"What does salting and bcrypting buy in way of protection?"
Information leaks are common: a backup tape gets FedExed to the wrong address, file sharing gets accidentally turned on, a Russian hacker finds a security hole in your machine while scanning millions of machines, some idiot puts the password database on a laptop and loses it. These sorts of problems are constantly making the headlines.
If you have bcrypt-style password encryption, such leaks are a nuisance and embarrassment.
If you do not have password encryption, the leak recipient can easily impersonate any and all users. They can control your system, create false communication, cause industrial equipment to destroy itself, send harassing messages, conduct financial fraud, and so forth.
The cost to use password encryption is a little engineering labor; the return on investment is a substantial reduction in risk.
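An added example (not from this thread) of what salting plus a deliberately slow hash buys when a credential table leaks. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for bcrypt's per-user salt and cost factor; the user table is constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credential store: two users happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}


def fast_unsalted_hash(password: str) -> str:
    """What a leaked table holds without salting: one plain SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = 200_000) -> str:
    """Stand-in for bcrypt: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The iteration count plays the role of bcrypt's cost factor."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_password_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Users whose stored values are identical: on an unsalted table a leak
    recipient reads password reuse straight off the file, with no cracking."""
    groups: Dict[str, List[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_tables():
    """Return (unsalted table, salted table) for the constructed user set."""
    unsalted = {u: fast_unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: slow_salted_hash(p) for u, p in USERS.items()}
    return unsalted, salted
```

With the unsalted table, alice and bob are visibly linked and one precomputed lookup cracks both; with the salted table every entry is distinct and each guess costs a full KDF run per user.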
I've got no question with your first point -- leaks happen. Elements of our hosting environment, regardless of that environment, mean we have lapses in control, whether it's on-site office cabinets, hosted colo, or cloud provider.
Our backups management is pretty solid, with backups encrypted, and even DB systems using on-disk at-rest encryption via an ecryptfs tool.
You did raise the valid point of sensitivity of identity data among some of our clients. While the general case is that PII (personally identifying information) disclosures would largely be embarrassing but not harmful, there are cases in which harm, or even life-threatening risks could arise.
I'm leaning to your conclusion but I'm looking to be able to quantify that more robustly.
And as I noted in my original question: if we were getting pressure from our clients on this, the case would be far easier to make. Market rules.
The trouble with defense in depth is that you have to admit your existing defenses may be inadequate. I can see how that could be politically difficult in a large organization.
Even for a less-than-large organization, there are issues.
One is the perceived fear of looking incompetent in front of your users/clients. For which I feel the appropriate response is "we'll look a lot more competent if we mitigate the risks of such an event than if we don't, regardless of whether or not it happens".
But really, the big one is simply: can you justify the engineering/product cost of this change on the basis of a material business benefit to us and our clients?