The video attempts a "well, actually" perspective that dangerously downplays the risks of plain-text storage just to sound nuanced. It ignores the fact that once a system is breached, a text file turns a minor compromise into a total security catastrophe.
Deep Dive
How actually insecure is a passwords.txt?
The lighting is going to be a bit shittier for this video because uh it's kind of late at night. So, I've been thinking about this for a while and me and my friend were talking about this because he actually uh stores his passwords in plain text in text files in a folder on his desktop. And uh we were chatting about that and it's an interesting topic for me. I wanted to make a video on it because every time someone mentions, you know, storing your passwords in a text file, I've seen so many like even cybersecurity people and stuff acting like your computer is going to just instantly explode and every hacker on earth is going to own your identity and you're so [ __ ] right?
I think the reality is more nuanced than that. Um to be clear, though, I think before the security people, you know, go in my comments and start typing essays, I'm not saying storing your passwords in plain text files on your desktop is a good idea, right? I don't personally recommend it.
I think that um using proper password management is just so easy. It's so trivial these days that like you honestly just should be doing it.
There's very little reason not to. Um but I do think the actual risk gets misrepresented online quite a bit, right? So, here's the thing. Um a file sitting on your desktop, you know, called like passwords.txt or whatever is not inherently um exposed to the internet, right? Um random attackers can't just remotely your computer and steal your files, right? Just because a file exists um because that's not how computers It's not how security works. Um for somebody to actually get that file, they would have to um have meaningful access to the machine first, right? And this would mean uh executing malware or uh a remote access Trojan or some kind of info stealer, perhaps. Um supply chain attacks. So, if you're running actual legitimate software like Discord, for example, a lot of people run Discord that just sits in the background of their computer all the time and it auto updates. So, imagine uh their update servers get compromised and it downloads a malicious version of Discord that had like some malware in it, right?
Or physical access or some kind of remote code execution, right? Just something like that. Um then they would have meaningful access to the machine.
And this is where it gets interesting though because a lot of commodity malware, I would say, a lot of like the more typical low-hanging fruit malware that you see is actually designed around very specific targets, right? So, attackers automate what's very standard. Um so, most malware, if you look inside of it, there's just hard-coded paths, right? And typically what they're looking for is like passwords saved to your browser, crypto, you know, uh keys or whatever.
Um they're looking for very specific things. Uh Discord accounts, Minecraft accounts, whatever. And, you know, any commodity malware that's hard-coding these paths isn't going to be looking for passwords.txt on the desktop.
Most of the time they don't have those paths, you know, hard-coded in, right?
So, instead of digging through your documents folder, you know, randomly and manually, a lot of attackers are targeting these specific things, you know, um session tokens, VPN configurations, SSH keys, whatever, right? Um and that's because they're predictable. They're almost always stored in the same locations and they're massively scalable. And that's what a lot of commodity malware is about, it's scale.
Um you're just trying to steal things at scale because um getting one account, one person's passwords and credentials and stuff isn't very useful. But if you get it at scale and you get a lot of these accounts, you farm a lot of these and you can actually do useful things with them, malicious useful. When I say useful, I mean maliciously. Um you know, like a lot of malware campaigns, you know, just I'm sure you've seen it before where if your friend's Discord account gets hacked and then they start posting that Elon Musk sent them $40,000 or whatever. Um, and this is very efficient for attackers, right? So, in that sense, a random text file somewhere on your system is actually less ideal for automated theft than a browser password database, right? Um the password database of like your typical web browser.
So, um there's an important caveat though and it's that modern malware is getting a lot more aggressive about um broad harvesting.
And a lot of newer info stealers that are going out there don't just target specific files anymore. They're getting more advanced. They're recursively searching user directories. They're searching for keywords, right? Like wallet or seed or password, right? And so naming your file passwords.txt is basically putting a giant glowing sign on it, right? But once malware is actively running on your system, I feel like you have bigger fish to fry, right?
I feel like you have bigger problems than your passwords.txt getting stolen.
I feel like you got you know, more worries than that. So, really you know, because at that point attackers are already going to have um auto fill data, key logs, clipboard data, OAuth tokens. They're going to have your cookies, um session tokens, right? And ironically, session theft is even more dangerous than password theft because it completely bypasses multi-factor authentication. So, a lot of attackers are often looking for that instead of just passwords because if you know, even with passwords, if you have two factor authentication, then it's kind of useless. So, um that's that's something that not many people realize, you know? And technically, yes, you know, if you have a Windows Pro or above, you know, not Windows Home, but any of the other versions. If you right-click a file and select properties, then you can actually click like encrypt this content to secure its data or whatever.
And if you encrypt the file, this does help in some scenarios, but you see the thing is um Windows has a thing called EFS, and it's called encrypted encrypting file system, I think is what it's called.
Um and this is useful, but it mainly protects against offline access, right?
So, um stolen hard drives, uh if someone's booting up a Linux system on your machine and trying to like dig into your Windows files or raw disk extraction, something like that, right?
Um it doesn't save you from malware that's already running on your user account. So, it's it's a more specific scenario that it's protecting against.
And uh this is because Windows decrypts all your files um for your active session, right?
So, if malware is already executing as you, it can just read the file normally anyways. Um and this is where most people confuse EFS with BitLocker, by the way. So, BitLocker encrypts the whole hard drive, and then EFS encrypts individual files. Uh um both are great for offline protection, but neither magically protects you from an active compromise either, right? So, my overall position with this all is that a plain text password file is not instant doom, right? But the internet exaggerates how directly exposed it is.
Um it still removes security layers, though, that are for basically no reason, right? Um especially nowadays. Modern password managers are super easy. Um you know, Proton Pass, BitLocker, you name it.
KeePassXC.
I could keep going on.
Um, and they encrypt everything, they auto lock, they clear your clipboard automatically, they generate unique passwords. A lot of them sync to your phone automatically, you know, the ones that are cloud connected and stuff.
You may have to pay money for those fancier ones. I think Proton Pass is free, though.
Um and honestly, this is just such a convenient option now. Honestly, more convenient than a passwords.txt, right?
Cuz if it has, you know, cloud syncing like that between your devices, and a lot of these come with automatic, you know, uh form filling out, where it automatically fills out your password for you, so you don't even need to type your passwords and stuff, right? Like at that point, why not just use a password manager? It's kind of just dumber at that point, right? To just use a plain passwords.txt.
And they improve your security significantly. So at that point, the more secure option's just a more convenient option, you know?
Um so at this point, using passwords.txt is less catastrophically insecure, but it's more just outdated, right? And uh one final hot take before I end this video, I'm just going to say it. Uh a plain text file containing strong, unique passwords is probably still safer than someone reusing the same password across 30 websites.
Um bad password habits are often worse than bad password storage, I think. Um so if you're using the same password across like 30 different services, then um easily if one account gets compromised, then all of your accounts are compromised, right? There's a lot of automated attacker tools out there where if I know the email address and I know the password, it'll just automatically try that email-password combination across like every major service.
Um my friend actually, the other day, accidentally ran an infostealer, and I was helping him with it, but within the span of like 30 minutes, like 10 different of his accounts all got logged into automatically and like all got, you know, attacked. Um so it's like it's very easy for an attacker to just try that same combo everywhere. So having uh unique passwords, I would say, is actually more important than the password storage itself.
Uh, but I, you know, this is kind of just a long yap. We've been going on about 9 minutes here.
It was just an interesting conversation that I wanted to, you know, just kind of yap about, I suppose.
Um, overall conclusion is just that I really don't think passwords.txt is actually all that insecure, but it's still just kind of stupid compared to modern options. Um, because it is less secure and less convenient than just a password manager. Overall conclusion of the video, use a password manager.
That's about it.