Ask HN: Why would you NOT hash your passwords? - jehna1

I find that many sites and organizations still, for some reason, don't hash their passwords.

For example, in this TED talk they were able to actually get all the passwords from a university to run their statistics program on:
http://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd

So why? Why on earth would anyone NOT hash their passwords?
======
leepowers
From a security perspective I can't think of a single reason to _not_ hash.

Not hashing is like not brushing your teeth. There's no immediate
repercussions but you're risking extreme pain and cost in the long run.

My guess as to why people don't hash is mostly in line with why people don't
brush their teeth:

* Laziness

* Lacking a culture of health

* Ignorance

Laziness probably comes mostly from the developer side. A developer makes the
wrong trade-off: faster launch today over long-term security. It's easier to
write a program that emails the plain-text password to a user than to create a
password-reset mechanism.

Lack of culture. An organization or a group of developers don't prioritize
issues of security and long-term sustainability. They are stuck in an eternal
day-to-day, short-term focus.

Ignorance. Management and decision makers that simply aren't aware of the
dangers of non-hashing. Brushing & flossing your teeth is actually a very
weird and non-natural behavior. Most kids need persistent years-long training
to develop the habit. Like brushing, if decision makers haven't been educated
about hashing they will probably only recognize the benefit after some
unpleasant disaster (database breach, e.g. teeth start rotting & falling out).
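The "password-reset mechanism" the comment above contrasts with e-mailing a plaintext password is small to build. The following is an added example, not code from the thread or any project it mentions: it issues a random single-use token, stores only a SHA-256 digest of it with an expiry, and redeems it once. The 15-minute window, the in-memory store and the user ids are assumptions for the demonstration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store for the example; a real service would persist it.
# Keyed by the SHA-256 digest of the token, never the token itself, so a leaked
# table of pending resets cannot be used to complete a reset.
_reset_tokens: Dict[str, dict] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


def _digest(token: str) -> str:
    """Digest used as the storage key; the plain token exists only in the e-mail link."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for user_id and return the value to e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_tokens[_digest(token)] = {"user": user_id, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is known and unexpired, consuming it; else None.

    pop() makes the token single-use: a second redemption, or a replay after the
    password has been changed, finds nothing.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_digest(token), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["user"]


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("redeem once:", redeem_reset_token(t))   # alice
    print("redeem again:", redeem_reset_token(t))  # None
```

Because only the digest is stored, the reset table holds nothing useful to a reader of the database, which is exactly the property the plaintext-password e-mail lacks.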

------
buttscicles
Ignorance is the only reason I can think of.

I recall reading that reddit originally didn't hash them because Steve Huffman
liked having his password emailed to him when he forgot, but I'm having
trouble finding a source for that. It was one of his own comments on reddit I
believe.

~~~
jehna1
Even I recall a client or product owner asking for similar requests.

But I wouldn't blame them. These are people that don't know anything about
security.

At least the person who should have enough dignity to say "this is so badly
wrong, I refuse to do it" should be the developer.

------
tlubinski
Okay, so I'm playing devil's advocate here:

One good reason is usability. Users are forgetting their passwords all the
time and as buttscicles pointed out it is for a lot of people much easier to
just get an email with their password instead of going through the whole
set-a-new-password flow. We actually tested that 8+ years ago and although I
don't recall the exact numbers, sending the password led to much higher login
rates than creating a new password. And I really mean _much_ higher.

Plus from a security perspective it's always better to secure the access to
the DB instead of trying to minimize the damage. And btw the still common
(unsalted) MD5 hashing of passwords is barely better than plain passwords.
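To make the last point concrete, here is an added example (not code from the thread) that stores the same constructed set of user passwords three ways: plaintext, unsalted MD5, and a per-user random salt with PBKDF2-HMAC-SHA256. The audit function reports how much of the stored table is shared between accounts: with unsalted MD5 every account that chose the same popular password has the identical stored value, so one recovered password opens all of them and one precomputed table serves every site using the scheme; with a salt the ratio drops to zero. The iteration count is an assumption for demonstration speed; a deployment would use a memory-hard KDF (scrypt or Argon2) or a far higher count.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional

# Assumption for the example: PBKDF2-HMAC-SHA256 with this count. Real deployments
# use a memory-hard KDF or a much larger count; this keeps the demo fast.
PBKDF2_ITERATIONS = 100_000


def store_plain(password: str) -> str:
    """Scheme 1: plaintext. Reading the table is reading the credentials."""
    return password


def store_md5(password: str) -> str:
    """Scheme 2: unsalted MD5. Equal passwords give equal digests across users and sites."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted_kdf(password: str, salt: Optional[bytes] = None) -> str:
    """Scheme 3: 16-byte random salt + slow KDF. Stored as iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_kdf(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_record_ratio(records: Iterable[str]) -> float:
    """Fraction of rows whose stored value is shared with at least one other row.

    For plaintext and unsalted hashes this is the share of accounts exposed the
    moment one popular password is recovered; for salted storage it is 0.
    """
    rows = list(records)
    counts = Counter(rows)
    shared = sum(c for c in counts.values() if c > 1)
    return shared / len(rows)


# Constructed sample: five users, three of whom picked the same popular password.
SAMPLE_PASSWORDS = ["password123", "password123", "hunter2", "password123", "correct horse"]

if __name__ == "__main__":
    for name, fn in [("plaintext", store_plain), ("md5", store_md5), ("salted kdf", store_salted_kdf)]:
        ratio = duplicate_record_ratio(fn(p) for p in SAMPLE_PASSWORDS)
        print(f"{name:11s} shared-row ratio: {ratio:.1f}")  # 0.6, 0.6, 0.0
```

The salt does not make the KDF slower or the password stronger; it only guarantees that each row must be attacked on its own and that no table computed elsewhere applies. The slow, iterated KDF is what raises the per-guess cost, which is the second thing unsalted MD5 lacks.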