by com2kid 2920 days ago
Google shouts at you, about 500 times, to secure your Firebase instance. Tutorials are thrown at developers left and right, and the docs mention it again and again.

And the security system is super simple to implement. If the built-in language is too hard, a simplified templating language is also provided.

The plaintext password thing just confuses me. One of Firebase's big draws is integration with their auth system. Why in the world is anyone storing passwords in Firebase? Unencrypted?

2 comments

How many times do we need to go through issues like this before people realize that just yelling louder has no effect? Services like this should simply not function at all until basic things like a password are put in place.

> Services like this should simply not function at all until basic things like a password are put in place.

New Firebase instances start off locked down by default, not allowing global reads or writes.

The fact that this was not the default since the inception of the service is inexcusable. Sadly, too many other projects still take the approach of yelling at people in some document somewhere instead of forcing security by default.

I’m guessing because most developers have no training in web security. Using Firebase as an authentication tool, you’re not supposed to have access to users' passwords — unless you are specifically parsing for it and storing them into the database after account creation.