this post was submitted on 14 Jul 2026
919 points (98.9% liked)

Programmer Humor

32303 readers
2020 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] theneverfox@pawb.social 2 points 13 hours ago (1 children)

Better than hard coded... Ideally we use tokens+fingerprint or something to avoid storing the creds directly (if possible), but putting them in environment variables is pretty common

It's not the worst thing, it's very convenient (so people won't go around it) and usually not the weak point in security (although AI being able to easily see it is an interesting twist)

[–] percent@infosec.pub 1 points 4 hours ago* (last edited 2 hours ago) (1 children)

Of course it's better than hard coded, but still pretty bad to store production creds locally in plaintext — if at all.

In the uncommon event that I need production creds, it's a manual human chore by design. Normal development/experimentation should almost never connect to prod environments. That was generally a bad practice long before AI agents existed.

[–] theneverfox@pawb.social 1 points 1 hour ago

How do you bounce the system? How do you auto restart the service if it fails? At the end of the day, a lot of creds have to essentially be stored in plain text somewhere

And to be clear, to me production creds mean creds that live on the production system, not creds that give access to the production system

The crazier thing here is why was an AI working on or pushing to prod