“Shouldn’t” and “won’t” are too very different words. There are plenty of shitty programmers out there, and they tend to band together. And now you have vibe coders on top.
Doesn’t even have to be legacy, some programmers are just completely unaware of the concept of security. I’ve seen services where the forgot password functionality would send your existing password back to you in plaintext.
“Shouldn’t” and “won’t” are too very different words. There are plenty of shitty programmers out there, and they tend to band together. And now you have vibe coders on top.
Based on the place (a supermarket rewards card), I’m assuming legacy code. But you’re right, the most likely answer is it’s shitty legacy code.
Doesn’t even have to be legacy, some programmers are just completely unaware of the concept of security. I’ve seen services where the forgot password functionality would send your existing password back to you in plaintext.