Matthew R recently took a team-lead position and was tasked with improving the quality of the company's application. He started with security, specifically the fact that user passwords were stored in plain text. "But it's easier this way," the developer complained when Matthew suggested changing it, "plus, it's relatively easy to break modern encryption."


Matthew insisted on the change, and pointed the developer to a few resources on passwords that discussed hashing, salting, and password retrieval, and the developer begrudgingly made the change. When Matthew went to review the code, this is what he found.

custom_step(crypt(md5(sha1(sha2(mcrypt_cbc($password))))+stream_filter_append($rand,$seed,STREAM_FILTER_WRITE, $opts))+"123", $seed);

"I wanted to make it bullet-proof," he explained. At least it was progress. Now if only ' OR ''=' didn't work as the global log-in name.