Comments
-
Don't even encrypt..
Hash.
Or double hash the salted hash of the peppered password. And don't use a broken hashing algorithm
@linuxxx how am I doing daddy?
-
@BambuSource Just use BCrypt with its built-in functions, it'll take care of the salt itself :)
-
These are the idiots that are responsible for data breaches. They want to believe they know better than the engineers, but they know sh*t.
-
Jifuna37407y @linuxxx Seriously? I didn't know that haha. I use bcrypt when I can with a generated salt.
-
Yes, please don't MD5 them. If people get a hold of that DB, they will be cracked in days instead of ... years, I think. Use bcrypt like linuxxx said.
-
vikaskr13617y Take this in writing. So when any data breach happens in the future and they call to blame you, you can show the written document.
-
hjk10157317y Never suggest plain text storage, just say you store it securely unaltered; muggles won't know the difference. And when using PHP just use the password_hash and password_verify functions (hard to implement that wrong, and it uses bcrypt at the moment and will be improved over time automatically)
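
The PHP functions named in the comment above, shown as an added example that is not part of the thread: a login that verifies with `password_verify` and uses `password_needs_rehash` to upgrade stored hashes as settings improve. The in-memory `$users` array, the `register`/`login` helpers, the account and the cost values are constructed for illustration, and the `cost` option assumes `PASSWORD_DEFAULT` is still bcrypt.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users" table for the demo: username => stored hash.
$users = [];

function register(array &$users, string $name, string $password, array $options = []): void
{
    // password_hash() generates a random salt and embeds it, together with
    // the algorithm and cost, in the returned string. No separate salt column.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
}

function login(array &$users, string $name, string $password, array $options = []): bool
{
    $hash = $users[$name] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // The plaintext is only available at login, so this is the point where a
    // hash made with an older algorithm or a lower cost can be replaced.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

// Account created under an older, cheaper setting (constructed values).
// 'cost' is a bcrypt option; this assumes PASSWORD_DEFAULT is bcrypt.
register($users, 'alice', 'correct horse battery staple', ['cost' => 10]);
$old = $users['alice'];

// Hash the same password again with the same settings and compare the two
// strings: the embedded random salt is what makes them differ.
$again = password_hash('correct horse battery staple', PASSWORD_DEFAULT, ['cost' => 10]);
var_dump($old === $again);

// The site has since raised its cost setting to 12.
$current = ['cost' => 12];
var_dump(login($users, 'alice', 'wrong password', $current));
var_dump(login($users, 'alice', 'correct horse battery staple', $current));

// After the successful login the stored hash has been replaced; inspect
// the parameters embedded in the new one.
var_dump($users['alice'] !== $old);
var_dump(password_get_info($users['alice'])['options']);
```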
-
elazar10307y As some wise guy said, the passwords are not yours to store. You shouldn't do this even if your boss tells you to.
In a meeting after I explained that the user passwords will be encrypted before we save them in the database
Them: "Please don't do that, we don't want to change our clients' data"
Me: "So we should save the clear text?"
Them: "Yes"