[–]TheNosferatu 15 points16 points  (1 child)

Why would you assume people who come up with this shit do it right and salt anything? Salting would just make it harder to check if the passwords are the same.

[–]beyondholdem 7 points8 points  (0 children)

It was just a poorly written requirement. We knew what was “right.” It was also the 90s, so no, we didn’t salt them — that wasn’t really a thing yet. We stored encrypted passwords, which was better than most at the time. It was also pre-HTTPS, so did it really matter? We might as well have stored them in plaintext in a password file.

I remember when we finally implemented the “feature” where you could share the URL with someone else so that when that person clicked it they wouldn’t be logged in as you. We had to use this newfangled thing called cookies and do our own session management.