Hacker News

I recently used a website to sign up for online health insurance access and noticed they console.log your password back to you in clear text whenever you hit submit. Now maybe 99% of the population won't know what to do with that, but despite the fact that someone's debug log for passwords made it into production which tells me all I need to know about their standards, what if they are using something like rollbar, fullstory, or god knows what else that captures log output? What about malicious browser extensions? I called their technical support helpline, and I got the typical joke of an "oh that's not my department" response. Imagine what they are doing with our healthcare data.

