptable? Yikes no!

Important details: whose passwords are being logged? His own? Other co-workers? Management? Clients? Is management or anyone else for that matter aware of this? How are they being logged? As part of an application or some sort of active traffic monitoring?

Context is king, as in all things - this could be anything from a junior dev fresh out of college with some bad habits that he'll need to be coaxed out of, to a malicious employee logging client passwords to keep them on hand when he leaves so that he can sell to the highest bidder on some Russian cracker forum. It's probably not kosher no matter what the context is, but it's hard to offer advice on how to react to this without knowing more details.

Not logging them specifically at all, just in general logs he's not sanitizing them. He basically said no one else should be able to see the logs, but i'm of the opinion i should never see our user's passwords. I've left multiple websites when they sent me an email with my plaintext password