69
nano
7y

logger.info(String.Format(" User {0} changed their password from {1} to {2}", username, oldPassword, newPassword))

Production system. Plaintext log.
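Added example, not code from the original post: the real fix is to never hand the secret to the logger (log "User %s changed their password" with the username only), but the two checks a practitioner wants on top of that are (a) a CI scan that fails the build when any known test credential appears verbatim in captured logs, and (b) a logging filter that redacts the token following a "password ... from/to/=/:" pattern as a safety net for code paths nobody reviewed. The log lines, the canary credentials and the logger name `example.password` are constructed for this example; the heuristic regex is an assumption about message shapes, not a complete detector.

```python
"""Detect and redact credential leakage in application logs.

Added example (not from the original post). Sample log lines and the
canary credentials below are constructed for this demonstration.
"""
import io
import logging
import re
from typing import Iterable, List, Tuple

# Constructed sample log: the post's message format plus benign lines.
SAMPLE_LOG = """\
2023-01-01 10:00:00 INFO  User alice logged in
2023-01-01 10:00:05 INFO  User alice changed their password from p@ssword3 to p@ssword4
2023-01-01 10:01:00 INFO  User bob changed their password from hunter2 to hunter3
2023-01-01 10:02:00 INFO  Password policy check passed for carol
"""

# Hypothetical canary credentials used by a CI test run. Because the
# values are known, a literal search has no false positives and the
# build can fail on any hit.
CANARY_SECRETS = ["p@ssword3", "p@ssword4", "hunter2", "hunter3"]


def scan_for_secrets(lines: Iterable[str],
                     secrets: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, secret) for every known secret found verbatim."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for s in secrets:
            if s in line:
                hits.append((n, s))
    return hits


# Heuristic for logs whose secret values are unknown: a 'password'
# keyword followed within 30 characters by "from X to Y" (first
# alternative) or by to/is/=/: and a single token (second alternative).
# It is deliberately loose (e.g. "to" matches the start of "tomorrow");
# over-redacting a log line is the cheaper failure mode.
_PASSWORD_VALUE = re.compile(
    r"(\bpassword\b[^\n]{0,30}?\bfrom\s+)(\S+)(\s+to\s+)(\S+)"
    r"|(\bpassword\b[^\n]{0,30}?\b(?:to|is|=|:)\s*)(\S+)",
    re.IGNORECASE)


def _redact_match(m: "re.Match") -> str:
    if m.group(1) is not None:
        return m.group(1) + "[REDACTED]" + m.group(3) + "[REDACTED]"
    return m.group(5) + "[REDACTED]"


def redact_line(line: str) -> str:
    """Replace each token that follows a password keyword with [REDACTED]."""
    return _PASSWORD_VALUE.sub(_redact_match, line)


class RedactingFilter(logging.Filter):
    """Safety net: rewrite the rendered message before a handler emits it.

    Attached to a handler (not a logger) so it also covers records that
    arrive through propagation from child loggers.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_line(record.getMessage())
        record.args = ()   # already rendered; avoid re-formatting
        return True


def logged_output(username: str, old_pw: str, new_pw: str) -> str:
    """Emit the post's message through a redacting handler; return the text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("example.password")  # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.addHandler(handler)
    # Same mistake as the post: the secrets are passed as log arguments.
    logger.info("User %s changed their password from %s to %s",
                username, old_pw, new_pw)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    for lineno, secret in scan_for_secrets(SAMPLE_LOG.splitlines(), CANARY_SECRETS):
        print(f"line {lineno}: leaked canary {secret!r}")
    print(logged_output("alice", "p@ssword3", "p@ssword4"), end="")
```

The canary scan is the check worth wiring into CI: run the integration suite with known throwaway credentials, capture every log sink, and fail if any value shows up. The filter only catches shapes the regex anticipates, so treat a hit from it as a bug to fix at the call site, not as the fix itself.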

Comments
  • 1
    Err wow!!!!
  • 8
    So they not only log it, but they have the old password stored somewhere in plain text too. Nice.
  • 2
    Someone forgot to use logger.debug(...) instead of logger.info(...). Just make sure the right level of logging is turned on 😜
  • 2
    @kvsm It was fun to see entries like old password "p@ssword3", new password "p@ssword4" (since naturally users were forced to change password every 30 days, because security)
  • 1
    @nanowireUK I read an article about password security and the insecurities of changing every 30 days causing mutations like passW0rd&1, passW0rd&2 etc.; you are allegedly much better off increasing password length to 30 characters, changing every 90 days and having a password that's easy to remember such as 'icaughtmyG0atButtFuckingmYrabb1tfor$s'
  • 5
    correcthorsebatterystaple 👍
  • 0
    If this is a Log4j logger then there's no need for String.format(). But this is amazing. Love it! 😂
  • 0
    @aikone no logging framework - everything written from scratch
  • 0
    @nanowireUK even better 😂
  • 0
    @kvsm not really. You should confirm the old password just in case the account was left on somewhere else with remember me set. But if that screw-up was put in I wouldn't doubt it