by herbst 1808 days ago
> Usually it's in the logs.

That is definitely not usual

2 comments

Facebook reported that they logged passwords in plaintext by accident a couple of years ago.

https://about.fb.com/news/2019/03/keeping-passwords-secure/

It's pretty common; a lot of places have blanket logging and it hasn't occurred to them to disable it for login attempts. It is obviously undesirable.

Not sure what you mean.

By default neither Apache nor Nginx logs any POST data. So with the 2 most popular options you actually have to go out of your way to enable this.

On the application side I mostly know Rails and it redacts even password hashes.
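
As an added example that is not part of the thread: one way to keep blanket request logging from capturing login credentials, written in Python. The key fragments, mask string and function names are assumptions chosen for illustration, and this is not Rails' implementation.

```python
import logging
from urllib.parse import parse_qsl, urlencode

# Assumed key fragments, matched case-insensitively as substrings of field names.
SENSITIVE = ("passw", "secret", "token")
MASK = "[FILTERED]"

def is_sensitive(key):
    k = str(key).lower()
    return any(s in k for s in SENSITIVE)

def redact(value):
    """Recursively mask values stored under sensitive keys in dicts and lists."""
    if isinstance(value, dict):
        return {k: MASK if is_sensitive(k) else redact(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    return value

def redact_form_body(body):
    """Mask sensitive fields in an application/x-www-form-urlencoded body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, MASK if is_sensitive(k) else v) for k, v in pairs], safe="[]")

class RedactingFilter(logging.Filter):
    """Scrub log arguments before any handler formats the record."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True

def demo():
    # Constructed sample login request, as blanket request logging would see it.
    params = {"user": {"email": "a@example.com", "password": "hunter2"},
              "password_confirmation": "hunter2", "remember": "1"}
    records = []
    handler = logging.Handler()
    handler.emit = lambda r: records.append(r.getMessage())  # capture in memory
    log = logging.getLogger("login-demo")
    log.propagate = False
    log.addHandler(handler)
    log.addFilter(RedactingFilter())
    log.warning("POST /login params=%s", params)
    return records[0], redact_form_body("email=a%40example.com&password=hunter2")
```

The filter is attached to the logger rather than to a handler, so the record is scrubbed once before any handler sees it.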