by cremp 2908 days ago
I don't think it is about compliance or security at all; just developers that aren't competent.

> 2.6 million plaintext passwords

Anyone who is actually competent knows hashing at a minimum; and it costs nothing to implement, both time- and money-wise.

All of this, because Johnny over here read a tutorial on how to make your own app.

The downside of development is that you do get these people who 'stain' the title, because they just read it and followed blindly instead of actually learning.


I joined a company as a junior developer. Their senior developers did not see a problem with unsalted MD5 passwords. When I told them how unfathomable it was to think that was secure, they argued that there was a much larger problem if the database was breached. Not even a day later a company like ours was hacked in Canada and they went into bankruptcy because of it. I was called on a Saturday and asked how fast we could implement it. It took one hour to implement the new hashing and have a conversion strategy for the old MD5. The entire system is now upgraded to sha5 hashes with csprng salts.

A few weeks ago I found out a newer hire (at senior level) decided to build his own auth system, because the current one "doesn't work". It doesn't work because it doesn't allow our employees to handle customer passwords. Even with high turnover, some people don't understand why that is essential.

When simplicity fights security in a corporate setting, simplicity nearly always wins. The exception is when an executive is security savvy and isn't a pushover to their peers.
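The conversion the commenter above describes, a salted slow hash for new records plus a migration path for rows that still hold unsalted MD5, as an added example that is not code from the thread or from any commenter. The concrete choices are mine and not stated in the post: PBKDF2-HMAC-SHA-512 via `hashlib`, a 16-byte `os.urandom` salt, a fixed iteration count, dict records standing in for database rows, and the constructed password "hunter2" in the demo.

```python
"""
Added example (not from the thread): salted password hashing plus a two-step
migration for legacy unsalted MD5 rows.

Assumed parameters (the post gives none): PBKDF2-HMAC-SHA-512, 16-byte CSPRNG
salt, a fixed iteration count. Records are dicts standing in for DB rows.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16
NATIVE = "pbkdf2_sha512"
WRAPPED = "pbkdf2_sha512_over_md5"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", secret, salt, iterations)


def legacy_md5_record(password: str) -> dict:
    """What the old code stored: unsalted MD5 hex. Used here only to build fixtures."""
    return {"scheme": "md5", "hash": hashlib.md5(password.encode("utf-8")).hexdigest()}


def hash_password(password: str) -> dict:
    """Create a fresh record: per-user CSPRNG salt, slow keyed hash."""
    salt = os.urandom(SALT_BYTES)
    digest = _pbkdf2(password.encode("utf-8"), salt, ITERATIONS)
    return {"scheme": NATIVE, "iterations": ITERATIONS,
            "salt": _b64(salt), "hash": _b64(digest)}


def wrap_legacy_md5(record: dict) -> dict:
    """Step 1 (offline, no password needed): salt-and-stretch the stored MD5.

    The MD5 hex string becomes the *input* to the salted hash, so the
    crackable unsalted digest can be deleted from the database right away.
    """
    if record["scheme"] != "md5":
        raise ValueError("not a legacy md5 record")
    salt = os.urandom(SALT_BYTES)
    digest = _pbkdf2(record["hash"].encode("ascii"), salt, ITERATIONS)
    return {"scheme": WRAPPED, "iterations": ITERATIONS,
            "salt": _b64(salt), "hash": _b64(digest)}


def verify_password(password: str, record: dict) -> bool:
    """Constant-time check for every scheme still present in the database."""
    pw = password.encode("utf-8")
    scheme = record["scheme"]
    if scheme == "md5":                      # untouched legacy row
        candidate = hashlib.md5(pw).hexdigest().encode("ascii")
        return hmac.compare_digest(candidate, record["hash"].encode("ascii"))
    if scheme == NATIVE:
        secret = pw
    elif scheme == WRAPPED:                  # recompute the inner MD5 first
        secret = hashlib.md5(pw).hexdigest().encode("ascii")
    else:
        return False
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    return hmac.compare_digest(_pbkdf2(secret, salt, record["iterations"]), expected)


def login(password: str, record: dict) -> tuple:
    """Step 2 (at login): verify, and if the row is not native yet, return a
    rehashed row for the caller to store. Returns (ok, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if record["scheme"] != NATIVE:
        return True, hash_password(password)   # plaintext is in hand: rehash natively
    return True, record


if __name__ == "__main__":
    legacy = legacy_md5_record("hunter2")      # constructed old-style row
    wrapped = wrap_legacy_md5(legacy)          # batch job, MD5 column can be dropped
    ok, upgraded = login("hunter2", wrapped)   # next successful login finishes the move
    print(ok, upgraded["scheme"])              # True pbkdf2_sha512
```

The wrap step is what lets the unsalted MD5 column disappear the same day rather than waiting for every user to log in; the login step then retires the wrapped scheme one account at a time. `hmac.compare_digest` is used for every branch so a mismatch in any scheme takes the same time as a match.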

This is especially surprising because Firebase provides authentication APIs that do the right thing by default. This means devs are doing more work to get to a less secure solution.
Or treating it like any other database, and just using it because it's 'popular'. Those 'developers' who do that (use popular just because) are just the people who stain the title.
I think what Firebase provides has changed over time. These problematic instances may be legacy.

And the difficulty of setting up Firebase's auth may also have changed over time. Did they always have hosted user/password auth or did they rely on third party pre-Google?

I recently finished a boot camp. When I asked about security I was told "We really don't cover that."

I have had to figure it out myself. It isn't hard, just took some extra effort to look into.

For sure incompetence is at play here, but if these teams had compliance and security procedures in place then their incompetence would have been accounted for.
Realizing you need compliance and security procedures requires competence. The two of you are basically saying the same thing. There is no world where a company that can't get the most BASIC security practices right will realize they should have security procedures in place.