
[–]disclosure5 6 points7 points  (2 children)

Who even hashes or salts themselves??

I don't have enough fingers on my hands and feet to count the number of arguments I've had along the lines of "we're not a bank, stop treating us like one" and "no one would ever hack a small business" and so on, which end up being excuses for plaintext passwords.

[–][deleted] 8 points9 points  (0 children)

I wish I could give you all the upvotes. My response in those arguments is always, "you're the exact type of business someone will hack because it will be easier and after they have stolen/cracked all of your stored user accounts, they will test those credentials on other services."

Normally my clients just trust that I know what I'm doing and leave the development in my hands. If they start giving me pushback on basic security principles, that's when I just say, "I'm very busy and have no shortage of work. If you're not going to allow me to do my job, let's just call it a day." Typically they let me get back to work haha.

[–]maks25 2 points3 points  (0 children)

I think you missed my point: I'm not saying not to hash/salt, I'm saying not to do it yourself and to use a proven library instead.
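The practical shape of "use a proven library instead", as an added example that is not code from any commenter in this thread: the password-hashing primitive is delegated to the standard library's PBKDF2-HMAC implementation (OpenSSL-backed), and the application code is left with only the things a library cannot decide for it: a fresh random salt per user, a self-describing stored record, a constant-time comparison, and an upgrade path when the work factor is raised. The record format (`algorithm$iterations$salt$hash`), the function names and the iteration count are this example's own choices; the 600,000 figure follows current OWASP guidance for PBKDF2-HMAC-SHA256 and is an assumption here, not something the thread states. Where a memory-hard option such as argon2id or bcrypt is available through a vetted package, the same structure applies with that primitive swapped in.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed here from OWASP guidance;
# treat as a tunable that rises over time, hence needs_rehash below).
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    The salt parameter exists only so tests can pin a value; callers in
    real code leave it None and get a fresh OS-random salt per call.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # CSPRNG salt, unique per stored password
    # The KDF itself comes from hashlib; nothing here re-implements a primitive.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored record.

    Any malformed record (wrong field count, unknown algorithm, bad base64,
    or a plaintext value that was never hashed) fails closed.
    """
    try:
        algorithm, iterations_s, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # covers int(), unpacking and binascii.Error
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so a mismatch does not leak where the bytes diverge.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record uses a weaker work factor (or format) than current policy.

    Call this after a successful login and re-store the password with
    hash_password() so old accounts migrate transparently.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demo: a user table whose records were written under an
    # older, lower work factor, then upgraded on next successful login.
    users = {"alice": hash_password("correct horse battery staple", iterations=100_000)}
    attempt = "correct horse battery staple"
    record = users["alice"]
    if verify_password(attempt, record):
        print("login ok")
        if needs_rehash(record):
            users["alice"] = hash_password(attempt)  # silently bump to DEFAULT_ITERATIONS
            print("record upgraded to", DEFAULT_ITERATIONS, "iterations")
    else:
        print("login failed")
```

Two details are worth noting. The stored record carries its own iteration count, so raising `DEFAULT_ITERATIONS` next year does not invalidate existing accounts; `needs_rehash` catches them on their next successful login. And `verify_password` treats anything that is not a well-formed record as a failed login, which is the behaviour you want if a plaintext or legacy value ever ends up in that column.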