In fairness, this is because 1) password breaches are the lowest common denominator of hash function discussions in which developers participate, and 2) developers have it beat into their heads not to use e.g. MD5 for password storage, but they don't typically receive the same lectures (with the same vehemence) for things like MACs.
I don't really think this is much of an excuse. Fast collision-resistant hashes and password hashes are very basic crypto concepts. If you don't know that difference, it would be hard to pass even the most introductory course on cryptography. If you've literally no education on crypto except what you heard someone at work say once, you shouldn't feel qualified to correct crypto articles on Hacker News.
Ignorance isn't the problem. The problem is ignorance combined with confidence.
I think crypto is a field where one needs an unfortunately low amount of confidence (relatively speaking) to come across this way, because it's complex enough that the default position is extreme ignorance. That's why I try to be a bit more charitable - I don't think people are trying to come across as authorities on the subject, they just haven't had enough exposure. It's an unknown unknown. Better crypto education would help.
I've been thinking for some time now about the state of cryptography education for non-experts, and what I've noticed over the years is we push a lot of digestible soundbites ("Don't use MD5, don't roll your own, use encrypt-then-mac", etc) without significant explanations. Sometimes there is an accessible explanation for these things that's appropriate for a message board comment, sometimes there isn't, and this advice is necessarily separated from a larger corpus of material due to the medium.
If telling developers what not to do over and over again in order to dissuade them from shooting themselves in the foot has made them more secure overall, this is a good thing. But I do think it comes at the cost of not encouraging real understanding of why not to do these things. You're right that they shouldn't take specific positions without that understanding, but I think it can be hard for them to know they don't have it due to the culture.
Since you guys appear to be familiar with crypto, can you recommend some book/article/blog that give a good intro, to the level of explaining the difference between the two concepts above? Many thanks in advance.
