
Ask HN: Why do established companies continue to screw up password hashing? - whitepoplar
Today, it seems that even novice devs realize the importance of properly hashing and storing passwords. "Don't roll your own! MD5 hashes are baadddd! Just use bcrypt! Don't try to outsmart crypto professionals!" seems to be common wisdom. Why is it that very large companies continue to store passwords improperly (as evidenced by breaches)? How could a staff of so many competent people possibly fuck it up?
======
davismwfl
Simple. Legacy and hubris. Legacy in that some systems were engineered before
this was common wisdom. Also, the legacy systems become fragile over time and
both engineers and business execs become really nervous about making a large
change to legacy systems.

Hubris because many business level people (and some engineers) will not free
up the dollars and time to fix systems as they feel it is unnecessary and that
no one will get to the database.

Sadly, I did work for a team where the execs recognized we were right for
wanting to change the system but wouldn't free dollars up to do it. Worse, to
pass security audits they would show prototype systems that followed proper
security standards and looked like the primary system. Shady shit.
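The legacy argument above (nobody wants to touch the old password table) is weaker than it looks, because unsalted MD5 hashes can be upgraded without a password reset. This added example is not from the thread or any commenter; it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt so it runs with no third-party packages, and the iteration count and record layout are assumptions.

```python
# Added example: upgrading a legacy unsalted-MD5 password store to a modern KDF
# without forcing users to reset. PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune to your own latency budget


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def legacy_md5(password: str) -> str:
    """What the legacy system stored: unsalted MD5 hex (the 'baadddd' case)."""
    return hashlib.md5(password.encode()).hexdigest()


def wrap_legacy_hash(md5_hex: str) -> dict:
    """Step 1, run once over the whole table with no user involvement: treat the
    stored MD5 as the 'password' and run it through the KDF, so the raw unsalted
    MD5 no longer sits in the database if it leaks tomorrow."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-over-md5", "salt": salt, "hash": _kdf(md5_hex.encode(), salt)}


def hash_password(password: str) -> dict:
    """Target format for new accounts and for upgraded legacy accounts."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": _kdf(password.encode(), salt)}


def verify_and_upgrade(password: str, record: dict) -> tuple[bool, dict]:
    """Step 2, at login: verify against whichever scheme the record uses and, once
    the plaintext is known to be correct, replace a wrapped record with a direct
    KDF record. Returns (ok, record_to_store)."""
    if record["scheme"] == "pbkdf2-over-md5":
        secret = legacy_md5(password).encode()
    elif record["scheme"] == "pbkdf2":
        secret = password.encode()
    else:
        return False, record  # unknown scheme: never silently accept
    ok = hmac.compare_digest(_kdf(secret, record["salt"]), record["hash"])
    if ok and record["scheme"] != "pbkdf2":
        return True, hash_password(password)  # upgrade in place on first good login
    return ok, record
```

Wrapped records still inherit MD5's lack of a salt, so two users with the same legacy password share the same inner value; the per-record salt on the outer KDF hides that, and the upgrade on login removes it entirely.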

