
Why aren’t big companies implementing best practices to protect user’s data? - PabloR
Why aren’t the big companies hosting millions of users using the best practices and tools available to protect user’s data like passwords, emails, etc?<p>It seems that modern hashing techniques like bcrypt and salting are not being implemented.<p>Is it because of the cost or hassle? Is it laziness, ill advice, lack of care for customers safety or poor management decisions? Or is it something else?
======
davismwfl
I have consulted at a lot of firms. From small to enterprise, most I have been
at lacked adequate security and many violated the simplest of standard
security procedures. I would run into policies about how they didn't want a
developer having access to a production server, yet passwords were stored in
plain text, servers went un-patched and there was little to no intrusion
security protection. Hell, I found developers at more then one place, hacking
into their own production servers to "fix" critical issues after hours with
management being fully aware of it and turning a blind eye. Hey dumb ass, if
your own developer can do it so can others.

At one mid-sized firm, they had personal data on millions of consumers, yet
every password issued to clients and staff was defaulted to the same one and
no user was ever forced to change it. Passwords were stored in plain text as
well, and on a number of occasions I saw internal and external people log into
the platform as another user to see the data they shouldn't be able to.

The answers I have heard consistently as to why not fix it; it isn't a
priority, too many things "might" break, there is no revenue in fixing it, no
one cares about us enough to hack us. The last one always makes me laugh,
true, at most of these places no one had to care to hack them because hacking
would imply that it would require effort.

At least in my experience, most good developers care to implement security,
but are many times overruled because of either schedule or cost. I generally
don't give a breakout of security procedures or time estimates (about
security) simply to avoid bone headed decisions on removing security. However,
when someone else is paying the bills and I am being directed to do something,
I will raise the issue if I think it is wrong, document my objection and then
implement what I am told so I can get paid while I find a new client or place
to call home.

------
minimaxir
Big companies often have legacy systems which were architected before password
dumps were a regular occurance. You can't just implement strong password
hashes on those systems without causing issues or paying a large amount of
capital.

~~~
davismwfl
I agree you can't implement a strong password hash on some legacy systems and
that replacing them is capital intensive which may not even be possible in
some cases. However, that doesn't stop good security procedures to isolate
those systems, add layers in front of them and minimize the attack vectors.
Even the act of air gapping certain legacy systems is the right move, it at
least minimizes the attack vectors, and can keep costs reasonable.

So if the company cares about security there are ways to layer it in and
provide a robust solution (albeit not necessarily ideal), but many times they
just don't care enough to make it a priority.

