Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

A service or application has a backdoor password that was placed there by the developer.

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

NFS exports system-critical data to the world, e.g. / or a password file.

An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

PIM software for Royal daVinci does not properly password-protext access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access.

mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database.

BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password.

RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges.

Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file.

Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.

Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.

The installation of 1ArcServe Backup and Inoculan AV client modules for Exchange create a log file, exchverify.log, which contains usernames and passwords in plaintext.

A Windows NT domain user or administrator account has a guessable password.

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

Buffer overflow in bash 2.0.0, 1.4.17, and other versions allows local attackers to gain privileges by creating an extremely large directory name, which is inserted into the password prompt via the \w option in the PS1 environmental variable when another user changes into that directory.

NBase switches NH2012, NH2012R, NH2015, and NH2048 have a back door password that cannot be disabled, which allows remote attackers to modify the switch's configuration.