November 25, 2025

Password confessions you can’t unsee

Stop Putting Your Passwords into Random Websites (Yes, Seriously, You Are the PR

People keep pasting logins into random sites and the comments are feral

TLDR: Researchers found tons of passwords publicly exposed via “formatter” sites where people saved and shared secret data. Commenters split between shock, YOLO password habits, and snark, turning it into a meme-filled warning: stop pasting your logins into random sites or expect chaos.

The internet just got caught with its passwords hanging out, and the crowd is losing it. In a new watchTowr deep dive, researchers found piles of exposed logins and secrets sitting on public links from “JSON formatter” websites—tools that prettify app data. Translation: people are copy‑pasting sensitive stuff into random sites and hitting “save,” then sharing the link like it’s a grocery list.

The comments are a circus. One user casually admits, “I keep all my passwords in a text file on my desktop,” triggering full-on facepalms. Another proudly practices password improv—no notes, no manager, just vibes—arguing resets are “fine.” Meanwhile, the serious folks point out this isn’t about reusing passwords; it’s about literally posting them online. When one formatter shut off its save feature citing “NSFW” (not safe for work) content, the crowd cackled: Yeah, nothing says NSFW like your bank login on a public link.

Hot takes flew. Some mocked the “YOLO security” crowd; others dunked on companies outsourcing their safety to tech tools they don’t understand. The mood: equal parts comedy and horror. The big lesson, delivered in meme form: Stop pasting secrets into random websites, use real tools, and maybe don’t share your bank’s keys with the entire planet.
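The "use real tools" advice, as an added example that is not from watchTowr or the original post: a JSON formatter that runs entirely on your own machine and masks secret-looking fields before the output gets shared. The key-name patterns, value patterns and sample document are constructed assumptions.

```python
import json
import re
import sys

# Assumption: key names that usually carry credentials; extend for your environment.
SECRET_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)
# Assumption: value shapes worth masking even under an innocent key name
# (PEM private keys, bearer tokens, URLs with embedded user:password).
SECRET_VALUE = re.compile(
    r"(-----BEGIN [A-Z ]*PRIVATE KEY-----|^Bearer\s+\S+|://[^/\s:]+:[^@\s]+@)")
MASK = "***REDACTED***"

def redact(node, findings, path="$"):
    """Return a copy of node with secret-looking values masked; record their paths."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if SECRET_KEY.search(key) and isinstance(value, (str, int, float)):
                findings.append(child)
                out[key] = MASK
            else:
                out[key] = redact(value, findings, child)
        return out
    if isinstance(node, list):
        return [redact(v, findings, f"{path}[{i}]") for i, v in enumerate(node)]
    if isinstance(node, str) and SECRET_VALUE.search(node):
        findings.append(path)
        return MASK
    return node

def format_locally(raw):
    """Pretty-print JSON without any network call; return (text, masked paths)."""
    findings = []
    cleaned = redact(json.loads(raw), findings)
    return json.dumps(cleaned, indent=2, sort_keys=True), findings

# Constructed sample input; none of these values are real.
SAMPLE = ('{"host":"dc01.example.internal","bind_user":"svc_ldap",'
          '"bind_password":"constructed-not-real",'
          '"db":{"url":"postgres://app:constructed@db.example.internal/app"},'
          '"retries":3}')

if __name__ == "__main__":
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    pretty, findings = format_locally(raw)
    print(pretty)
    for p in findings:
        print(f"masked: {p}", file=sys.stderr)
```

The masking is heuristic: hostnames, usernames and oddly named fields pass through, so read the output before sharing it.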

Key Points

  • watchTowr Labs reports discovering large volumes of publicly exposed passwords, secrets, and keys tied to sensitive environments.
  • The post is part of the ongoing “watchTowr vs the Internet” series documenting systemic internet-wide security issues.
  • Prior watchTowr research included demonstrating certificate issuance for .MOBI via abandoned WHOIS domains and leveraging backdoors to compromise government networks.
  • The article references earlier work compared in scale to the SolarWinds supply chain attack to contextualize severity.
  • An example highlights an MSSP posting bank Active Directory credentials on a public website, illustrating continued operational security failures.

Hottest takes

"I keep all my passwords in a text file on my desktop" — ThrowawayTestr
"I make up all my passwords on the spot and never write them down" — RyanOD
"Leaking your credentials is pretty unsafe for your work" — pavel_lishin