by developer2 3266 days ago
One reason: you'd be surprised how many companies allow entering the hash as an alternative password to log in to customers' accounts in production. Lazy method for customer support teams who don't have support tools to access customer information. Also frequently done to allow developers to debug problems on a customer's account when a bug cannot be reproduced elsewhere.

If such a company's database of hashed passwords is leaked, then an attacker doesn't even have to crack the hashes - the hash itself is a valid version of the password. Yet I've seen this behavior at multiple companies; only one of them pushed back against my request to remove that "feature", and I didn't stay with them much longer after that.


What would it take to get you to name and shame? That whistle pretty likely needs to be blown on the one that didn't agree to abandon such a policy.
Small private company, nobody's ever heard of it. There are a lot of shady ones out there.
Agree. MANY small development shops will build these kinds of backdoors into systems because they don't have the skill or the resources to build proper customer support features.
Remember "Chuck Norris"...
Microsoft Windows does this. NT hashes are password equivalent:

https://en.wikipedia.org/wiki/Pass_the_hash

I... have no words. Effectively clear-text password storage. That should be criminal by now.
I wonder about using HMAC with a secret key that can be changed for things like this.
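The pattern the top post describes (a login path that accepts the stored hash itself as a password) and the keyed-hash idea in the comment above, side by side, as an added example. This is illustrative code, not code from any company or product mentioned in the thread; the user record, salt, pepper value and wordlist are all constructed, and PBKDF2 stands in for whatever slow hash a real deployment would use.

```python
"""Hash-as-password 'support backdoor' vs. a fixed verifier, plus a keyed (peppered) hash.

Added example; not code from any company in the thread. The sample user
record, salt, pepper and wordlist are constructed for illustration only.
"""
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor (illustrative; tune for production)


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user record, as it might sit in a leaked database dump.
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PASSWORD = "correct horse battery staple"
STORED = slow_hash(PASSWORD, SALT)  # what the database row holds


def verify_backdoored(supplied: str) -> bool:
    """The 'feature' from the thread: the stored hash is accepted as an
    alternative password, so a leaked row is a working credential with no cracking."""
    if supplied == STORED.hex():
        return True
    return hmac.compare_digest(slow_hash(supplied, SALT), STORED)


def verify_fixed(supplied: str) -> bool:
    """Only the real password verifies; the stored value is a verifier, not a credential."""
    return hmac.compare_digest(slow_hash(supplied, SALT), STORED)


# --- keyed hash (the HMAC-with-a-secret-key idea from the comment above) ---
# The pepper is kept outside the database (KMS/HSM/config), so a DB-only leak
# does not even let an attacker test guesses offline.
PEPPER = bytes.fromhex("deadbeefcafef00d0123456789abcdef")  # constructed; never stored with the rows


def peppered_hash(password: str, salt: bytes, pepper: bytes) -> bytes:
    """HMAC the slow hash under the server-side pepper."""
    return hmac.new(pepper, slow_hash(password, salt), "sha256").digest()


STORED_PEPPERED = peppered_hash(PASSWORD, SALT, PEPPER)


def verify_peppered(supplied: str, pepper: bytes) -> bool:
    return hmac.compare_digest(peppered_hash(supplied, SALT, pepper), STORED_PEPPERED)


def offline_crack(candidates, stored: bytes, salt: bytes, pepper=None):
    """What an attacker holding the dump (and the pepper, if given) can do with a wordlist."""
    for guess in candidates:
        h = slow_hash(guess, salt) if pepper is None else peppered_hash(guess, salt, pepper)
        if hmac.compare_digest(h, stored):
            return guess
    return None


if __name__ == "__main__":
    wordlist = ["password", "letmein", PASSWORD]  # constructed wordlist
    print("backdoored login accepts leaked hash:", verify_backdoored(STORED.hex()))
    print("fixed login accepts leaked hash:     ", verify_fixed(STORED.hex()))
    print("unpeppered dump cracks to:           ", offline_crack(wordlist, STORED, SALT))
    print("peppered dump without pepper:        ", offline_crack(wordlist, STORED_PEPPERED, SALT))
    print("peppered dump with pepper:           ", offline_crack(wordlist, STORED_PEPPERED, SALT, PEPPER))
```

The pepper does not remove the backdoor by itself: if the login path still accepts the stored value as a password, a leaked row is still a credential whether or not it was HMACed. What the key buys is that a database-only leak cannot be cracked offline without also stealing the key, and the key can be rotated on its own schedule if the pepper is applied to a value the server can re-derive.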
Even some software does that. You can connect to a SAS server using your hashed password, which is stored in an XML config file on your computer when using EG.