Skip to content
DevMeme
3086 of 7435
This Kong Stores Passwords in Plaintext
Security Post #3401, on Jul 10, 2021 in TG

This Kong Stores Passwords in Plaintext

Why is this Security meme funny?

Level 1: The Open Secret

Imagine you have a big secret – say, the answer to a puzzle or who you have a crush on – and you ask a friend to keep it safe. But instead of hiding that secret or writing it in a special code, your friend writes it on a big poster and sticks it on the wall for everyone to read. You’d be shocked and upset, right? This meme is joking about a similar situation, but with passwords on a website. Your password is like a secret key that only you and the website are supposed to know. Normally, the website should lock it up in a coded form so no one else can read it. But here, the website did something silly: it kept the password in plain text (just normal writing) and even emailed it back to you exactly as it is. That’s like the website shouting your secret out loud instead of keeping it locked up. In the pictures, the cartoon monkey (from Donkey Kong) looks more and more defeated in each panel – just like we feel when we realize our secret password isn’t secret at all. It’s funny in a “I can’t believe they did that” way, because even kids know you shouldn’t show everyone a secret. So when a site doesn’t hide your password, it’s so absurd that it makes us laugh a little, but it’s also scary because it means our private information isn’t safe. The poor ape in the meme is basically all of us thinking, “Uh-oh, I trusted them with my secret, and they didn’t protect it at all.”

Level 2: Plain to See

Let’s break down what’s happening in this meme in simpler terms. The scenario is about a password reset email – normally, when you click "Forgot my password," the website should send you a link to reset it or a temporary code. However, in this case the email actually shows your current password in plaintext (i.e., written out exactly as you originally set it, with no hiding or masking). This is a huge red flag in security.

  • Plaintext password: This means the password is stored with no protection – not encrypted, not hashed, just sitting in the database as regular text. If your password is Banana123, the database literally has "Banana123" in it. Anyone who gains access to that database (a malicious hacker or an irresponsible insider) can read it. It's like having a diary where your secret is written plainly on a page instead of in special code – anyone who opens it can see everything.

  • Hash: A hash is essentially a one-way scrambled version of your password. When you create a password, the system can run it through a special function (a hash function) that turns Banana123 into a seemingly random string of characters (for example, it might become 5e6a1b...). The important part is that this process is not meant to be reversible – you shouldn't be able to take 5e6a1b... and easily get "Banana123" back out. When you log in, the system hashes the password you type and compares it to the stored hash to see if they match. Not using a hash means the system isn’t doing this; it’s just keeping the original password around in a readable form.

  • Salt: In password security, a salt is some extra random data added to your password before hashing. For instance, the system might take "Banana123" and add a random string like "XyZ!@#", making "Banana123XyZ!@#", and then hash that. The salt is different for each user and is stored along with the hash. The reason to do this is so that even if two people have the same password, their stored hashes will look different. It also helps defend against rainbow tables (which are like giant cheat-sheets of common passwords and their hashes). Without a salt, if two users both chose "Password1", a hacker would see the exact same hash value for both in the database and immediately know those users used a common password. Salting is a basic practice to make guessing or cracking passwords much harder.

Now, the meme says "He has no hash" and "He has no salt," emphasizing that this system skipped both of those steps. In other words, they are likely storing passwords in a raw readable form. This is often referred to as storing passwords in plaintext, and it's one of the worst things you can do, security-wise. It's practically an invitation for trouble. If someone hacks that database, they don't have to crack or guess the passwords – they literally just get all the passwords handed to them. By contrast, if the passwords were hashed (and especially if they were hashed with salt), the hacker would only obtain jumbled strings that they'd then have to spend a lot of time and computing power to try to turn back into the real passwords (and for a strong hash algorithm with salt, that is extremely difficult).

A common best practice is to use strong hash algorithms (like SHA-256 or, even better for passwords, a specialized hasher such as bcrypt or Argon2) with a unique salt per user. This means even if two users choose the same password, their stored hashes will be different, and hackers can’t use one cracked password to automatically get another. Not having a salt, and not hashing at all, throws all those protections out the window.

Also, you might wonder, what about Encryption? That means transforming data so it’s unreadable without a secret key. Some naive systems might think, "Well, we could encrypt the password and then decrypt it to send it via email." But that’s also a bad idea – if the system can decrypt the password, then a hacker who breaks in could also find the key and decrypt the passwords. With proper hashing, there is no decryption; even the website doesn't know your password once it's hashed. That’s why secure sites never email you your existing password – they themselves don’t have it in a readable form. They opt for a password reset link or code instead.

The images in the meme are from a classic Nintendo game, Donkey Kong 64. The character shown is an orangutan-like ape (Chunky Kong) on a wooden stage. The text in the meme parodies a line from the game’s goofy theme song (the "DK Rap"). In the original song, they sing, "He has no style, he has no grace." Here it’s changed to "He has no hash, he has no salt" as a nerdy joke. The final line, "THIS KONG IS STORING PASSWORDS IN PLAINTEXT," is the meme explicitly shouting the problem. Chunky Kong’s slumped, defeated posture in that last image perfectly captures how a developer or security-aware person feels upon realizing a website is doing this. It's like a combination of shock and "oh no..." rolled into one image.

So, to put it simply: this meme highlights a huge security vulnerability where a website isn’t keeping passwords secret the way it should. Instead of hashing (scrambling) and salting (adding randomness) to protect passwords, they just kept them as plain text. We find it both shocking and darkly funny because it’s such an obvious no-no in the tech world. The meme uses a funny video game reference to get the point across, but the takeaway is serious: if you ever see your password being sent to you in plain text, you know something is very wrong with that site's security practices.

Level 3: No Hash, No Salt, No Hope

So you open a password reset email and, to your absolute dismay, it contains your actual password in plain text. Any seasoned developer's reaction is a mix of laughter and horror: they did what? It's the hallmark of an utterly insecure design. This meme captures that feeling by referencing the old Donkey Kong rap: in the game’s song, one verse goes "He has no style, he has no grace." Here it's twisted into “He has no hash, he has no salt,” and finally the punchline spells it out: “THIS KONG IS STORING PASSWORDS IN PLAINTEXT.” The cartoon ape (Chunky Kong from Donkey Kong 64) goes from crouching in shock to slumping in defeat, just like a developer discovering each layer of this security disaster:

  • First panel, "He has no hash": Wait, this app isn't hashing passwords at all? That's Security 101 – strike one.
  • Second panel, "He has no salt": Wow, they didn't even try to add a salt for uniqueness – strike two.
  • Third panel, "storing passwords in plaintext": Yep, it’s confirmed. Strike three, you're out – this is a full-blown credential_storage_failure.

For experienced devs, this progression is painfully relatable. We’ve all heard the horror stories (or lived them). The meme’s humor is that it’s so on-the-nose: it's basically narrating the internal monologue of a developer who just realized a company's entire password database is a ticking time bomb. It's funny in the way gallows humor is funny – you laugh because otherwise you'd cry thinking about the fallout.

Every senior engineer knows that storing passwords in plaintext is one of the gravest SecurityFlaws imaginable. It's like leaving the keys to the kingdom under the welcome mat. If an attacker ever breaches the database or intercepts that password reset process, all user passwords are immediately compromised. No hashes to crack, no encryption keys to find – just free credentials. It's the ultimate example of SensitiveDataExposure: secret data (user passwords) exposed in its raw form. And it doesn’t matter whether users chose strong or WeakPasswords – plaintext storage makes all of them vulnerable instantly. (In fact, attackers love weak passwords in plaintext dumps because they can try those credentials on other services people use.)

The caption about no salt drives the point home further: even if the developers had hashed the passwords (which they didn't), not salting would still be a rookie mistake. Salting prevents attackers from using precomputed hash dictionaries (rainbow tables) and stops them from instantly spotting if many users share the same password. Not using a salt suggests the developers have never read even the first chapter of a security handbook. It's absurd enough to be darkly comedic. What’s next, storing credit card CVVs in a public spreadsheet?

The fact that the password reset email shows the actual password is the smoking gun. Modern systems never do that – instead, they send a one-time reset token or link. If I see my password echoed back to me in an email, I immediately know: "Oh no... they know my password. In fact, anyone with database access or logs probably knows it too." It's a huge red flag. As a user, you'd be right to freak out and go change that password everywhere else you used it. As a developer, you feel a mix of smugness ("I know exactly what's wrong here") and dread ("People still do this in 2021?!").

This meme resonates with the battle-scarred developer crowd because it points out an almost cartoonish level of negligence. It's the kind of mistake that keeps incident response teams employed and makes it into security conference talks as a cautionary tale. Many of us remember real incidents: the RockYou breach where 32 million plaintext passwords got leaked, or when LinkedIn's unsalted hashes were cracked with laughable ease. Those events were basically the real-life version of what this meme depicts. So when we see Chunky Kong looking defeated, we imagine the poor IT guy or security auditor who discovers such a setup in their company’s system – head in hands, muttering "you have got to be kidding me."

On top of that, the meme uses a cheeky video game reference to amplify the message. The Donkey Kong 64 rap was infamous (and a bit cringe) in gaming circles, with lyrics like "He has no style, he has no grace, this Kong has a funny face." By swapping in "no hash" and "no salt," the meme creators perfectly bridged a silly nostalgic reference with a serious tech screw-up. It’s an inside joke layered on an inside joke: if you’re a dev who grew up on Nintendo, you get an extra chuckle. But even if you miss the DK rap reference, the image of a forlorn ape and the clear captions get the point across immediately.

In a senior dev meeting, if someone showed these images, you'd get groans and knowing chuckles around the table. Everyone might start sharing war stories:

"I inherited an app from 2005 that did this, and the first thing I did was spend a week refactoring it to use bcrypt. The users had to all reset their passwords and boy were they mad – but it had to be done."

"We failed a security audit once because an old legacy system was storing admin passwords in plain text. The scramble to fix that before the next audit was not fun."

It’s sadly a common enough scenario that the humor hits home. The meme exaggerates it into a dramatic format (thank you, Donkey Kong), but beneath the exaggeration is a very real caution: don’t be that developer or that company. The tone might be humorous, but the lesson is deadly serious. In the world of software, this kind of mistake is how you end up on the front page of data breach news.

So, this level of analysis appreciates the meme’s wit while also nodding vigorously at the underlying truth. It’s a senior developer’s nightmare encapsulated in a few silly screenshots: a system with zero regard for security, and the inevitable facepalm that follows. No hash? No salt? No hope. You can practically hear every experienced engineer saying, “This is fine 😬,” in that meme-within-a-meme way. It’s funny because we all know how badly this can end, and we nervously laugh, grateful that at least this time it’s just a meme and not our production server.

Level 4: Rainbow Table Rumble

Picture a cryptographic catastrophe in the making. In modern Security architecture, passwords are never stored in their original form (plaintext). Instead, they go through a one-way hash function — a mathematical transformation that is computationally infeasible to invert. The idea is simple: even if an attacker steals the stored hash, they shouldn’t be able to recover the original password without brute-forcing it. Typically, we also add a unique salt (a random string) to each password before hashing to defeat rainbow tables (precomputed lookup tables of hash values for common passwords). By salting, identical passwords produce completely different hash outputs, and attackers can't reuse precomputed hashes across multiple accounts.

Now, in this meme’s horrifying scenario, none of those precautions are in place. No hash means the application isn’t using any cryptographic one-way function at all – the password is basically sitting in the database exactly as you typed it. No salt means they didn't bother to introduce any user-specific randomness. The result? This system is effectively storing credentials in plaintext, which is a cardinal sin of Cryptography and secure software design. It violates fundamental principles like confidentiality and one-way encryption that have been established for decades.

To put this in context, storing a password in plaintext is like publishing a user's secret in a public ledger – an attacker who gains database access doesn’t need any sophisticated cryptanalysis or cracking tools; they can just read the passwords directly. Even the most rudimentary hashing (like an unsalted MD5, which itself is weak by today’s standards) would at least force an attacker to do some work to reverse it. But here, there's an utter absence of computational barriers. The defense is zero, which is why any cryptography engineer seeing a plain text password in a reset email would recoil in horror.

From a theoretical standpoint, this is a failure to apply the very concept of a one-way function. A proper hash function H(password) should produce a digest (like 0x5e884... for "password"). Without hashing, we have effectively the identity function: I(password) = password. That's not security; that's a no-op. Combine that with no salt and you eliminate protections against dictionary attacks and rainbow table attacks entirely. The absence of a salt means that if two users by chance have the same password "banana123", the database will store exactly the same string for both. An attacker could identify common passwords immediately or use one cracked password to compromise multiple accounts. Salt is supposed to add entropy and uniqueness – mixing a random value into the password (e.g., H(password || salt)) so that even if two users choose "banana123", their stored hashes look totally different (say H("banana123||salt1") = X vs H("banana123||salt2") = Y). By not salting, they've thrown away a critical layer of defense.

The meme’s tagline “HE HAS NO HASH, HE HAS NO SALT” succinctly summarizes a complete disregard for these cryptographic best practices. It implies the developers either lack understanding of basic Encryption and hashing concepts, or willfully ignored them. In formal security reviews (like an OWASP audit), this would be flagged as a critical severity vulnerability under categories like Sensitive Data Exposure or Insecure Storage. Any seasoned security engineer or cryptographer reading that plaintext password email would likely do a double-take and utter something along the lines of, "Are they seriously storing passwords in clear text?" – possibly followed by a face-palm. It's a scenario where all the theoretical warnings about password storage have been ignored, creating a perfect storm for an eventual breach.

Even historically, the importance of hashing and salting passwords has been known since the early days of multi-user operating systems. Unix systems in the 1970s used the crypt() function (a form of DES-based hashing) with salts to store passwords in /etc/passwd (later /etc/shadow to hide them from normal users). These practices were put in place specifically to avoid what this meme is depicting: the nightmare of credentials being compromised wholesale. So encountering an application in 2021 that doesn’t even attempt hashing or salting is not just a minor oversight—it’s a direct throwback to the dark ages of computer security. It's the cryptographic equivalent of discovering that a supposed high-security vault uses a child's toy lock — simultaneously absurd and alarming.

At the theoretical level, password hashing leverages the properties of certain functions that are easy to compute but hard to invert. For example, given an output h = H(p), finding p (the password) from h should require exhaustive search (on the order of $2^{128}$ operations for a 128-bit secure hash, for instance). Throw in a unique salt for each password, and the complexity multiplies because an attacker cannot re-use work across accounts. By skipping both these measures, the developers left the system with effectively O(1) protection: one look and the secret is out. There’s no cryptographic puzzle for an attacker to solve, no math problem to grind through — just a free buffet of credentials.

In summary, the meme zeroes in on a scenario that makes cryptographers and security experts cringe: a complete breakdown of password storage protocol. The humor (and horror) lies in how flagrantly the system violates well-known cryptographic safeguards. It's a Rainbow Table Rumble waiting to happen — if this database ever leaks, attackers won't be cracking hashes at all, they'll be logging in directly with users' actual passwords. In other words, no hash + no salt = no security.

Description

This is a three-panel meme that uses characters and themes from the video game Donkey Kong 64 to criticize poor password security. The top of the image has text that reads, 'When the password reset email shows your password in the clear...'. Below this, three panels feature the character Lanky Kong. The first panel's caption is 'HE HAS NO HASH', the second is 'HE HAS NO SALT', and the final, bottom panel concludes with 'THIS KONG IS STORING PASSWORDS IN PLAINTEXT'. The meme cleverly parodies the lyrics of the 'DK Rap' from the game, replacing the original lines about style and grace with fundamental security concepts. For senior developers, this is a direct and humorous jab at any system that fails to hash and salt user passwords, which are basic, non-negotiable security practices. Receiving your password in a reset email is a dead giveaway that the service is storing it in plaintext, a massive security vulnerability that exposes all users

Comments

58
Anonymous ★ Top Pick Finding plaintext passwords in a database is the adult version of finding out the DK Rap lyrics were actually meant to be serious
  1. Anonymous ★ Top Pick

    Finding plaintext passwords in a database is the adult version of finding out the DK Rap lyrics were actually meant to be serious

  2. Anonymous

    When a reset email coughs up my password in plaintext, I skip the pentest and just `grep -R "INSERT INTO users VALUES("` - if they’ve never met bcrypt, they’re probably blind-dating SQL injection too

  3. Anonymous

    The real security vulnerability here isn't the plaintext storage - it's that after 20 years in this industry, we still have to explain to product managers why 'but the customer wants to see their password' isn't a valid requirement, right before they ask if we can just ROT13 it twice for 'extra security'

  4. Anonymous

    When your password reset email reveals your actual password, you know someone skipped the entire OWASP Top 10 and went straight to 'A02:2021 - Cryptographic Failures: Speedrun Edition.' It's the security equivalent of finding out your bank stores account numbers in a public Google Sheet - technically impressive in its commitment to doing everything wrong. At least they're consistent: no hash, no salt, just raw passwords marinating in a VARCHAR(255) like it's 1995. The real tragedy? Somewhere, a senior architect approved this in a design review while nodding sagely about 'keeping it simple.'

  5. Anonymous

    This Kong's DB schema: passwords varchar(255), security varchar(0)

  6. Anonymous

    My reset email included my password; turns out their auth is literally SELECT password FROM users, KDF: none, salt: regrets, and the KMS is the Sent folder - end-to-end plaintext

  7. Anonymous

    If your app can email my password, that wasn’t a reset - it was SELECT password FROM users; their KDF is ‘hope’ and the breach report writes itself

  8. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

    Encryption can't be broken thats not present.

  9. @RiedleroD 5y

    storing all the keys and salts in the same table as the passwords

  10. @viktorrozenko 5y

    if my recollection is correct, having access to a salted hash and the salt doesn't actually pose a risk as rainbow tables (the sole reason to use salts) are still useless even if you have the salt

    1. @RiedleroD 5y

      I don't know that much about encryption, I'm just trying to be somewhat funny.

      1. @viktorrozenko 5y

        i was just a bit concerned with my own knowledge. cuz we do have to implement such data stores at work

        1. @RiedleroD 5y

          I have 0 practical knowledge in the field, I'm taking your answer over mine every time. But do research it if you're unsure.

    2. dev_meme 5y

      _Currently_ existing rainbow tables are useless. Nothing prevents you from generated new one specifically for leaked DB / salts of selected users. But yes, entire process still is a mess and problematic. Anyway, good, strong password with weird symbols still could be considered as "unbreakeable".

      1. dev_meme 5y

        with or without rainbow tables

      2. @viktorrozenko 5y

        Thanks :)

        1. dev_meme 5y

          Just don't use md5 or similar outdated unsafe shit

          1. @viktorrozenko 5y

            Ofc not. I'm not that retarded

            1. dev_meme 5y

              Good for you!

  11. @viktorrozenko 5y

    😂

  12. @viktorrozenko 5y

    and i was afraid that if i'm wrong... then we're fucked

  13. @furqan 5y

    is this still a reality?

  14. @furqan 5y

    I mean do organizations still store passwords? in plain texts?

    1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

      Some yeah like startups or minecraft servers lol

      1. @furqan 5y

        how difficult is hashing for them? I mean what's the reason? I am baffled tbh

        1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

          They dont know better

          1. @furqan 5y

            https://www.google.com/search?q=best+practices+to+store+passwords+in+DB&oq=best+practices+to+store+passwords+in+DB First result:

      2. @feskow 5y

        Imagine writing minecraft plugin that stores players' pasword in plain text for admin to see lol

        1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

          Lol thats probably real

        2. @sylfn 5y

          and placing some backdoor to join as admins on other servers

          1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

            😂😂😂

          2. @feskow 5y

            2b2t in a nutshell

          3. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

            Like that PHP hack recently

            1. @furqan 5y

              do you have a link about this?

              1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

                Yeah

              2. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

                https://www.google.com/amp/s/arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-after-breaching-internal-git-server/%3famp=1

          4. @furqan 5y

            hahaaha

    2. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

      Btw just remembered that telegram stores the local pin in plain text lol

      1. @RiedleroD 5y

        I mean, the pin is mostly for toddlers to not accidentally send stuff, no?

        1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

          Well yeah because all pictures and media is unencrypted in the folder too

          1. @RiedleroD 5y

            a non-issue then

            1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

              But the problem occurs when u use the same pin on other places

              1. @RiedleroD 5y

                that's the users fault imo

                1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

                  Yeah😂😂😂😂

                2. @furqan 5y

                  hahah yeah but apparently cause of users faults company's names get tarnished so thye have to keep in mind that the users going to be a dumbass

                  1. @RiedleroD 5y

                    there really is no justice in this world…

                  2. Deleted Account 4y

                    If you don't put a warning saying "we store your (pin|password|details) in plaintext, it's wrong to do so.

                    1. @ZgGPuo8dZef58K6hxxGVj3Z2 4y

                      Yeah this should be a regulation. Good idea

                3. Deleted Account 4y

                  No

              2. @furqan 5y

                yeah, and many people do that duh

      2. @furqan 5y

        WOW the app lock pin?

        1. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

          Yes

        2. @ZgGPuo8dZef58K6hxxGVj3Z2 5y

          The one that is not stored online

      3. Deleted Account 4y

        Wait what

        1. @ZgGPuo8dZef58K6hxxGVj3Z2 4y

          And yeah this was the case I am not 100% sure but I think they store a hash now

          1. Deleted Account 4y

            Ok

  15. @RiedleroD 4y

    :0

  16. @sylfn 4y

    i use incorrect as my password: when I ever forget it, website reminds Your password is incorrect.

Use J and K for navigation