by delichon 484 days ago
To be fair, security through denial, lies and intimidation is the industry standard.

Leaving the passwords in clear text is double plus ungood. But my employer recently bought another outfit that does just that, and fixing it is not a near term option. So I'm stuck managing that and three of my fingers are pointing back to me.

4 comments

Some powerful people subscribe to the idea that "if I (or the law) says don't touch it, it's secure". This attitude was on full display a little over three years ago in Missouri. https://missouriindependent.com/2021/10/14/missouri-governor...
That's a good one!

Reporter: "Hey, you dropped your wallet" Governor: "Thief!"

Missouri
fixed, thank you.
Technically speaking if there's nothing to break, it is unbreakable right? Also if you change the law about some crime, you don't have a crime anymore...
Dang this is real life. “We didn’t used to do it but..”
> my employer recently bought another outfit that does just that [leaves passwords in cleartext], and fixing it is not a near term option

Could you expand on why not? I can't think of a good reason why this isn't a relatively quick fix. What's the blocker?

It requires programming in a language specific to one little known db product, in an extremely brittle and spaghettified code base. There's exactly one person in the company who kinda knows how to do it, and they're unavailable for the foreseeable future on higher priorities. We don't have the money to throw at new hires or huge porting projects.

Imagine software that has been in production since the 80's, was written by a very inexperienced dev and has since been continually "organically" upgraded to handle any new promise that a nontechnical product manager feels is necessary to solve the immediate problem of an angry customer. It's a Jenga tower with a reset button.

> they're unavailable for the foreseeable future on higher priorities

Need I respond to that?

If you know the secret to getting a company to prioritize potential security problems that haven't yet emerged in forty years over meeting payroll, please share.
Why does it sound like you're defending the argument of:

I couldn't act ethically because I had to make money.

My paycheck depends on reconciling myself to it. Should I quit possibly my last job before retirement in a bleak job market to protest my manager's decision to protect her job and mine by putting revenue before protecting jane@doe.com's login from being stolen for the Nth time? Am I the bad guy?
(not op, just hypothesising)

> I can't think of a good reason why this isn't a quick fix.

What if there's some IoT product with no update mechanism and the access password to function is stored on all of them in plain text?

Possibly, but that's a very different scenario to a database of cleartext passwords (which is what I assumed was meant), as each device would have to be identified and compromised to access a password to a device which at that point is already compromised...