
I think that, often, there's confusion between someone's position and their interest.[0] It's easy to think that if they asked for "MD5", they must want "MD5", right?

An easy illustration of this is someone with a runny nose asking you for a "Kleenex". You have tissues of another brand, so you tell them you don't have a Kleenex. This is being an asshole who hasn't done any Physics but watches too much Big Bang Theory and wants to be "like logical/analytic". That kind of stuff is only cool when Paul Dirac does it, whom the asshole knows nothing of. Of course we laugh because "nobody" would act like that.

"MD5" is "Kleenex". The runny nose is their concern for security. "Tissue" is "something to clean that runny nose... or shine their shoes". They might want the tissue to do something other than clean their nose, because they have a handkerchief for that... So our assumption that they want to use it to clear their nose is wrong.

If their only options are "no password-hashing" and "that crypto thingy, what was it? DM5, MD5 or something?", choosing MD5 is actually a sane decision and request.

The underlying interest here is "security", communicated with a request for "MD5" (position) which makes them seem clueless to someone with a broader view and who must, in my opinion, recognize their request for what it is.

One could ask for the specific reason they chose MD5 and not something else. They may be unaware of other options, or give constraints they were trying to satisfy with that choice.

Someone who says the site must be in PHP might mean they want a "dynamic site". Someone who specifies "Bootstrap" might mean "responsive", etc.

We clear assumptions by asking questions, and noses by blowing them.

[0]: http://web.mit.edu/negotiation/www/NBivsp.html



Exactly. To me a senior consultant should be able to spot the obvious error and then focus on trying to understand what the customer needs and move the solution to something that meets the intent.

If it is confidentiality the customer needs, provide good solutions to that. But check if confidentiality is really the thing needed. Quite probably, authentication and integrity protection is what is really needed. So AES in CTR mode might not be what the customer should want instead of MD5, but possibly AES-GCM, AES-CMAC or even an Ed25519 signature mechanism using a public key.
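The distinction the comment above draws, between a bare digest and actual integrity protection, is easy to show in code. The following is an added example, not code from either commenter: it assumes the customer's "MD5" would have become an unkeyed checksum sent alongside the message, and it uses HMAC-SHA256 from the Python standard library as a stand-in for the keyed MAC (AES-CMAC) or AEAD tag (AES-GCM) the comment recommends, since the standard library has no AES. The message and the tampered copy are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a message the customer wants to protect on the wire,
# and the modification an attacker would like to slip past the check.
MESSAGE = b'{"account": "alice", "amount": 100}'
TAMPERED = b'{"account": "mallory", "amount": 100}'


def md5_tag(message: bytes) -> bytes:
    """Unkeyed digest: what a request for "MD5" usually turns into."""
    return hashlib.md5(message).digest()


def md5_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(md5_tag(message), tag)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed MAC (HMAC-SHA256): stands in for AES-CMAC / the AES-GCM tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def forge_against_unkeyed(new_message: bytes) -> tuple[bytes, bytes]:
    """The attacker sees (message, md5) on the wire and simply recomputes
    the digest over the message they prefer. No secret is involved."""
    return new_message, md5_tag(new_message)


def forge_against_keyed(new_message: bytes, observed_tag: bytes) -> tuple[bytes, bytes]:
    """Without the key the attacker cannot compute a fresh tag; the best
    they can do is replay the tag they observed on the original message."""
    return new_message, observed_tag


def demo() -> dict[str, bool]:
    # Shared secret known to sender and verifier, never to the attacker.
    key = secrets.token_bytes(32)

    # Scenario 1: unkeyed MD5 checksum. The forgery verifies fine.
    forged_msg, forged_tag = forge_against_unkeyed(TAMPERED)
    unkeyed_accepts_forgery = md5_verify(forged_msg, forged_tag)

    # Scenario 2: keyed MAC. The genuine message verifies, the forgery does not.
    genuine_tag = mac_tag(key, MESSAGE)
    forged_msg, forged_tag = forge_against_keyed(TAMPERED, genuine_tag)
    keyed_accepts_genuine = mac_verify(key, MESSAGE, genuine_tag)
    keyed_accepts_forgery = mac_verify(key, forged_msg, forged_tag)

    return {
        "unkeyed_accepts_forgery": unkeyed_accepts_forgery,  # True: MD5 alone gives no integrity
        "keyed_accepts_genuine": keyed_accepts_genuine,      # True
        "keyed_accepts_forgery": keyed_accepts_forgery,      # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point is not that MD5 is weak as a hash here (it is, but that is beside the point); even a perfect unkeyed hash would be recomputed by the attacker. Integrity against an active attacker needs a secret, which is what a MAC, an AEAD tag, or a signature over the message supplies, and that is the question worth asking the customer before swapping MD5 for a cipher.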



