by fhoxh 5479 days ago
It is one of your primary duties to safeguard the best interest of your organization. Incontrovertibly, the best interest is not served by storing passwords in plaintext as this can result in grave harm to your organization.

Accordingly, while I would not share any details with the outside world, I would advise you to strongly push the issue internally, from the position of an educator.

Here are four articles that may assist you in composing a stronger series of arguments:

https://www.owasp.org/index.php/Broken_Authentication_and_Se...

http://cwe.mitre.org/data/definitions/256.html

http://blog.moertel.com/articles/2006/12/15/never-store-pass...

http://marknelson.us/2011/02/06/gawker-considered-stupid-cri...

You will want to further notate that the effort of implementing non-plaintext authentication really isn't terribly significant.

What troubles me is this "most senior" programmer of yours. If storing passwords in plaintext is OK with him/her, meaning that he/she has a weak background in security engineering, I can't imagine that there aren't many additional severe security issues (SQL injection, XSS, CSRF, etc.). Most concerning of all though is that this "most senior" programmer seems disinterested in due diligence and is instead actively arguing against widely known best practices.

If, after your strong push, management still is not motivated, personally, I would resign. I would not want to be professionally affiliated with an organization and management that have a materially compromised decision-making process.

At some point in the future, your organization may be compromised, which may lead to people losing their jobs. You will not, in the future, want to be on the receiving end of questions like, "So the web application that you worked on stored passwords in _plaintext_???", "So how exactly was it that you were unable to present a compelling case to do something that is so blatantly obvious???"
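To illustrate the commenter's point that moving off plaintext is not much effort, here is a minimal salted, iterated password store next to the plaintext version it replaces. This is an added example, not code from the comment or from any of the linked articles; the PBKDF2 iteration count, the `algo$iterations$salt$digest` storage format and the in-memory dict standing in for a users table are all assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for a users table: username -> stored credential.
# In the plaintext scheme the value is the password itself; in the hashed
# scheme it is a self-describing string carrying algorithm, work factor and salt.

# --- Before: the scheme the comment argues against (kept only for contrast) ---
def plaintext_register(store: dict, username: str, password: str) -> None:
    store[username] = password          # anyone who can read the table has every password

def plaintext_login(store: dict, username: str, password: str) -> bool:
    return store.get(username) == password


# --- After: salted PBKDF2-HMAC-SHA256 with a stored, upgradable work factor ---
PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash costs ~100 ms on your hardware
SALT_BYTES = 16

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>' for storage."""
    salt = os.urandom(SALT_BYTES)       # fresh random salt per user: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iter_s, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False                    # malformed record: fail closed
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # no early-exit timing leak

def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record uses a weaker work factor than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations

def hashed_register(store: dict, username: str, password: str,
                    iterations: int = PBKDF2_ITERATIONS) -> None:
    store[username] = hash_password(password, iterations)

def hashed_login(store: dict, username: str, password: str,
                 iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Verify, and transparently upgrade the record if the work factor is stale."""
    stored = store.get(username)
    if stored is None:
        # Hash a dummy value so unknown users cost the same as known ones.
        verify_password(password, hash_password("", iterations))
        return False
    ok = verify_password(password, stored)
    if ok and needs_rehash(stored, iterations):
        store[username] = hash_password(password, iterations)
    return ok


if __name__ == "__main__":
    users: dict = {}
    hashed_register(users, "alice", "correct horse battery staple")
    print(users["alice"])                                   # salt and digest differ on every run
    print(hashed_login(users, "alice", "correct horse battery staple"))
    print(hashed_login(users, "alice", "wrong password"))
```

The whole migration is a handful of lines: hash on registration, verify on login, and let `needs_rehash` upgrade old records the next time a user logs in, which also gives a path for raising the iteration count later without a forced password reset.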