

Ask HN: Service sends password in plain text, what's my responsibility? - aarondf

Hi there, I'm currently working as an iOS contractor for a big company. I recently requested a way to authenticate users against their database for a demo app I was building. The "Technical Marketing" team built that endpoint, but the answer was to transmit the username and password in the clear AND as a GET request.

What is my responsibility here? All I do is build the apps that help them demo their software, but it has certainly made me uncomfortable to think of transmitting this information in the clear. Has anyone encountered this? Any tips?
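The three problems the post names (credentials in the query string, plain HTTP, and GET for a login) each put the password somewhere it does not belong: access logs, proxy logs, browser history and Referer headers. The following added example (not code from the thread or from the company in question) is a small checker that reports those findings for a given request, beside a builder for the shape a defender would ask for instead: POST over https with the credentials in the body. The endpoint URL, the parameter names `user`/`pass`, and the list of secret-looking parameter names are constructed assumptions.

```python
"""Checks for the credential-handling problems raised in the post.

Added example, not code from the original thread. The demo URL, the
`user`/`pass` parameter names and SECRET_PARAMS are assumptions.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Query-string keys that commonly carry secrets (assumed, not exhaustive).
SECRET_PARAMS = {"password", "pass", "pwd", "passwd", "secret", "token", "api_key", "apikey"}


def credential_exposure_issues(method: str, url: str) -> list[str]:
    """Return findings for an authentication request sent as (method, url).

    Each finding names where the secret would end up if the request is
    sent as given; an empty list means none of the three problems apply.
    """
    issues = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        issues.append(
            "plaintext transport: credentials readable by anyone on the network path"
        )
    query = parse_qs(parts.query)
    leaked = sorted(k for k in query if k.lower() in SECRET_PARAMS)
    if leaked:
        issues.append(
            "secret in query string (%s): lands in server access logs, proxy logs, "
            "browser history and Referer headers" % ", ".join(leaked)
        )
    if method.upper() == "GET":
        issues.append(
            "GET used for authentication: cacheable and bookmarkable, and a login "
            "is not an idempotent read"
        )
    return issues


def build_login_request(base_url: str, username: str, password: str) -> dict:
    """Build the hardened equivalent: POST over https, credentials in a JSON
    body, nothing secret in the URL. Returns a plain dict describing the
    request so its shape can be inspected without a network."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("login endpoint must use https")
    return {
        "method": "POST",
        "url": base_url,
        "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
        "body": json.dumps({"username": username, "password": password}),
    }


if __name__ == "__main__":
    # Constructed request matching what the post describes.
    for finding in credential_exposure_issues(
        "GET", "http://demo.example.com/auth?user=alice&pass=hunter2"
    ):
        print("-", finding)
    fixed = build_login_request("https://demo.example.com/auth", "alice", "hunter2")
    print("hardened request:", fixed["method"], fixed["url"])
    print("remaining findings:", credential_exposure_issues(fixed["method"], fixed["url"]))
```

Moving the secret into a POST body over TLS removes it from URLs and logs, but the password still reaches the server; the usual next step for a demo platform is to exchange it once for a short-lived session token so the app never stores or resends the password itself.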
======
zekenie
Well, it's a demo, right? Will there be any real users on it? If the meat and
bones of the demo isn't user authentication, does it really even matter? As
soon as there is real data, I'd say it's a problem.

~~~
aarondf
Well, not technically. They are a large software company and have lots of demo
servers and demo images to show their software. They have built a user
management platform in front of all of their demo images, which is what I'm
authenticating against. So in the end, it's real user data.

