It is a security risk for any application, and can have legal ramifications. In the following example, a developer's debugging code was accidentally checked into source code control and a few weeks later all users' private passwords were found in the console log for Tomcat – in production:

public void setKeyPassword(String password)
{
    // Debug line accidentally committed: the plaintext password goes to stdout,
    // which Tomcat captures in its console log.
    System.out.println("Setting key password: " + password);
    this.keyPassword = password;
}

The same leak occurs if every web service call is logged indiscriminately and one of those calls is login(username, password).

If you must debug passwords, do it in such a way that it can never inadvertently be checked into the project.
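One way to make a leftover debug line like the one above harmless, as an added example that is not from the original post: keep the secret in a wrapper type whose toString() redacts it, so string concatenation in a log statement can never emit the real value. The KeyStoreConfig and Secret names, and the sample password, are this example's own.

```java
import java.util.Arrays;
import java.util.Objects;

public final class KeyStoreConfig {

    /** Holds a secret; any implicit string conversion yields a redacted marker. */
    public static final class Secret {
        private final char[] value;

        public Secret(char[] value) {
            this.value = Objects.requireNonNull(value).clone();
        }

        /** Explicit accessor: the only way to obtain the real characters. */
        public char[] reveal() {
            return value.clone();
        }

        /** Best-effort wipe once the secret is no longer needed. */
        public void clear() {
            Arrays.fill(value, '\0');
        }

        @Override
        public String toString() {
            return "[REDACTED]";
        }
    }

    private Secret keyPassword;

    public void setKeyPassword(Secret password) {
        // A forgotten debug line now writes the redacted marker, not the password.
        System.out.println("Setting key password: " + password);
        this.keyPassword = password;
    }

    public static void main(String[] args) {
        KeyStoreConfig cfg = new KeyStoreConfig();
        // Constructed sample value for the demo only.
        Secret demo = new Secret("s3cr3t-demo".toCharArray());
        cfg.setKeyPassword(demo);
        demo.clear();
    }
}
```

Code that genuinely needs the characters must call reveal() explicitly, which makes any such use easy to find in review.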
