The model knows what a password column should look like. It also knows what bcrypt is. What it does not do, unless you ask, is wire the second thing into the first. So you end up with a users table that works — and a password column that reads like a phone book.
Cryptographic failures cover everything from storing passwords in plaintext to signing JWTs with 'secret' to leaving TLS off on an internal hop. The common thread is that something sensitive is sitting somewhere it should not be, in a form anyone who gets their hands on it can read. It is rarely about picking the wrong cipher — it is about not picking one at all.
What your AI actually built
You asked for user signup and login. The model gave you a clean auth flow: form, API route, database insert, session cookie. Every step looks right when you test it as yourself.
What you did not notice is that the password hit the database exactly as the user typed it. No hash, no salt, no pepper. The signing secret for your JWTs is the literal string 'secret' sitting in an env file that was committed last Tuesday.
Everywhere else, the pattern repeats. API keys stored in plain columns. Password reset tokens generated with Math.random. TLS terminated at the load balancer and then cheerfully proxied over HTTP inside the VPC. Each one looks fine on its own. Together they are a single compromised backup away from a headline.
How it gets exploited
An old database backup ends up on a misconfigured S3 bucket. The attacker does not need to exploit anything — they just list the bucket.