ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.

When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.

L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.

Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and password.

NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.

Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.

DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.

The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.

A service or application has a backdoor password that was placed there by the developer.

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

NFS exports system-critical data to the world, e.g. / or a password file.

An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

PIM software for Royal daVinci does not properly password-protext access to data stored in the .mdb (Microsoft Access) file, which allows local users to read the data without a password by directly accessing the files with a different application, such as Access.

mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database.

BackWeb client stores the username and password in cleartext for proxy authentication in the Communication registry key, which could allow other local users to gain privileges by reading the password.

RealSystem G2 server stores the administrator password in cleartext in a world-readable configuration file, which allows local users to gain privileges.

Hummingbird Exceed 6.0.1.0 inadvertently includes a DLL that was meant for development and testing, which logs user names and passwords in cleartext in the test.log file.

Excite for Web Servers (EWS) 1.1 allows local users to gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file and replaying the encrypted password in an HTTP request to AT-generated.cgi or AT-admin.cgi.

Excite for Web Servers (EWS) 1.1 records the first two characters of a plaintext password in the beginning of the encrypted password, which makes it easier for an attacker to guess passwords via a brute force or dictionary attack.