Ask HN: Coworker is logging plaintext passwords - hlmencken

I'm of the opinion that we should never store plaintext passwords anywhere no matter what; he is logging them before hashing them. Is this common and/or acceptable?
======
pfooti
That is in no way responsible, acceptable, or (hopefully), common. At best,
it's an unbelievable security risk. At worst, he's keeping them for his own
nefarious reasons.

------
namecast
Common: sadly, yes. Acceptable? Yikes no!

Important details: whose passwords are being logged? His own? Other
co-workers'? Management's? Clients'? Is management or anyone else for that
matter aware of this? How are they being logged? As part of an application or
some sort of active traffic monitoring?

Context is king, as in all things - this could be anything from a junior dev
fresh out of college with some bad habits that he'll need to be coaxed out of,
to a malicious employee logging client passwords to keep them on hand when he
leaves so that he can sell to the highest bidder on some Russian cracker
forum. It's probably not kosher no matter what the context is, but it's hard
to offer advice on how to react to this without knowing more details.

~~~
hlmencken
Not logging them specifically at all; just in general logs he's not sanitizing
them. He basically said no one else should be able to see the logs, but I'm of
the opinion I should never see our users' passwords. I've left multiple
websites when they sent me an email with my plaintext password.

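The situation described in the reply above is a credential reaching a general-purpose log before it is hashed, so nothing downstream protects it. The real fix is to never log the credential at all (hash first, log only the username and the outcome); as a backstop, a redaction filter attached to every log handler masks credential-shaped values in whatever does get logged, so a `password=%s` left in by mistake is caught before it hits disk. The Python below is an added example written for this thread, not code from the original post or from anyone's employer; the key list, the `key=value` / JSON / bearer-token formats it recognises, the `app` logger name, and the sample log lines are all assumptions constructed for the demo.

```python
import logging
import re

# Keys whose values must never appear in a log line. Assumption: a starting
# point for a hypothetical app, not an exhaustive or standard list.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "api_key"}

MASK = "[REDACTED]"

# key=value, "key": "value" and 'key': 'value' forms for the keys above, with an
# optional word-ish prefix so client_secret=... or new-password=... also match.
# Quoted values are consumed up to the closing quote; bare values stop at
# whitespace or a common delimiter.
_KEY_VALUE = re.compile(
    r"(?P<key>\b[\w-]*(?:" + "|".join(map(re.escape, sorted(SENSITIVE_KEYS)))
    + r")\b[\"']?\s*[:=]\s*)"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>[^\s,&;}]*))",
    re.IGNORECASE,
)

# HTTP bearer tokens carry the secret after the scheme word, not after a key.
_BEARER = re.compile(r"\bBearer\s+[\w.~+/=-]+", re.IGNORECASE)


def _mask_match(m):
    """Keep the key (and the quoting style of the value); replace the value."""
    key = m.group("key")
    if m.group("dq") is not None:
        return f'{key}"{MASK}"'
    if m.group("sq") is not None:
        return f"{key}'{MASK}'"
    return f"{key}{MASK}"


def redact_text(text):
    """Mask credential values in a free-form log line."""
    text = _BEARER.sub(f"Bearer {MASK}", text)
    return _KEY_VALUE.sub(_mask_match, text)


def _is_sensitive_key(key):
    k = str(key).lower()
    return any(s in k for s in SENSITIVE_KEYS)


def redact_mapping(obj):
    """Structured-logging variant: mask values under sensitive keys, recursively,
    and run string values through redact_text (e.g. an embedded raw body).
    Call this on the event dict before json.dumps()."""
    if isinstance(obj, dict):
        return {
            k: MASK if _is_sensitive_key(k) else redact_mapping(v)
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [redact_mapping(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class RedactingFilter(logging.Filter):
    """Render the record's message, mask it, and drop the raw args so no
    handler downstream can reconstruct the original text."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def format_redacted(msg, *args):
    """Build a LogRecord the way logging would, pass it through the filter,
    and return the final message text (used here to show the result)."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def build_logger():
    """Attach the filter to the handler, not the logger: logger-level filters
    do not see records propagated up from child loggers, handler filters do."""
    logger = logging.getLogger("app")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


if __name__ == "__main__":
    log = build_logger()
    # Constructed sample lines, not real traffic.
    log.info('POST /login body={"username": "alice", "password": "hunter2"}')
    log.info("login attempt user=%s password=%s ip=%s", "bob", "s3cr3t!", "10.0.0.5")
    log.info("upstream call header Authorization: Bearer eyJabc.def-ghi")
    log.info("oauth client_secret=%s exchanged", "xyz")
```

Two caveats a practitioner should keep in mind: the filter is pattern-based, so a bare (unquoted) value containing spaces or a custom header the rules do not know about will still leak, which is why it is a backstop and not a substitute for not logging the credential; and because it rewrites `record.msg` and clears `record.args`, it must run on every handler that can reach persistent storage (file, syslog, a log shipper), not just the console one.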
------
charford
In my opinion, passwords should never be stored in a log file. I can't think
of any exceptions to this.

