10

Short sad story:

The backend team in my company stores plain text passwords and I am making a view in the website to view all the users' passwords in the system
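For contrast with the setup described in the post, here is an added example (not code from the poster's company or from anyone in this thread) of what a password store looks like when the plaintext is never kept: passwords are run through a salted, memory-hard KDF (scrypt from Python's standard library; the N/r/p parameters are assumed illustrative values), logins are verified by recomputing the hash, and an "admin view" over the same table can only ever show usernames and hash metadata because the original passwords do not exist anywhere to be displayed. All user records here are constructed in the block.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: assumed illustrative values, tune for your servers.
SCRYPT_N = 2 ** 14   # CPU/memory cost (128 * N * r bytes of RAM, ~16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$digest."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(digest)
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False                       # malformed record, never a match
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=int(n), r=int(r), p=int(p), dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


# A stand-in for the users table: username -> stored hash record (constructed).
def register(users: dict, username: str, password: str) -> None:
    users[username] = hash_password(password)


def login(users: dict, username: str, password: str) -> bool:
    stored = users.get(username)
    if stored is None:
        # Still burn a hash so a missing user is not distinguishable by timing.
        hash_password(password)
        return False
    return verify_password(password, stored)


def admin_view(users: dict) -> list:
    """What an admin page can show: who exists and how their hash was built.

    The plaintext is not recoverable from the record, so there is nothing
    to leak even if this view (or the database) is exposed.
    """
    rows = []
    for username, record in users.items():
        scheme, n, r, p, _salt, _digest = record.split("$")
        rows.append({"username": username, "kdf": scheme,
                     "params": {"N": int(n), "r": int(r), "p": int(p)}})
    return rows


if __name__ == "__main__":
    table = {}
    register(table, "alice", "correct horse battery staple")
    print(login(table, "alice", "correct horse battery staple"))  # True
    print(login(table, "alice", "wrong"))                         # False
    print(admin_view(table))
```

Note that `verify_password` reads the cost parameters back out of the stored record, so a future increase of `SCRYPT_N` for new users does not break logins for existing ones; `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched.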

Comments
  • 2
    What's the company's name? Asking for a friend
  • 2
    Oh boy, that's a lot to unpack!

    - Did management decide this?
    - Did the backend guys not revolt?
    - Are there laws against this?
    - Is it a public system?
    - Is the admin panel running behind a firewall?
    - Is the admin panel well protected?
    - Could you anonymously report the company to plaintextoffenders?
    - How hackable is the system?
    - Are you going to object?

    Just curious :D
  • 2
    @endor it is in Egypt and I "Legally" can't say their name as per the contract
  • 1
    @alexbrooklyn never heard about plaintextoffenders before 👌
  • 3
    @alexbrooklyn

    1- Yes, management did.
    2- One did but their opinion was ignored
    3- In Egypt, I don't think so.
    4- Nope, private system for schools.
    5- Nope no firewall, just regular ass JWT Authentication.
    6- Admin panel can be unlocked if you get your hands on an authorization token
    7- I will, when I get out for sure.
    8- Regarding other security practices, they actually are trying their best.
    9- I was told to just accept and do what I was told because I am too young to understand business needs.
  • 2
    NO

    Don't be a Sinner
  • 1
    @asgs EXACTLY

    If >70% of the world tells you not to do it, then the business should just go fuck itself (simpler said than done of course...)
  • 1
    @kgbemployee if I'm not horribly wrong, it can only end in one way
  • 0
    Wait a minute do we work at the same company?
  • 0
    I'd refuse. Damn, I'd rather lose my job but I would not put others' sensitive info in jeopardy. And if they do fire me - I'd blow the whistle for sure.
  • 0
    @ahmedHusseinF business needs my ass, I would have argued that you can ask any security professional what's more appropriate and be sure that plain text passwords are not.
  • 0
    That's nothing. I had to download bank account details in plain text to my laptop in order to do any development
  • 0
    If fixing this would not be an option, I'd fucking resign.