The big problem is that developers who care are most likely already storing password securely, except for those who for some reasons have to battle various corporate rules. And those who don't care, most of them will not start caring because they have more pressing matters at hand than their company's security.
I don't think it's necessarily that clear cut - the big problem is the lack of knowledge that encryption isn't good enough. There are probably plenty of developers who do care, and aren't aware that the clever algorithm they're using with the key hard-coded in the source code may not be 'secure.' And of the set who know that hashing !== encryption, probably a lot of them (at least in PHP land) will be told to just use md5.
3 comments
[ 2.9 ms ] story [ 24.5 ms ] thread