Hacker News
by revetkn 5997 days ago
"For every 1 day estimates of a task, there’s a simpler version of that you can do in 3 hours, and an even simpler still you can do in 30 minutes. Back yourself into a corner and these versions will vividly appear before your eye. You can always do less."

I wonder if this was the reasoning behind 37s' storing passwords in plaintext instead of taking an extra 10 minutes to write the code to encrypt them?

3 comments

Ouch! That's going to leave a mark!
Touché.
Evidence?
This is from May, and 37signals just made a fairly large change to their authentication system (I think it's called Launchpad). Their password recovery system now works differently than described in this post, so I doubt they're still storing them plaintext (thank goodness).
Yeah, it may work differently now, but I think the point still holds. I understand that engineering's all about tradeoffs and being practical with your time, but things like plaintext passwords are unacceptable (IMHO) in even the first cut of a production system, let alone an established one with a large userbase.
Yeah, however the point stands that it proves they are willing to act this way about things that are too important to treat said way.

Goes to show even good advice can be taken too far.

As I understand it they changed how they did things in response to the linked blog post.