undefined | Better HN

0 pointsherbst4y ago0 comments

> Usually it's in the logs.

That is definitely not usual

0 comments

Facebook reported that they logged passwords in plaintext by accident a couple of years ago.

https://about.fb.com/news/2019/03/keeping-passwords-secure/

It's pretty common; a lot of places have blanket logging and it hasn't occurred to them to disable it for login attempts. It is obviously undesirable.

herbstOP4y ago

Not sure what you mean.

By default nether Apache nor Nginx log any post data. So with the 2 most popular options you actually have to go out of your way to enable this.

On the application side I mostly know Rails and it redacts even password hashes.

j / k navigate · click thread line to collapse