Well, this plays into what we keep talking about with any cloud or internet service: time and money. You see, to change the password hashing algorithm for all users, a company would have to do quite a bit. It is not as simple as buying the new software, installing it, and being done. Having gone through the process of changing the encryption software used for a forum once (over 40,000 members), I can very vividly remember the time it took and what we had to do with the user accounts to ensure that their accounts switched over to the new hash (mostly it involved going through and deauthorizing accounts so that when they logged back in they were transferred over to the new hash). Although there were steps taken to automate things, it was not a smooth transition, and we had multiple, multiple emails and messages asking for help… Like we said, it was expensive in terms of licensing and time spent helping out users with issues.
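The login-time transfer described above, as an added example (not code from the forum software or from md5crypt). The legacy scheme here is a salted-MD5 stand-in rather than real md5crypt, and PBKDF2-HMAC-SHA256, the iteration count, the record format and the account names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune per hardware

def legacy_hash(password, salt):
    # Stand-in for the old scheme (NOT real md5crypt): one salted MD5 pass.
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"legacy${salt.hex()}${digest}"

def new_hash(password, salt=None, iterations=ITERATIONS):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    # The scheme prefix tells us which algorithm produced the stored record.
    try:
        scheme, *parts = stored.split("$")
        if scheme == "legacy":
            expected = legacy_hash(password, bytes.fromhex(parts[0]))
        elif scheme == "pbkdf2":
            expected = new_hash(password, bytes.fromhex(parts[1]), int(parts[0]))
        else:
            return False
    except (IndexError, ValueError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(expected, stored)

def login(users, name, password):
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        # Only a successful login gives us the plaintext needed to re-hash.
        users[name] = new_hash(password)
    return True

def pending_migration(users):
    # Accounts still on the old hash: nobody has logged in since the switch.
    return sorted(n for n, h in users.items() if not h.startswith("pbkdf2$"))

def demo_users():
    # Constructed sample accounts, stored under the legacy scheme.
    return {"alice": legacy_hash("correct horse", b"\x01" * 8),
            "bob": legacy_hash("hunter2", b"\x02" * 8)}
```

Accounts that never log in again stay listed by `pending_migration`, which is the part of the switch that automation alone cannot finish.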
Now think about some of the online services out there that have more than 6 MILLION members they would have to deal with, and you get the idea. It is an expensive proposition. This does not excuse them for staying with a known insecure platform, but it is the reason that most companies do not move until they have an actual breach. As long as things are fine, there is no reason to spend the money required to do the job. (I had to deal with that mentality over outdated servers very often.)
So, to help with this, the author of md5crypt() has publicly come out and warned against its continued use. I would guess that he feels that if people are aware of this issue, it might force some companies to change now, before they start losing users over a potential security problem. This is unlikely to work, but it is still a nice effort on his part. There is no such thing as unbreakable encryption; all algorithms and encryption formats become outdated. It is the responsibility of the companies that hold our data to ensure that they are using best practices (and updating those on a continual basis), or we will continue to see things like this happen.
Unfortunately, bad practices are all rolled up with keeping costs down whenever it comes to services. This is simply what you get when you sign up for “free” and inexpensive cloud-based services.