

Ask HN: How to argue coworker saying strong database encryption is unimportant? - aerovistae

I am no security specialist, and my knowledge of it is generally weak, but I looked into the subject enough to know best practices and what makes them the most secure, such as bcrypt, scrypt, and PBKDF2.

When I discovered my company was encrypting passwords with SHA2, I tried explaining how this was wrong and got talked down by a coworker arguing that this was unimportant compared to the importance of making sure nobody gets to the database in the first place. She was basically saying that that's much more important and if that's done right then having strong encryption isn't that vital.

Unfortunately I didn't know enough to counterargue and had to say 'okay,' which bothers me to this day (several months later).

Can anyone explain why she was wrong, or conversely why she was right?
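An added example, not from the original thread or the poster's company, showing the difference the question turns on using only Python's standard library: the unsalted SHA-256 scheme the post describes beside a salted, iterated PBKDF2-HMAC-SHA256 scheme, plus a rough per-core throughput measurement for each. Everything in it (the function names, the `algo$iterations$salt$hash` record layout, the sample password, the iteration constant) is this example's own assumption.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Work factor for PBKDF2-HMAC-SHA256. The iteration count is the knob that makes
# each guess expensive; 600,000 is the figure OWASP's password storage guidance
# currently gives for this construction. It is a parameter here so callers can
# lower it for tests or raise it later.
PBKDF2_ITERATIONS = 600_000


def store_sha256(password: str) -> str:
    """The scheme the post describes: one unsalted SHA-256 over the password.
    Fast, deterministic, and identical for every user who picked the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_sha256(password: str, stored: str) -> bool:
    return hmac.compare_digest(store_sha256(password), stored)


def store_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per record means two
    users with the same password get different stored values, and the iteration
    count makes each candidate guess cost `iterations` HMAC computations.
    Record layout (constructed for this example): algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute using the salt and iteration count carried in the record, so the
    work factor can be raised for new records without invalidating old ones."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def hashes_per_second(hash_fn: Callable[[str], str], seconds: float = 0.25) -> float:
    """Rough single-core throughput of a scheme. If the table ever leaks, this is
    the rate at which each record can be tested offline, so it is the number the
    'just keep them out of the database' argument has to survive."""
    count = 0
    start = time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"candidate-{count}")
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice, bob = "hunter2", "hunter2"
    print("sha256 rows identical:", store_sha256(alice) == store_sha256(bob))  # True
    print("pbkdf2 rows identical:", store_pbkdf2(alice) == store_pbkdf2(bob))  # False
    print(f"sha256: {hashes_per_second(store_sha256):,.0f} hashes/s per core")
    print(f"pbkdf2: {hashes_per_second(store_pbkdf2):,.0f} hashes/s per core")
```

PBKDF2 is used here only because it ships in `hashlib` with no extra dependency; bcrypt, scrypt (also in `hashlib.scrypt`) and Argon2 are the other options the post names, and all of them make the same two changes visible above: a per-record salt and a tunable cost per guess. The throughput comparison is the concrete form of the question: the hash choice does not keep anyone out of the database, it decides how much a copy of it is worth once the first layer has failed.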
======
HCDevid
Were you trying to persuade the coworker, or trying to persuade your boss with
your coworker being against?

~~~
aerovistae
I was just sort of noting this to a roomful of relevant engineers in the hopes
of gathering some support for strengthening encryption and got talked down by
one of them and nobody else cared enough to say anything.

