“Shouldn’t” and “won’t” are too very different words. There are plenty of shitty programmers out there, and they tend to band together. And now you have vibe coders on top.
Doesn’t even have to be legacy, some programmers are just completely unaware of the concept of security. I’ve seen services where the forgot password functionality would send your existing password back to you in plaintext.
I considered database stuff, but my password shouldn’t go anywhere near the database!
If they are storing it as plain text in this day and age, then there is no hope for the human race 🤦
“Shouldn’t” and “won’t” are too very different words. There are plenty of shitty programmers out there, and they tend to band together. And now you have vibe coders on top.
Based on the place (a supermarket rewards card), I’m assuming legacy code. But you’re right, the most likely answer is it’s shitty legacy code.
Doesn’t even have to be legacy, some programmers are just completely unaware of the concept of security. I’ve seen services where the forgot password functionality would send your existing password back to you in plaintext.