I had a secondary Gmail account with a really nice short nickname (from the early invite/alpha days), forwarded to another of my mailboxes. It had a weak password, leaked as part of one of the many database leaks.

Eventually I noticed some dude in Brazil started using my Gmail, and he changed the password — but I still got a copy of everything he did through the forwarding rule. I caught him bragging to a friend on how he cracked hashes and stole and sold email accounts and user details in bulk.

He used my account as his main email account. Over the years I saw more and more personal details getting through. Eventually I received a mail with a plaintext password... which he also used for a PayPal account, coupled to a Mastercard.

I used a local website to send him a giant expensive bouquet of flowers with a box of chocolates, using his own PayPal and the default shipping address.

I included a card:

"Congratulations on acquiring my Gmail account, even if I'm 7 years late. Thanks for letting me be such an integral part of your life, for letting me know who you are, what you buy, how much you earn, who your family and friends are and where you live. I've surprised your mother with a cruise ticket as you mentioned on Facebook how sorry you were that you forgot her birthday and couldn't buy her a nice present. She seems like a lovely woman. I've also made a $1000 donation in your name to the EFF, to celebrate our distant friendship"

When a website uses https but stores passwords in plain text...

(sensitive parts censored)

Friend: Hey, can you hack my (some website) account?
Me: Depends... What's your username?
Friend: (tells username)
Me: (clicks forgot password?)
Friend: I will give $10 if you do it. There is 2 factor authentication enabled.
Me: (silence) Ok.
Website: Please type the class number you were in in 4th grade.
Me: Hey, did you graduated BLAH elementary school?
Friend: Yeah.
Me: Ahh, I remember. You moved to BLAH elementary school in what grade?
Friend: 4
Me: Hmmm, I don't remember seeing you. What class were you in?
Friend: 5
Me: Well, I now remember. Stupid me. (smirks)
Friend: Haha. (continues to play games beside me)
Me: (Types in 8)
Website: We sent you a password to blah@example.com
Me: (uhh, heads to example.com and clicks forget password?)
Email: Please type the class number you were in in 4th grade.
Me: (wtf is this, types 8)
Email: Please type the teacher's name when you were in in 4th grade.
Me: What was the teacher's name?
Friend: Huh?
Me: When you were in 4th grade.
Friend: Ahh! John Smith.
Me: Ahh, he was strict, right?
Friend: Yeah (continues to play games again)
Me: (Types in John Smith)
Email: Set a new password.
Me: (Types "youaresostupid")
Email: Done!
Me: (copies PLAIN TEXT password from email, logs in to website)
Me: Da-da!
Friend: (gasps)
Me: Money plz~
Friend: Nope.
Me: (wtf, then remembers i changed his email password) Fine then.

=====================

1. There is 2 factor authentication enabled. : Got it?
2. The website sent plaintext password.
3. He is just pure idiot.
4. I didn't got the money.
5. I am now a h4x0r

These "math question" captchas are really stupid.
It's not even an image that has to be OCR-ed, it's just plaintext. Why can't these people understand a captcha is supposed to be something only a person can do? This is math. Computers are amazing at math.

1. Forgot my password.
2. Clicked "Forgot" password button.
3. Received my forgotten password as plain text in my email

Dear me,

We have noticed you uploaded files to a public github with your API keys in plaintext.

Please proceed to bang head against desk until you have learned your lesson.

Sincerely me.

Just discovered that our student housing rental portal transmits our password in plaintext.

WHAT.THE.ACTUAL.FUCK

Facebook publicly announced that it won't build a backdoor into its services for the intelligence agencies as for the latest requests to weaken/remove the encryption.

I can only imagine the intelligence agencies going like this now:

NSA director: Alright, as expected they said no so they won't have more damage to their public image, lets go for plan A 2.0!
NSA employee: Aaaand that is?
NSA director: Serve them a FISA court order requiring them to do this shit anyways but also serve a gag order so they can't tell legally.
NSA employee: Ahh, fair enough, I'll get that rolling. By the way, how did we do this with WhatsApp's encryption again?
NSA director: Oh that one was simple. There's a backup function which nearly everyone uses on either Android/iOS which does plaintext backups to Google Drive/iCloud.
NSA employee: Oh, okay. How do we access that data again?
NSA director: PRISM/XKeyScore!
NSA employee: Right, but then still the issue of how we even collect the encrypted messages from Facebo...
NSA director: PRISM/XKeyScore as well, don't worry about that.
NSA employee: But, how'd we justify this....?
NSA director: We probably never have to as these programs operate outside of the public view but otherwise just call terrorism/pedophelia... BAM, done.
NSA employee: Gotya, let's put this into motion!

When you are resetting your password and the website emails you your current password in plaintext. 🤦

So our public transportation company started to sell tickets online with their brand new fancy​ system.

• You can buy tickets and passes for the price you want
• Passwords are in plaintext
• Communication is through HTTP
• Login state are checked before the password match so you can basically view who is online
• Email password reminders security code can be read from servers response

Oh and I almost forgot admin credentials are FUCKING admin/admin

Who in the fucking name of all gods can commit such idiocracy with a system that would be used by almost millions of people. I hope you will burn in programming hell. Or even worse...

I'm glad I'm having a car and don't have to use that security black hole.

*Showerthoughts*

Steam downloads games over plaintext, so can I whireshark a game and get it for free then?

*Showerthoughts*

Storytime!

Manager: Hey fullstackchris, the maps widget on our app stopped working recently...

Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...

Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)

Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?

Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!

Dev: 🤦‍♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Somewhat started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)

Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...

Terminal: grep results in, CMS codebase!

Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!

Long story short:

The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.

WITH A GOOGLE MAPS API KEY.

JUST CHILLING IN PLAINTEXT.

Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷‍♂️

Oh, and it's only Monday. 😎

Cheers!

I worked in the same building as another division in my organization, and they found out I had created a website for my group. They said, “We have this database that was never finished. Do you think you could fix it?”

I asked, “What was it developed in?”
He replied, “Well what do you know?”
I said, “LAMP stack: PHP, MySQL, etc.” [this was over a decade ago]

He excitedly exclaimed, “Yeah, that’s it! It’s that S-Q-L stuff.”

I’m a little nervous at this point but I was younger than 20 with no degree, entirely self-taught from a book, and figured I’d check it out - no actual job offer here yet or anything.

They logged me on to a Windows 2000 Server and I become aware it’s a web application written in VB / ASP.NET 2.0 with a SQL Server backend. But most of the fixes they wanted were aesthetic (spelling errors in aspx pages, etc.) so I proceeded to fix those. They hired me on the spot and asked when I could start. I was a wizard to them and most of what they needed was quite simple (at first). I kept my mouth shut and immediately went to a bookstore after work that day and bought an ASP.NET book.

I worked there several years and ended up rewriting that app in C# and upgrading the server and ASP.NET framework, etc. It stored passwords in plaintext when I started and much more horrific stuff. It was in much better shape when I left.

That job was pivotal in my career and set the stage for me to be where I am today. I got the job because I used the word “SQL” in a sentence.

It's maddening how few people working with the internet don't know anything about the protocols that make it work. Web work, especially, I spend far too much time explaining how status codes, methods, content-types etc work, how they're used and basic fundamental shit about how to do the job of someone building internet applications and consumable services.

The following has played out at more than one company:

App: "Hey api, I need some data"
API: "200 (plain text response message, content-type application/json, 'internal server error')"
App: *blows the fuck up

*msg service team*

Me: "Getting a 200 with a plaintext response containing an internal server exception"
Team: "Yeah, what's the problem?"
Me: "...200 means success, the message suggests 500. Either way, it should be one of the error codes. We use the status code to determine how the application processes the request. What do the logs say?"
Team: "Log says that the user wasn't signed in. Can you not read the response message and make a decision?"
Me: "That status for that is 401. And no, that would require us to know every message you have verbatim, in this case, it doesn't even deserialize and causes an exception because it's not actually json."
Team: "Why 401?"
Me: "It's the code for unauthorized. It tells us to redirect the user to the sign in experience"
Team: "We can't authorize until the user signs in"
Me: *angermatopoeia* "Just, trust me. If a user isn't logged in, return 401, if they don't have permissions you send 403"
Team: *googles SO* "Internet says we can use 500"
Me: "That's server error, it says something blew up with an unhandled exception on your end. You've already established it was an auth issue in the logs."
Team: "But there's an error, why doesn't that work?"
Me: "It's generic. It's like me messaging you and saying, "your service is broken". It doesn't give us any insight into what went wrong or *how* we should attempt to troubleshoot the error or where it occurred. You already know what's wrong, so just tell me with the status code."
Team: "But it's ok, right, 500? It's an error?"
Me: "It puts all the troubleshooting responsibility on your consumer to investigate the error at every level. A precise error code could potentially prevent us from bothering you at all."
Team: "How so?"
Me: "Send 401, we know that it's a login issue, 403, something is wrong with the request, 404 we're hitting an endpoint that doesn't exist, 503 we know that the service can't be reached for some reason, 504 means the service exists, but timed out at the gateway or service. In the worst case we're able to triage who needs to be involved to solve the issue, make sense?"
Team: "Oh, sounds cool, so how do we do that?"
Me: "That's down to your technology, your team will need to implement it. Most frameworks handle it out of the box for many cases."
Team: "Ah, ok. We'll send a 500, that sound easiest"
Me: *..l.. -__- ..l..* "Ok, let's get into the other 5 problems with this situation..."

Moral of the story: If this is you: learn the protocol you're utilizing, provide metadata, and stop treating your customers like shit.

Today Facebook reveled that they stored millions of people’s passwords in plaintext in a database accessible to thousands of employees... shocking. And what’s more? Today their stock went up. Seriously guys!?!? Hold companies accountable! Make them pay!

*signs up for Skillshare*
> Sorry, your password is longer than our database's glory hole can handle.
> Please shorten your password cumload to only 64 characters at most, otherwise our database will be unhappy.

Motherf-...

Well, I've got a separate email address from my domain and a unique password for them. So shortening it and risking getting that account stolen by plaintext shit won't really matter, especially since I'm not adding payment details or anything.

*continues through the sign-up process for premium courses, with "no attachments, cancel anytime"*
> You need to provide a credit card to continue with our "free" premium trial.

Yeah fuck you too. I don't even have a credit card. It's quite uncommon in Europe, you know? We don't have magstripe shit that can go below 0 on ya.. well the former we still do but only for compatibility reasons. We mainly use chip technology (which leverages asymmetric cryptography, awesome!) that usually can't go much below 0 here nowadays. Debit cards, not credit cards.

Well, guess it's time to delete that account as well. So much for acquiring fucking knowledge from "experts". Guess I'll have to stick to reading wikis and doing my ducking-fu to select reliable sources, test them and acquire skills of my own. That's how I've done it for years, and that's how it's been working pretty fucking well for me. Unlike this deceptive security clusterfuck!

logger.info(String.Format(" User {0} changed their password from {1} to {2}", username, oldPassword, newPassword))

Production system. Plaintext log.

So I got my email and password delivered to me in plain text..

Time to leave this planet.. 🚀

What kind of supercomputer you have to use to get these fucking websites to work smoothly????

I'm on a fucking gigabit connection, ryzen 7 7700x, 32GB ram, and a fucking nvme, all it takes is opening a fucking recipe site and I'm instantly transported back to the 80s. I swear if i see another 4k asset I'm gonna punch something.

WHAT THE FUCK HAPPENED TO FUNCTION OVER FORM????

Oh do you want me to disable my addblocker??? How about: you make a site that works you fuck. No i will not fucking subscribe to your brain-dead newsletter why the fuck would I???
And since when are cookies needed for a fucking plaintext site you asshat??? Tracking??? I swear if you could you would generate metadata from my clipped fingernails if it meant you could stick "Big data" next to that zip-bomb you call a website.

I WOULD like to read your article, possibly even watch a couple of ads on my sidebar for you, but noooooo you had to have the stupid fucking google vinegrette or however the fuck they are calling the fucking thing now.

The age of the web sucks the happiness out of life, and despite having all of this processing power, I am jealous of my fathers RSS feeds.

I'm sorry web people, I know it's not your fault, I know designers and management don't give a shit how long a website takes to load. I just wanted to make a fucking omelette.

A few weeks ago at infosec lab in college

Me: so I wrote the RSA code but it's in python I hope that's ok (prof usually gets butthurt if he feels students know something more than him)

Prof: yeah, that's fine. Is it working?

Me: yeah, *shows him the code and then runs it* here

Prof: why is it generating such big ciphertext?

Me: because I'm using big prime numbers...?

Prof: why are you using big prime numbers? I asked you to use 11, 13 or 17

Me: but that's when we're solving and calculating this manually, over here we can supply proper prime numbers...

Prof: no this is not good, it shouldn't create such big ciphertext

Me: *what in the shitting hell?* Ok....but the plaintext is also kinda big (plaintext:"this is a msg")

Prof: still, ciphertext shows more characters!

Me: *yeah no fucking shit, this isn't some mono/poly-alphabetic algorithm* ok...but I do not control the length of the ciphertext...? I only supply the prime numbers and this is what it gives me...? Also the code is working fine, i don't think there's any issue with the code but you can check it if there are any logic errors...

Prof: *stares at the screen like it just smacked his mom's ass* fine

Me: *FML*

Buckle up kids, this one gets saucy.

At work, we have a stress test machine that trests tensile, puncture and breaking strength for different materials used (wood construction). It had a controller software update that was supposed to be installed. I was called into the office because the folks there were unable to install it, they told me the executable just crashed, and wanted me to take a look as I am the most tech-savvy person there.

I go to the computer and open up the firmware download folder. I see a couple folders, some random VBScript file, and Installation.txt. I open the TXT, and find the first round of bullshit.

"Do not run the installer executable directly as it will not work. Run install.vbs instead."

Now, excuse me for a moment, but what kind of dick-cheese-sniffing cockmonger has end users run VBScript files to install something in 2018?! Shame I didn't think of opening it up and examining it for myself to find out what that piece of boiled dogshit did.

I suspend my cringe and run it, and lo and behold, it installs. I open the program and am faced with entering a license key. I'm given the key by the folks at the office, but quickly conclude no ways of entering it work. I reboot the program and there is an autofilled key I didn't notice previously. Whatever, I think, and hit OK.

The program starts fine, and I try with the login they had previously used. Now it doesn't work for some reason. I try it several times to no avail. Then I check the network inspector and notice that when I hit login, no network activity happens in the program, so I conclude the check must be local against some database.

I browse to the program installation directory for clues. Then I see a folder called "Databases".

"This can't be this easy", I think to myself, expecting to find some kind of JSON or something inside that I can crawl for clues. I open the folder and find something much worse. Oh, so much worse.

I find <SOFTWARE NAME>.accdb in the folder. At this point cold sweat is already running down my back at the sheer thought of using Microsoft Access for any program, but curiosity takes over and I open it anyway.

I find the database for the entire program inside. I also notice at this point that I have read/write access to the database, another thing that sent my alarm bells ringing like St. Pauls cathedral. Then I notice a table called "tUser" in the left panel.

Fearing the worst, I click over and find... And you knew it was coming...

Usernames and passwords in plain text.

Not only that, they're all in the format "admin - admin", "user - user", "tester - tester".

I suspend my will to die, login to the program and re-add the account they used previously. I leave the office and inform the peeps that the program works as intended again.

I wish I was making this shit up, but I really am not. What is the fucking point of having a login system at all when your users can just open the database with a program that nowadays comes bundled with every Windows install and easily read the logins? It's not even like the data structure is confusing like minified JSON or something, it's literally a spreadsheet in a program that a trained monkey could read.

God bless them and Satan condemn the developers of this fuckawful program.

Dude
The client has a giant database with all credit and debit cards

ALL INFOS IN FUCKING PLAINTEXT
THE CARD NUMBER
THE CVV
THE EXPIRY DATE

I'M SHAKING AF

PLAIN FUCKING TEXT PASSWORD! How can this still be a thing in 2018?

Boss hands over to me an old security audit report and tells me "Go through this and check if all the problems mentioned have been resolved". Quick glance through the report shows all expected issues - SQLi, plaintext transmission and storage etc. I tell him that I need access to the application both from admin and a user with restricted privileges.
He hands me the admin credentials and tells me, "After you login in, just go the "Users" tab. You'll find the profiles of all the users there. You can get the emails and passwords of any user you want from there."
I had to hold back a chuckle. There's nothing to verify. If they haven't resolved storing plain text passwords in the database (AND displaying it IN PLAIN TEXT in the website itself (which to my surprise wasn't mentioned in the audit)), they probably haven't even looked at the report.

THERE IS NOTHING AS FRUSTRATING AS WAITING FOR A RESET PASSWORD MAIL... ONLY TO GET A STREAM OF 16 PLAINTEXT PASSWORDS 30 MINUTES LATER, WITH NONE OF THEM WORKING.

Fuck you, IKEA. 🖕

A website just emailed me my forgotten password in PLAINTEXT.

I'm out of breath from running for the hills so fast.

thou hast committed a grave sin

So we had a dev on our team who was on a performance improvement plan, wasn't going to pass it, but decided to quit before it was over saving us 2 weeks.

I was ecstatic when he left (caused us hell). I knew updating his code wouldn't be great, but he was only here 6 months

"how bad could it be" - practiseSafeHex - moron, idiot, suicidal.

A little run down would be:

- Despite the fact that we use Angular 2+, one of his apps is Angular 1 ... Nobody on the team has ever used Angular 1.

- According to his package.json he seems to require both mongoDb and Cloudant (couchDb).

- Opened up a config file (in plaintext) to find all the API keys and tokens.

- Had to rename all the projects (micro services) because they are all following a different style of camelcase and it was upsetting my soul.

- All the projects have a "src" folder for ... you know ... the source code, except sometimes we've decided to not use it for you know, reasons.

- Indentation is a mess.

- He has ... its like ... ok I don't even know wtf that is suppose to be.

- Curly braces follow a different pattern depending on the file you open. Sometimes even what function you look at.

- The only comments, are ones that are not needed. For example 30+ lines of business logic and model manipulation ... no comment. But thank god we have a comment over `Fs.readFile(...)` saying /* Read the config file */. Praise Jesus for that one, would have taken me all week to figure that out.

Managers have been asking me how long the "clean up" will take. They've been pushing me towards doing as little as possible and just starting the new features on top of this ... this "code".

The answer will be ... no ... its getting deleted, any machine its ever been on is getting burned, and any mention of it will be grounds for death.

Arglebargle.

I went to buy flowers for [redacted event] and gave the florist my CC info, number, and email for a receipt. He was a nice old man who loves what he does, and makes beautiful arrangements. But. He just emailed me all of my CC info, and asked what part of it was wrong. Twice. Emailed. Plain text. SMTP.

Guess who's requesting a replacement card?

😞

Just wow. I am amazed by what just happened.

A year ago my parents decided to switch from desktop to laptop for convenience. Knowing their needs, i bought them one without an OS and installed Ubuntu 16.04 on it. The thing is that if you do a regular maintenance of the laptop once a year at their partner company, you get additional 4 years of warranty (this offer is amazing).

So today was the day I brought the laptop for this maintenance for the first time. They make you a profile on their support website where you can track shit regarding your device, super convenient. First thing I notice that the login page was not https. Awkward, but there is no sensitive data here so i let it pass. Naturally i forgot my password, so I requested a new one and guess what? I recieved it in plaintext via mail. A tech repair oriented company does this, my god.

I went there, gave them the laptop in question and got a piece of paper, where they wrote that the laptop is in their hands now, and the current physical state of the laptop, and blabla.

I got home and I read what the guy wrote among other things: THE OPERATING SYSTEM IS NOT LEGAL.

How the fuck is Ubuntu not legal??? What the fuck is this shit? I sure as hell didn't torrent it or bought a booteged copy on the streets.

I used PHPMailer to send emails to a client's website user. SMTP host is smtp.gmail.com.

web was hosted on Bluehost. I found out that mailer was not working. I enabled verbose output and to my surprise I found out that Bluehost was intercepting my mail and responding with

220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail

when i was explicitly using smtp.gmail.com. Not only they were intercepting but also They were trying my credentials against its own smtp server and then showing me that authentication failed.

When i contacted chat they asked me to tell last 4 characters of Bluehost account password to verify ownership.

Dude do they have passwords in plaintext.🤔

I am working on a project with a retard.
I am supposed to focus on the mobile apps but the backend guy doesn't know shit about REST.I spend more time teaching him how to serialize data into JSON and telling him not to store passwords as plaintext(He's now using md5 despite me telling him to use bcrypt) than developing the mobile apps am supposed to.
Guess who will be blamed for missing the deadline?
Yea, it's me.
Guess who will get the credits for the backend i am developing?
Yea, it's him.
Fuck!

About a year ago I switched my job.
At the start everything seemed like magic. I was the It director, I've finally was able to call the shots on technologies, on new software architecture.
First step was to check the current state of the company.
"qqqq" as each pc password? Ok
No firewall from outside? Lovely
Servers running on Windows Server 2008? Spectacular
People leaving pc on after work and left the machine unlocked just not to type the password? Hell yeah
The IT dude playing games instead of working? But ofcourse
Plaintext passwords publically accessible eshop? Naturally.
The list goes on and on.
After all this time, I'm working to fix every hole like that like crazy and because it doesn't show results, I'm soon to lose my job. Well better luck next time as an intern I guess :')

Something I probably shouldn't talk about:

One of the projects at work has a specific path you can visit. The """security""" is that nobody should know the path. But I can guaran-fucking-tee you it's not difficult to guess.

On this page, ***without a login***, you can view some user information. Well, you can view all of it, but only certain fields.

And if you perform a specific action on this page, you can get their password, plaintext.

This project is not mine. But learning all of this made me super uneasy. I had to share it.

Trash, trash, trash.
Who the fuck writes this shit?

Who the fuck lets these trash should-be-junior devs roll their own crypto? and then approves it?

The garbage heap of a feature (signing for all apis) doesn't follow Ruby standards, doesn't follow codebase conventions, has `// this is bridge` style comments (and no documentation), and it requires consumer devs to do unnecessary work to integrate it, and on top of all this: it leaks end-user data. on all apis. in plaintext.

Fucking hell.

Today Comcast told me my account password over the phone... Fucking Comcast stores passwords in plaintext.

Sites that store plaintext passwords in 2017...

I have a friend in college who had made a GitHub a few years ago, and populated it pretty well. Turns out he never actually looked through what he added to his commits. Every repo had a copy of his GitHub login in plaintext.

My parents are real sticklers for who is allowed to be on Netflix. They only let people on when they are present, and they never click 'save password'.

Me being a poor college student and desperate for the Netflix password, created a fake website for one of my parents to sign into.

How did I do this? I created my own localhost server with a backend database for the password to go to. I then copied the Netflix home screen and log in and asked them to log me into their account.

They said I can be on for one hour, and then they were signing me out.

I agreed to these terms.

As a small twist, I had also copied the no internet tab from Chrome for the page to redirect to. Knowing that once they logged in they would be expecting the main UI.

They logged in and then waited for the page to load. I, of course, put in a delay for the page to load and then displayed the no internet tab. They were confused and asked me to refresh, still nothing. I asked them if the router was out, and they went to check.

While they were away I quickly switched back to the real Netflix website and yelled back saying I got it working again. They came back over and saw that it was asking for a password again. They signed in and saw the main homepage and none were the wiser that day.

Once they left I checked inside the DB and found the plaintext password they typed in... The damn password was so simple, I cursed myself for not having figured it out sooner. No matter, I had my parents Netflix password.

So you're probably wondering how they didn't see the URL above and think something was off?

I pressed F11 and fullscreened my entire browser. They did ask, and I simply replied with, I don't like seeing all the crap up above when I'm streaming. No further questions, perhaps I was lucky.

Let me tell you a story:
One upon a time poor lil PonySlaystation received a call. It was a nice guy who cried about his WordPress website had been hacked. So the clusterfuck began...

He gave me the login credentials for the hosting back-end, DB, FTP and CMS.
A hacked WP site was not new for me. It was probably the 6th of maybe 10 I had to do with.
What I didn't expect was the hosting back-end.
Imagine yourself back in 1999 when you tried to learn PHP and MySQL and all was so interesting and cool and you had infinite possibilities! Now forget all these great feelings and just take that ancient technology to 2018 and apply it to a PAID FUCKING HOSTING PROVIDER!
HOLY FUCKING ASSRAPE!
Wanna know what PHP version?
5.3.11, released the day before gomorrah was wiped.
The passwords? Stored in fucking plaintext. Shown right next to the table name and DB user name in the back-end. Same with FTP users.
EXCUSE ME, WHAT THE FUCK?!

I have to call Elon Musk and order some Boring Company Flame Throwers to get rid of this.

Long story long, I set up a new WP, changed all passwords and told the nice guy to get a decent hoster.

A few weeks ago I stepped onto the grounds of lovely Canada. Back then - coming from Europe - I was surprised. Free WiFi everywhere without all the bells and whistles of creating an account and such.

Well ... at least I thought so ...

Today I went to a location where they actually charge you for their wireless services - fair enough the coverage area is pretty huge - and provide you with an access coupon. All good my optimistic me told me but once the login page loaded...

There are a lot of things about UX I could rant about but let's put that aside. The coupon came from the office where they KNEW all your contact details but it required you to create an account with all of them again to redeem the coupon.

Not only that but it asked for things like the phone number - obviously asking for a Canadian landline number since hell who uses mobiles anyway with numbers longer than ten characters?! - and even though it had a nice country selection it kept the states field there even when selecting a country that doesn't have states ...
Oh, and on a regular phone screen (which would be the target user for WiFi on a campground I suppose) the input fields for state and zip were occluded by the margins of the input rendering the content invisible.

And if that weren't enough after creating your account they made you watch an ad as if the personal data and the 4$ you paid them wasn't enough for the lousy 400 KB/s you get for 24h ...

Gets better though! After creating the account they display your password to make sure you remembered it ... over a non-secured WiFi network ... and send you an email afterward ... password via unencrypted mail via an unencrypted WIRELESS connection ... not that it protects anything that would matter anyways you can just snoop the MAC of your neighbor and get in that way or for that sake get their password but oh well ...

Gosh, sometimes I just feel the urgent need to find the ones responsible and tell them to GTFO of the IT world ...

Is it just me feeling like this about crappy UI/UX design? Always wondering...

Finally got a new job, but it's already a horror story not even 2 hours in (making this while on break)

Everyone here is an Intern, IT? Interns, Designers? Interns, HR? Interns.

The Person who I should've worked with got fired yesterday, and now I have to work all of his shit up from 0, Documentation? Fragmental, a few things here and there, but nothing really.

IT security also doesn't exist in the slightest, there is an Excel sheet called "Master_Passwords" and every single password is in Plaintext, written out for everyone to see. (at least they used "strong" passwords)

And the place also looks run down, theres PC's, Laptops, Mics, Cables etc. lying literally everywhere no-one knows what works and what doesn't (since everyone is an intern)

Not to mention the "Server Room" is an absolute mess itself, cables hanging from literally anywhere, powerstrips are ontop of servers, each rack has like 2 or 3 2U Servers, (in a 40u Rack) and there are 10 of them!

Are there any website or public list that shame companies and websites for sending passwords in plaintext whenever we tend to reset the password?

former boss wrote three cyber-defense books. had his "collections" team sending plaintext passwords to high-side clients over unsecured email

Seriously, fuck that incompetent ISP of mine.

Stores passwords in fucking plaintext. Does VoIP calling in plaintext! Passwords are sent over postal mail! Passwords are at least not sent in plain via email anymore when you want to reset them. The password reset form, "cannot contain `", "cannot contain "", "cannot contain '", "must contain a special character" because why the fuck not mess with people's password manager's password generation function over our own incompetence, right?! And showing all those errors for a single password? Eh, no. Let's just show one error that applies to whatever password you've given at that time. JUST ONE, because "reasons"! And to top it all off, when I finally made myself a nice password with some padding to remove unwanted chars and put that in my password store and on the website. THE BLOODY THING CAN'T EVEN FUCKING LOGIN?!

Now I ain't no ISP, but being a sysadmin clearly isn't a requirement when you're going to apply for work at an ISP, THAT DOES NOTHING BUT FUCKING SYSADMIN STUFF!!! Incompetent pieces of SHIT!!!

I just got sent an email after registering an account at a webshop which contained my username and password.. *sigh*

Once upon a time, in a proprietary e-commerce framework used by few hundred sites...

I just took over a project where the previous developer stored password in two separate fields.

password & password_visible

First was encrypted and used for authentication. Second was plaintext password and was shown in the admin panel.

Hope to meet this god someday, I'd sure ask why the hell did he use encrypted password for authentication anyway. 😂

Can someone just please come over and safe me? I am soooooo done with all this bullshit code. I understand why people loathe PHP, it enables totally worthless people to carry the title 'programmer' because hurrrdurrr look at my website, I made this. Fuck yes, you made that and you should SHAME yourself! What the actual flying fuck I can't begin to explain the monstrosities that I find checking out this worthless pile of fucking garbage.

User passwords saved as plaintext in database? Check!

Using hungarian notation, camecase and snakecase inconsistently? Check!

Typejuggling like you're the mainman of the Insane Clown Posse? Check!

Everything is a mess, there is no documenation, no consistency no nothing, this is straight from the 9th circle of programmers hell.

Aaaaaaarghhhhh I AM SO FUCKING DONE WITH THIS WORTHLESS PILE OF GARBAGE!!!!

The original dev prefixed every spagetthifile with his copyright shite so im gonna look him up and highfive him in the face with my laptop and after that printing out my resignation letter in comic sans fontsize 78 because FUCK YOU

So done.

About browsers and whole SSL CERT thing...

Most likely everyone here noticed, that https site with broken certificate will throw these big red warnings, in your face and there is so much wording like "ITS NOT SECUREEEE" or "ITS HACKEDDD" almost like it was written by passionate fanatic.

But when you are on plaintext http browsers reaction is like ¯\_(ツ)_/¯
Even if you have plaintext with password, it will for example in chromium put small little red thingy that almost no one notices.

I believe that broken cert with some error like invalid date is MORE secure than plaintext password, yet still there is this hypocracy with browsers...

I dont say that broken SSL cert is good, or something, Im just pointing out contrast of "broken" https vs plain http.... One looks for casual Joe like end of the world is coming and second is bearly noticable. Da fuck?

I disagree with this approach

I forgot my password to [SITE]. Of course, I click "forgot password", and enter my email, which I did remember. Fairly routine "ah shit we have a problem" steps.

Now, it takes a second. This is to be expected. So I'm not worried. I then get the email and...

Now, you will notice that I redacted some information, like the company name, email, and my PLAIN TEXT PASSWORD, and my name.

I would like to note that this isn't a small, very local company that's new (even then it'd be unacceptable), but this is a multinational, multimillion dollar company.
How'd someone fuck up THIS badly?

stored username and password in a cookie .... in plaintext

*speaks from my partner's point of view*

These dimwits emailed my receipt for my dues (not shown) AND MY USERNAME AND PASSWORD in the same PLAINTEXT UNENCRYPTED email...

Off to go write a cranky email...

Created an account on Juststickers.
This is the email I get

plaintext passwords
🙈

Current task:

Somehow, one of my predecessors made some sort of custom hook tied to woocommerce check out that pipes some data into a nightmarish spaghetti fuck pile of undocumented wild west visual basic bullshit. It does this, presumably, via a set of parameters passed as plaintext in a url. I know this because I found the singleton that declares this. Helpfully, Mr. Fuckass named the class "Default", so I only have around 30k instances being kicked back by my IDE when I search for it. The only reason I "need" to find this, is so that I can just change the button to an href pointing at my own MS for shipping, and I need to change the fifteen params being passed to just one - a customer ID, which should be stored in the session, and referenced by a cookie. Once that is done, I should be able to freely delete a couple of gigs worth of bullshit. Been stuck on this for three days now. God forbid we have a test environment or something.

I'm tired. Can't even get angry anymore really. Can't even think of anything funny to say about it either, I just can't wait until this is done and I can go back to sleep.

Aaah! Another cup of stupidity on this sunny Friday! 🍵

I just received a csv file with usernames, emails and passwords in plaintext for 1500 users.
Apparently that's what it means to "integrate with our database"

Two days ago, I was solving a coding challenge on hackerank, I was so frustrated I couldn't get one year to pass, I tried c++, python, Golang, same shit, still that same test...I couldn't sleep, I close my eyes, I see this in my sleep, I go back to my keyboard, 4am, I am still on this challenge, 6am, nothing, then I decided to go have breakfast and hang out with a friend, then while hanging out he said "don't finish the pizza, that's my lunch" immediately it clicked in my head that I was missing a logic of less than zero as it was stated as a constraint, I immediately went back home and now all test cases passed....guess what, I now have malaria from not sleeping under the net 😭😭...

P.S: I am Nigerian tho, mosquitoes are a thing

Signed up for a driving class...
This is what i get in the mail shortly after.

Fucking fantastic guys! Saving passwords plaintext. Is it because of the government?

Oh my fucking god people are stupid, or ignorant, or fucking both.

How hard is it to copy a password from an email and paste that fucker in and press login.
Seriously several times of “this is your email” and “THIS” is your god dam fucking password.
God kill me now.

(No the password isn’t stored in plaintext, I reset it myself before sending it to the user)

MENSA uses plaintext as a captcha.

Being intelligent ≠ Using your intelligence i guess

I taught an intro to programming class today, brought back memories of highschool...

I remember when I started my first IT class in grade 10, it was a 50/50 split between IT theory amd programming. Choices were java or delphi...I made the uninformed choice to do java (thank goodness) and really enjoyed it. For some reason the logic and OOP concepts really made sense to me and i was well ahead of the class. I was always top 5 for maths/physics/chem and english literature but never enjoyed them for a second. On the other hand programming was something i could do for hours and still enjoy. In my final year we had to do a project, most of my class was still struggling with very simple for loops and jframes. The projects were terrible drag and drop NetBeans UIs that would convert meters to feet.

I remember being upset with the quality and ended up writing an entire client/server chat system with file sharing, voice notes, voice streaming, server admin controls, usernames and passwords (plaintext sql of course 😂), admins/mods/guests etc...

Got 100% and a personal recognition from the headmaster...found out yesterday the staff at the college have actually been using it since the time I left.

I don't know why i typed this whole story, something about teaching the kids where i was myself made me feel warm and fuzzy inside

So, first time ranting, sorry if I mess anything up.
When I first started my current job and got introduced to the system we were coding in, something seemed a little fishy to me. Didn't like the system anyway, but at least the language is a compiler language, so it runs quite quickly, right?
In theory, yeah. If the lead dev liked the IDE that came with it. But he has to REALLY fucking hate it, because rather than using it, he codes in plaintext. No syntax highlighting, no auto-indent, nothing. And he's built the entire damn system around doing that. Sadly the compiler is only integrated into the IDE, so what do we do there? Copy the code from the plaintext file to the IDE to compile it there? No no, why would you. The language has a function you can use to compile some code at runtime.
And so he does. Every. Single. Fucking. Script. There's a single main script that runs and finds the correct textfile to then runtime-compile and execute. So we effectively made a compiler language into a massively unoptimized interpreter lang.
I even mentioned that this might be a problem, but I was completely dismissed, so at that point it's not my problem anymore and I have then switched to a different system anyway.
Couple weeks later I heard the same guy complaining that the scripts were running almost the whole night so we'd probably need some better hardware or something.
Well if only there was a really obvious solution that would improve the performance by probably about a factor of 20 or so...

This is the last part of the series
(3 of 3) Credentials everywhere; like literally.

I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.

This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.

However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.

So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.

The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.

Thank you, dear 3rd party vendor replying to my ticket to my work email and sending me my new password IN FUCKING PLAINTEXT!

Signed up for a market research company (ironically, that I used to work for as a transcriber about 10 years ago) to pull in a bit of extra cash.

They sent an e-mail back confirming my registration.

With the password in plaintext.

Oh boy, this is gonna be good:

TL;DR: Digital bailiffs are vulnerable as fuck

So, apparently some debt has come back haunting me, it's a somewhat hefty clai and for the average employee this means a lot, it means a lot to me as well but currently things are looking better so i can pay it jsut like that. However, and this is where it's gonna get good:

The Bailiff sent their first contact by mail, on my company address instead of my personal one (its's important since the debt is on a personal record, not company's) but okay, whatever. So they send me a copy of their court appeal, claiming that "according to our data, you are debtor of this debt". with a URL to their portal with a USERNAME and a PASSWORD in cleartext to the message.
Okay, i thought we were passed sending creds in plaintext to people and use tokenized URL's for initiating a login (siilar to email verification links) but okay! Let's pretend we're a dumbfuck average joe sweating already from the bailiff claims and sweating already by attempting to use the computer for something useful instead of just social media junk, vidya and porn.

So i click on the link (of course with noscript and network graph enabled and general security precautions) and UHOH, already a first red flag: The link redirects to a plain http site with NOT username and password: But other fields called OGM and dossiernumer AND it requires you to fill in your age???
Filling in the received username and password obviously does not work and when inspecting the page... oh boy!

This is a clusterfuck of javascript files that do horrible things, i'm no expert in frontend but nothing from the homebrewn stuff i inspect seems to be proper coding... Okay... Anyways, we keep pretending we're dumbasses and let's move on.

I ask for the seemingly "new" credentials and i receive new credentials again, no tokenized URL. okay.

Now Once i log in i get a horrible looking screen still made in the 90's or early 2000's which just contains: the claimaint, a pie chart in big red for amount unpaid, a box which allows you to write an - i suspect unsanitized - text block input field and... NO DATA! The bailiff STILL cannot show what the documents are as evidence for the claim!

Now we stop being the pretending dumbassery and inspect what's going on: A 'customer portal' that does not redirect to a secure webpage, credentials in plaintext and not even working, and the portal seems to have various calls to various domains i hardly seem to think they can be associated with bailiff operations, but more marketing and such... The portal does not show any of the - required by law - data supporting the claim, and it contains nothing in the user interface showing as such.
The portal is being developed by some company claiming to be "specialized in bailiff software" and oh boy oh boy..they're fucked because...

The GDPR requirements.. .they comply to none of them. And there is no way to request support nor to file a complaint nor to request access to the actual data. No DPO, no dedicated email addresses, nothing.

But this is really the ham: The amount on their portal as claimed debt is completely different from the one they came for today, for the sae benefactor! In Belgium, this is considered illegal and is reason enough to completely make the claim void. the siple reason is that it's unjust for the debtor to assess which amount he has to pay, and obviously bailiffs want to make the people pay the highest amount.

So, i sent the bailiff a business proposal to hire me as an expert to tackle these issues and even sent him a commercial bonus of a reduction of my consultancy fees with the amount of the bailiff claim! Not being sneery or angry, but a polite constructive proposal (which will be entirely to my benefit)

So, basically what i want to say is, when life gives you lemons, use your brain and start making lemonade, and with the rest create fertilizer and whatnot and sent it to the lemonthrower, and make him drink it and tell to you it was "yummy yummy i got my own lemons in my tummy"

So, instead of ranting and being angry and such... i simply sent an email to the bailiff, pointing out various issues (the ones

Creating username / password first time - checked
Storing password in plaintext - checked
Messaging password in plain text after a password change - whaaattt????

In my school, eleventh grade (so nearly "Abitur", A levels), we got the task to create a program which will be running on every computer here which should replace the Classbook (like a book where homework and lessons and stuff is written down).
Now, the class before mine already did a part of that, a program to share who is ill/not at school, with a mark whether it is excused or not.
So far so good. They all seemed not that bad when they were presenting it to us. Then, the first thing: they didn't know what git is. Well, okay I thought.
Next, there was this password field to access the program. One of them entered the password and clicked enter. That seemed suspiciously fast for an actual secure login. So fast, the password could have been in the Code...
Yesterday I copied that program and put it into a decompiler.
And... I was right.
There were the login credentials in plain text. Also, haven't thought of it but, IP address + username + password + database name were there in plain text, too.
Guess I am going to rewrite this program down to the core

In my ongoing quest to un-Google my life, I turned off the Whatsapp chat back up, which uses Google Drive. There's a message in that setting which says, "Media and messages you back up are not protected by Whatsapp end-to-end encryption while in Google drive".
Damn.
All my Whatsapp chats for years have been on Google servers in plaintext.
I assumed it uploaded one massive encrypted archive.

I'd never do anything "risky" in a prod environment if I considered it so at the time, but in retrospect there's *lots* of things considered risky now (both from a security and good practice viewpoint) that were standard practice not long ago:

- Not using any form of version control
- No tests (including no unit tests)
- Not considering XSS vulnerabilities
- Completely ignoring CSRF vulnerabilities
- Storing passwords as unsalted MD5 hashes (heck that was considered very *secure* in the days of plaintext password storage.)

...etc. I'm guilty of all of those previously. I daresay in the future there will be yet more things that may be standard practice now, but become taboos we look back on with similar disdain.

Have been using redis for my new system and wanted to try some gui, so I stumbled on "redis desktop manager", it supports ssh tunnels, privatekeys and more, great isn't it?

BUT IT SAVES YOUR FUCKING PLAINTEXT PASSWORD AND PATH TO YOUR PRIVATE KEY IN %USER%\.rdm\connections.json

WHAT THE FUCK, fucking ask that password during connection, don't fucking save it in plaintext and give an attacker literally the path to my key, wanted to PR it, but fuck c++, probably thats why he doesnt have it, because hes just using some library, so he doesn't have to fuck with the actual implementation of it.

sure.... That seems a reasonable arrangement of Gibberish =_=

A good life lesson:
1. DON'T DELETE FILES YOU MAY WANT TO RECOVER

And if you DO delete them and then recover them, then
2. DON'T SEND THE RECOVERED FILES TO A·N·Y·O·N·E

Today I found a lost µSD card in the street. I did what every sane person would do -- plugged it into my laptop :)

There I found a directory with recovered pictures. I figured, some of them may contain the author's info in metadata, so I ran a quick plaintext search for @gmail.com.

Turns out, inside some of the recovered picture files I could find embedded company director's emails in plain-text. I mean, open the picture with a text editor and read through those emails - no problem! And these emails contain some quite sensitive info, e.g. login credentials (lots of them).

Bottom line, if you delete and recover your files, then do your best to keep them close: don't share them, don't lose them. You might be surprised what these recovered files may contain

Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.

According to TechCrunch : Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in ; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

You can't decrypt plaintext.

Client asked us to modify site made in some obscure CMS. Authentication on AJAX request is done by sending email and password as plaintext in header and then it would do md5 on server side

My university has a internal developed system, where everything is managed from e-mails, exams to personal data.

What I'd like most about it, they talk all day about Internet Security and store our passwords in plain text and if you press the "I've forgott my Password button", they even send your password unencrypted, plaintext via e-mail. (Hello Wiresharks)

I don't know how to feel about this, it just hurts :(

Hang on... If online banks ask you for the n'th, m'th and p'th character of your password, they must be storing it on plaintext! WTF? I don't even understand why they do that in the first place.

Dear Arch Linux Maintainers. Why the fuck are you sending me my password in plaintext?! Not enough: You are sending me my fucking password every fucking month, so i do not forget it, because its important!??!?!?! WHAT THE FUCK! Fucking idiots...

It's okay to be confused with everything and life, but hey, stay away from production DB

Guys. I think h1z1 stores passwords in plaintext......

I've always thought I was somewhat lazy about not caring about plaintext password in RAM in WPF (or whatever) but then this guy made a super valid point...

I really think a hacker would just keylog at that point rather than trying to read your obscure program's memory for your password... especially if they have access to raw memory...

A conversation between an offshore developer and his manager at a fortune 500:

I'm a software developer and the company I work for is a vendor for $manager's and $offshore_dev's company. They provide endless hours of entertainment/terror. Recently, we've been trying to convince them that they need to stop sending sensitive information plaintext over HTTP and set up TLS/HTTPS which has led to tons of fun conversations such as this one they had during a conference call:

* $manager: "Did $offshore_dev implement TLS1.2?"
* $offshore_dev: "Yes, we enabled a parameter in the code to enable TLS1.2 in the code but according to $me's email, this requires HTTPS in order to work."
* $manager: "No this works, we're using TLS in $other_application right now."
* $offshore_dev: "Well, $manager, it's implemented but it currently doesn't encrypt anything as such."
* $manager: "Okay, HTTPS is in the roadmap in the next quarter, we can move forward without this for now."

I found an api that doesn't offer https when you use their free plan.

FFS, you have to send your api in plaintext... What dumbass of a developer didn't step up to marketing and told them to shut their fucking uneducated mouths

***ILLEGAL***
so its IPL(cricket) season in india, there is a OTT service called hotstar (its like netflix of india), the cricket streams exclusively on hotstar..
so a quick google search reveals literally thousands of emails & passwords, found a pastebin containing 500 emails&passwords ...but those are leaked last year most of passwords are changed & many of them enabled 2FA.. after looking through them we can find some passwords are similar to their emails , some contains birth year like 1975,1997 etc, some passwords end with 123 ..so after trying a few different versions of the passwords like
1) password123 -> password@123, password1234
2) passwordyear -> password@year
2) for passwords similar to emails, we can add 123 ,1234, @ etc
created a quick python script for sending login requests

so after like 30-40 mins of work, i have 7 working accounts

*for those who have basic idea of security practices you can skip this part

lessons learnt
1) enable 2FA
2) use strong passwords, if you change your password , new password should be very different from the old one

there are several thousands of leaked plaintext passwords for services like netflix,spotify, hulu etc, are easily available using simple google search,
after looking through & analysing thousands of them you can find many common passwords , common patterns
they may not be as obvious as password ,password123 but they are easily guessable.
mainly this is because these type of entertainment services are used by the average joe, they dont care about strong passwords, 2FA etc

So here I am investigating something our users are claiming. I look up which user the UserId did the change and I see not only the user but also the users password in clear text in a separate field. I thought that field was for a password hint that the user can set up, but I asked around and apparently, no... It's literally the plain text version of the password stored in the database, next to the hash of the password.
Apparently, the users were so impossible to deal with that we added that column and for users that constantly pester us about not knowing their password and not wanting to change it, we added a plaintext password field for them :D

ZNC shenanigans yesterday...

So, yesterday in the midst a massive heat wave I went ahead, booze in hand, to install myself an IRC bouncer called ZNC. All goes well, it gets its own little container, VPN connection, own user, yada yada yada.. a nice configuration system-wise.

But then comes ZNC. Installed it a few times actually, and failed a fair few times too. Apparently Chrome and Firefox block port 6697 for ZNC's web interface outright. Firefox allows you to override it manually, Chrome flat out refuses to do anything with it. Thank you for this amazing level of protection Google. I didn't notice a thing. Thank you so much for treating me like a goddamn user. You know Google, it felt a lot like those plastic nightmares in electronics, ultrasonic welding, gluing shit in (oh that reminds me of the Nexus 6P, but let's not go there).. Google, you are amazing. Best billion dollar company I've ever seen. Anyway.

So I installed ZNC, moved the client to bouncer connection to port 8080 eventually, and it somewhat worked. Though apparently ZNC in its infinite wisdom does both web interface and IRC itself on the same port. How they do it, no idea. But somehow they do.

And now comes the good part.. configuration of this complete and utter piece of shit, ZNC. So I added my Freenode username, password, yada yada yada.. turns out that ZNC in its infinite wisdom puts the password on the stdout. Reminded me a lot about my ISP sending me my password via postal mail. You know, it's one thing that your application knows the plaintext password, but it's something else entirely to openly share that you do. If anything it tells them that something is seriously wrong but fuck! You don't put passwords on the goddamn stdout!

But it doesn't end there. The default configuration it did for Freenode was a server password. Now, you can usually use 3 ways to authenticate, each with their advantages and disadvantages. These are server password, SASL and NickServ. SASL is widely regarded to be the best option and if it's supported by the IRC server, that's what everyone should use. Server password and NickServ are pretty much fallback.

So, plaintext password, default server password instead of SASL, what else.. oh, yeah. ZNC would be a server, right. Something that runs pretty much forever, 24/7. So you'd probably expect there to be a systemd unit for it... Except, nope, there isn't. The ZNC project recommends that you launch it from the crontab. Let that sink in for a moment.. the fucking crontab. For initializing services. My whole life as a sysadmin was a lie. Cron is now an init system.

Fortunately that's about all I recall to be wrong with this thing. But there's a few things that I really want to tell any greenhorn developers out there... Always look at best practices. Never take shortcuts. The right way is going to be the best way 99% of the time. That way you don't have to go back and fix it. Do your app modularly so that a fix can be done quickly and easily. Store passwords securely and if you can't, let the user know and offer alternatives. Don't put it on the stdout. Always assume that your users will go with default options when in doubt. I love tweaking but defaults should always be sane ones.

One more thing that's mostly a jab. The ZNC software is hosted on a .in domain, which would.. quite honestly.. explain a lot. Is India becoming the next Chinese manufacturers for software? Except that in India the internet access is not restricted despite their civilization perhaps not being fully ready for it yet. India, develop and develop properly. It will take a while but you'll get there. But please don't put atrocities like this into the world. Lastly, I know it's hard and I've been there with my own distribution project too. Accept feedback. It's rough, but it is valuable. Listen to the people that criticize your project.

Bad: Delete your production database
Good: Have a backup
Bad: Can't reimport it because your backup procedure uses scheme that are no longer supported for import by your cloud provider
Good: Backup are plaintext and somehow easy to parse
Bad: Spending the rest of the day writing scripts to reinsert everything.

End of the story: everything is up and running, 8hours of efforts

- i registered at ***.com (pet store) with a super secure password and then they send me a welcome email with the password in plaintext...
- well, it sucks to have pets

A large update on UI rolls out, after around 10 rounds of public testing. Waves of complaints finally arrive.
Complaint 1: I liked the old plaintext UI because the UI now has some markdown
Complaint 2: I wish the tabs weren't multiline but I don't want to reduce the number of tabs nor sacrifice the accessibility by making it scrollable or something
Complaint 3: Why did you make boxes we did it fine with a single box filled with plaintext
Complaint 4: The lag is gone but I liked the old laggy UI because it was there for years

Me: dafuq?

PS: dev lead is happy with the results so things are okay at least for now

If you think parametised queries will save the day think again.

I occasionally test sites I visit throwing a few quotes at inputs and query params.

I also always test logging in as % with user or pass.

Not only are plaintext passwords a thing but so is this:

WHERE username LIKE ? AND password LIKE ?.

Once I saw an OR.

Google, please explain to me: Why the fuck would you create a hardcoded requirement in your libraries to use a plaintext json file with credentials to your API?

Credentials which give full access to all of the company email, addresses, cloud services, etc?

And why would you accompany this in your docs with example implementations which read as if they were an intern's first coding project — non psr compliant PHP, snippets of Go which won't compile due to type errors...

I'm starting to become convinced that the whole of the Google Cloud API was actually written by thirteen year old who found their parent's liquor cabinet.

Fuck this I'll build my own Google.

That's how this boy pushed Lorem ipsum to play store and the app now has an update v1.0.1

Compare against hardcoded plaintext password...
In Javascript...

Who the fuck congratulates themselves over email sent to others, these are the fuckers that will probably send you password in plaintext when you want to recover it.

What's your opinion on designed emails?

Do you have a themed template when writing to s.o. or do you use plaintext?

Or when an interesting newsletter offers both HTML and plaintext - which do you prefer?

I've actually really enjoyed getting to interview people. Mostly because I'm given the freedom to ask reasonable questions. At this point, my favorite is asking fresh grads to come up with requirements to make their favorite portfolio bit production-ready.

I want a list of things you need to fix because they're duct tape and bubblegum, but a lot of people sit there with passwords in plaintext and suggest new features.

# NEED SUGGESTIONS

I am working on a secure end to end encrypted note taking web application. I am the sole developer and working on weekends and will make it open source.

The contents you save will be end to end encrypted, and server won't save the key, so even I can't read or NSA or CIA.

So I wanted to know if the idea is good? There are lot of traditional note sharing apps like Google Keep and Evernote. But they store your stuff in plaintext. So as a user will u switch to this secure solution?

Boss hired a freelancer to work on a new reporting dashboard. Freelancer also built a backed. Boss wants me to work on fixing that backend. I check out the DB first only to find plaintext passwords. I threw up a little.

In university, I got really into cryptography. I wrote software that was testing the entropy of lots and lots of HTTPS encrypted packets, for sites that also supported HTTP. Meant that I had a pretty good idea what the plaintext was, and the quality of the encryption algorithms used. In the end, I got into lots of trouble with my university because apparently what I was doing could be deemed 'dangerous'! Never felt more like a hacker in my life.

Signed up for an account on an online store, which then proceeded to send me my full password in plaintext, and in an unencrypted email.

Sent them an email 3 weeks ago detailing the security issue (i was extremely nice about it), but no response.

What else can i do?

So I received an email from IEEE with my account credentials in plaintext and properly labelled as username and password.

Outlook just thinks it's smart by removing "extra linebreaks".
It's not like we had a special thought in mind as we formatted the plaintext mail as we did.
There is certainly no reason why we choose to break after exactly that word.
Outlook is much smarter than us, so we should be grateful for its insight. NOT.

And now we have to instruct customers to click the correct banner to display the linebreaks as they were sent.

And HTML is not an option in this use case.

The importance of not using static salt / IVs.

I've been working on a project that encrypts files using a user-provided password as key. This is done on the local machine which presents some challenges which aren't present on a hosted environment. I can't generate random salt / IVs and store them securely in my database. There's no secure way to store them - they would always end up on the client machine in plain text.

A naive approach would be to use static data as salt and IV. This is horrendously harmful to your security for the reason of rainbow tables.

If your encryption system is deterministic in the sense that encrypting / hashing the same string results in the same output each time, you can just compile a massive data set of input -> output and search it in no time flat, making it trivial to reverse engineer whatever password the user input so long as it's in the table.

For this reason, the IVs and salt are paramount. Because even if you generate and store the IVs and salt on the user's computer in plaintext, it doesn't reveal your key, but *does* make sure that your hashing / encryption isn't able to be looked up in a table

I changed my twitter password on web on the day they discovered the passwords in plaintext in their logs, and till today, I've not been logged out of the mobile client

Can you write me a sync plugin for this API. Wait the 'authentication' is with a 'key' in a plaintext unsecure GET request with no throttling? #omg

Now why would you set Content-type application/json as a response header if your response is plaintext? 🤔

Have people no respect for http headers anymore?

@all Next year I wanted to start a project, in which a neural network lerns programming out of a plaintext documentation... Eg: when u click on the button, a messagebox says helloworld gets translated into...

Connect (somestuf)

Fucntion
Showmessage (blablabl)

... For this I would need many people who actually help me out by giving thu neural network examples... Who would be interested in helping that project?? Itwould mean, that u first write that docs and then get the compiled file xD

So, I ran a test on one of the education websites I'm currently using (AT SCHOOL!!) To see how secure they are...... They sent me my password in plaintext FFS!

Okay so if a company decides to use md5 for hashing passwords after a million users already registered how the hell will they transition to any other way of storing passwords. As they don't have plaintext to convert them into the new hashing function.

At some point I need to do an older project i've had on hold a while, but it'd require writing my own ROM patch system as a major step in completing it, as i'd need to dynamically patch stuff into older games based on system, which current patch formats don't allow for. (This project will also help me learn a few things I need for yet more projects I've got stashed away, so it needs to happen eventually.)

Now, the interesting part: the patch format. I was debating on whether to use binary data, like IPS/BPS and similar formats do, which would be easier to implement... but if I were to have plaintext patches, you'd be able to not only understand what's happening, but also have things like scripting and conditionals and user-defined options and such. This would be WAY harder to implement, slow as fuck, and require an assembler per-target-system, either external or internal... but it'd be transparent, editable, and hella extendable.

This would all happen after I'm both over my burnout AND done chewing through my current stack of projects and such, of course, but still... which sounds better to you, dear reader?

my sophomore year of highschool I went to a public hangout / study area after class was over and installed a raspberry pi above the ceiling tile. I ran a cord along the wall and into the ceiling to power the device. I ran a sniffing script over the next few weeks and collected all the user/pass data that went through in plaintext. You'd be surprised what goes unencrypted... ;)

When after registration on some website you get your password, that you just set, send back to you in an email. Why the fuck do they store and transmit passwords in plain text.

Relatively often the OpenLDAP server (slapd) behaves a bit strange.

While it is little bit slow (I didn't do a benchmark but Active Directory seemed to be a bit faster but has other quirks is Windows only) with a small amount of users it's fine. slapd is the reference implementation of the LDAP protocol and I didn't expect it to be much better.

Some years ago slapd migrated to a different configuration style - instead of a configuration file and a required restart after every change made, it now uses an additional database for "live" configuration which also allows the deployment of multiple servers with the same configuration (I guess this is nice for larger setups). Many documentations online do not reflect the new configuration and so using the new configuration style requires some knowledge of LDAP itself.
It is possible to revert to the old file based method but the possibility might be removed by any future version - and restarts may take a little bit longer. So I guess, don't do that?

To access the configuration over the network (only using the command line on the server to edit the configuration is sometimes a bit... annoying) an additional internal user has to be created in the configuration database (while working on the local machine as root you are authenticated over a unix domain socket). I mean, I had to creat an administration user during the installation of the service but apparently this only for the main database...

The password in the configuration can be hashed as usual - but strangely it does only accept hashes of some passwords (a hashed version of "123456" is accepted but not hashes of different password, I mean what the...?) so I have to use a single plaintext password... (secure password hashing works for normal user and normal admin accounts).

But even worse are the default logging options: By default (atleast on Debian) the log level is set to DEBUG. Additionally if slapd detects optimization opportunities it writes them to the logs - at least once per connection, if not per query. Together with an application that did alot of connections and queries (this was not intendet and got fixed later) THIS RESULTED IN 32 GB LOG FILES IN ≤ 24 HOURS! - enough to fill up the disk and to crash other services (lessons learned: add more monitoring, monitoring, and monitoring and /var/log should be an extra partition). I mean logging optimization hints is certainly nice - it runs faster now (again, I did not do any benchmarks) - but ther verbosity was way too high.

The worst parts are the error messages: When entering a query string with a syntax errors, slapd returns the error code 80 without any additional text - the documentation reveals SO MUCH BETTER meaning: "other error", THIS IS SO HELPFULL... In the end I was able to find the reason why the input was rejected but in my experience the most error messages are little bit more precise.

New ad self-service portal too hard to integrate ssl and can't have users send their passwords in plaintext.

Setup apache proxy with ssl in same vpc to encrypt traffic to and from vpc.

All good as long as nobody is in my vpc sniffing traffic...

Super old affiliate management tool that wasn't updated since 2010 and stored all password in plaintext, including all coworker's and ceo's. I'm pretty sure it had some vulnerabilities to get those passwords from the outside as it was just a shitty piece of software. After finding that database it had to stay online for about a year against my recommendation until we had the chance to build an alternative.

Why is everybody using "wpa_passphrase" instead of "psk" in wpa_supplicant.conf is beyond me. You have an option to avoid plaintext passwords, the wpa_passphrase CLI tool even generates an entry for suppliant configuration, yet it seems nobody is using it.

N++ , nuff said. Plain as plaintext .