Writing good security software is difficult, but that doesn't stop places who really shouldn't be doing it from trying and succeeding in a business sense. https://thycotic.com/products/secret-server/ passes JSON in URLs, and we're not even talking base64 here. Also, it's called "thycotic" like you're holding your tongue and saying "psychotic". There are more problems that I won't go into.