Hacker News
by jordan801 2909 days ago
I joined a company as a junior developer. Their senior developers did not see a problem with unsalted MD5 passwords. When I told them how unfathomable it was to think that was secure, they argued that there was a much larger problem if the database was breached. Not even a day later a company like ours was hacked in Canada and they went into bankruptcy because of it. I was called on a Saturday and asked how fast we could implement it. It took one hour to implement the new hashing and have a conversion strategy for the old MD5. The entire system is now upgraded to sha5 hashes with CSPRNG salts.

A few weeks ago I found out a newer hire (at senior level) decided to build his own auth system, because the current one "doesn't work". It doesn't work because it doesn't allow our employees to handle customer passwords. Even with high turnover, some people don't understand why that is essential.

When simplicity fights security in a corporate setting, simplicity nearly always wins. The exception is when an executive is security savvy and isn't a pushover to their peers.
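The comment above mentions a one-hour migration off unsalted MD5 plus "a conversion strategy for the old MD5" but does not show it. The following is an added example, not the commenter's code and not any particular company's system. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for whatever salted scheme the commenter actually chose (an assumption), and shows the two conversion strategies a practitioner would combine: an offline batch job that wraps every existing MD5 digest in a salted hash immediately (so dormant accounts are no longer stored as raw MD5), and transparent re-hashing to the clean scheme on the user's next successful login. The storage format, the iteration count and the sample user rows are all constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumption; tune to your hardware).
ITERATIONS = 600_000
SCHEME_PLAIN = "pbkdf2_sha256"          # PBKDF2 over the plaintext password
SCHEME_WRAP = "pbkdf2_sha256_md5wrap"   # PBKDF2 over the legacy md5hex(password)


def legacy_md5(password: str) -> str:
    """The weak format being migrated away from: an unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _pbkdf2(secret: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def _encode(scheme: str, iterations: int, salt: bytes, dk: bytes) -> str:
    # Constructed storage format: scheme$iterations$salt_hex$dk_hex
    return "$".join([scheme, str(iterations), salt.hex(), dk.hex()])


def hash_password(password: str) -> str:
    """Hash a plaintext password with a fresh CSPRNG salt."""
    salt = os.urandom(16)
    return _encode(SCHEME_PLAIN, ITERATIONS, salt, _pbkdf2(password, salt, ITERATIONS))


def wrap_legacy_md5(md5_hex: str) -> str:
    """Offline upgrade of a stored MD5 digest without knowing the password.
    The digest itself becomes the secret fed to salted PBKDF2, so the table
    never holds a raw unsalted MD5 again, even for users who never log in."""
    salt = os.urandom(16)
    return _encode(SCHEME_WRAP, ITERATIONS, salt, _pbkdf2(md5_hex, salt, ITERATIONS))


def verify_password(password: str, stored: str) -> bool:
    """Verify against any of the three formats that can coexist during migration."""
    parts = stored.split("$")
    if len(parts) != 4:
        # No separators: a legacy raw MD5 row that the batch job has not reached yet.
        return hmac.compare_digest(legacy_md5(password), stored)
    scheme, iterations, salt_hex, dk_hex = parts
    salt = bytes.fromhex(salt_hex)
    if scheme == SCHEME_PLAIN:
        candidate = _pbkdf2(password, salt, int(iterations))
    elif scheme == SCHEME_WRAP:
        candidate = _pbkdf2(legacy_md5(password), salt, int(iterations))
    else:
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(stored: str) -> bool:
    """True for anything but the clean scheme at the current work factor."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != SCHEME_PLAIN or int(parts[1]) < ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Verify, then transparently re-hash to the clean scheme on success.
    `users` maps username -> stored hash; an in-memory stand-in for the DB."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)
    return True


def migrate_table(users: dict) -> int:
    """One-time batch job: wrap every remaining raw MD5 row. Returns rows changed."""
    changed = 0
    for name, stored in users.items():
        if "$" not in stored:
            users[name] = wrap_legacy_md5(stored)
            changed += 1
    return changed


def demo_users() -> dict:
    """Constructed sample rows: two legacy MD5 users, one already on the new scheme."""
    return {
        "alice": legacy_md5("correct horse battery staple"),
        "bob": legacy_md5("hunter2"),
        "carol": hash_password("s3cret!"),
    }


if __name__ == "__main__":
    table = demo_users()
    print("wrapped", migrate_table(table), "legacy rows")
    print("alice login:", login(table, "alice", "correct horse battery staple"))
    print("alice now on clean scheme:", not needs_rehash(table["alice"]))
```

Run the batch job first, so the window in which raw MD5 digests sit in the database closes in minutes rather than at the pace of user logins; rehash-on-login then retires the wrapped rows over time. The constant-time `hmac.compare_digest` comparisons matter for every branch, including the legacy one.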