Comments
- kvsm: So they not only log it, but they have the old password stored somewhere in plain text too. Nice.
- Someone forgot to use logger.debug(...) instead of logger.info(...). Just make sure the right level of logging is turned on 😜
- philcr: @nanowireUK I read an article about password security and the insecurities of changing every 30 days causing mutations like passW0rd&1, passW0rd&2 etc. You are allegedly much better off increasing password length to 30 characters, changing every 90 days and having a password that's easy to remember such as 'icaughtmyG0atButtFuckingmYrabb1tfor$s'
- aikone: If this is a Log4j logger then there's no need for String.format(). But this is amazing. Love it! 😂
- @kvsm not really. You should confirm the old password just in case the account was left on somewhere else with remember me set. But if that screw-up was put in, I wouldn't doubt it.
Tale-Of-X: Don't know if this has been posted yet before but ohhh well
logger.info(String.Format(" User {0} changed their password from {1} to {2}", username, oldPassword, newPassword))
Production system. Plaintext log.
wk25
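The rant's log line is a Java/Log4j call, but the defect is language-independent: the credential values are handed to the logger at all. The following added example (not code from the rant or from devRant; it uses Python's standard logging module as a stand-in, and the logger names, field names and sample passwords are constructed) shows the unsafe pattern beside the fix, plus a key=value redacting filter as a safety net and a small check that tests or CI can run against captured log output to catch a leaked secret.

```python
import io
import logging
import re

# Added example, not code from the rant or from devRant. The logger names,
# field names and sample passwords below are constructed for the demo.

# Matches "password=value", "token: value" and similar key/value shapes.
SECRET_KV = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)(\s*[=:]\s*)(\S+)")


class RedactCredentialsFilter(logging.Filter):
    """Safety net: mask key=value credential shapes in any record that reaches the handler.

    It only catches values that sit next to a recognisable key, so it does not
    replace the real fix (never handing the secret to the logger at all)."""

    def filter(self, record):
        message = record.getMessage()
        redacted = SECRET_KV.sub(r"\1\2[REDACTED]", message)
        if redacted != message:
            record.msg = redacted   # store the already-formatted, scrubbed text
            record.args = ()        # and drop the raw arguments that carried the secret
        return True


def build_logger(name, stream, redact=False):
    """Create an isolated logger writing to `stream` (a StringIO in the demo)."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactCredentialsFilter())
    logger.addHandler(handler)
    return logger


def log_change_unsafe(logger, username, old_password, new_password):
    """The pattern from the rant: both credential values land in the log."""
    logger.info("User %s changed their password from %s to %s",
                username, old_password, new_password)


def log_change_safe(logger, username):
    """Log the event and the actor only; the secrets never reach the logger."""
    logger.info("User %s changed their password", username)


def leaked_secrets(log_text, secrets):
    """Return the secrets that appear verbatim in `log_text` (a check for tests/CI)."""
    return [s for s in secrets if s in log_text]


def run_demo():
    old_pw, new_pw = "hunter2", "correcthorse"          # constructed sample values
    unsafe_buf, safe_buf, filtered_buf = io.StringIO(), io.StringIO(), io.StringIO()

    log_change_unsafe(build_logger("unsafe", unsafe_buf), "alice", old_pw, new_pw)
    log_change_safe(build_logger("safe", safe_buf), "alice")
    # A key=value line (e.g. a careless request dump) with the redacting filter on
    build_logger("filtered", filtered_buf, redact=True).info(
        "login attempt user=alice password=%s", old_pw)

    return {
        "unsafe": unsafe_buf.getvalue(),
        "safe": safe_buf.getvalue(),
        "filtered": filtered_buf.getvalue(),
        "unsafe_leaks": leaked_secrets(unsafe_buf.getvalue(), [old_pw, new_pw]),
        "safe_leaks": leaked_secrets(safe_buf.getvalue(), [old_pw, new_pw]),
        "filtered_leaks": leaked_secrets(filtered_buf.getvalue(), [old_pw, new_pw]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Note that the filter would not have caught the rant's exact message, because "changed their password from X to Y" does not put the value next to a key; the only reliable fix is the `log_change_safe` shape, where the secret is never an argument to the logger. Changing the level from info to debug, as one commenter suggests, does not help either: the secret is still written wherever debug logging is enabled.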