Password Security Flashcards
Developer role password storing
Developers need to ensure that users' passwords are stored securely
Password Security Problems
Users often choose weak passwords; admins often impose complex policies
How to store securely
Hash passwords with a salt (the hash provides preimage and collision resistance)
Why do developers get passwords wrong?
They might not consider security, or might not know how to store passwords securely.
Why do developers get password storage wrong? Setting
Lab setting with complete control over hardware and software
Complete the task in Java over 8 hours
Lab => survey => semi-structured interview
Task: Implement registration for social media
Why do developers get password storage wrong? Prompts & Framework
Developers were either prompted to implement secure password storage or only asked to implement the API; they could use Spring (opt-in security) or JSP (manual security)
Why do developers get password storage wrong? Grading
Up to seven points available for hashing, length, salt, salt length, etc.
Why do developers get password storage wrong? Results
Unprompted:
Hashing knowledge 9/10
Secure password storage 0/10
Didn't feel it was security-relevant
Prompted:
Hashing knowledge 9/10
Secure password storage 7/10
Framework support:
JSP: No support felt; some even felt it was not possible
Spring: Support felt by some participants
Result: A friendly API is not enough; prompting is required. Functionality first, security second
Deception Task Design in Dev Password. Setup
40 participants took part: half qualitative, half quantitative
Deception Task Design in Dev Password. Result
H1: Prompting has an effect on security attempt
H2: Prompting does not have an effect on success after attempt is made
H3: Framework has effect on security score of participants that attempt (spring > jsf)
H4: Java experience has an effect on security score (not statistically significant)
Copying and pasting had a positive effect on security
Quantitative group did not add many insights => qualitative analysis for API results
Prompting/deception allowed two different aspects to be studied:
Security vs API usability
Non-prompted: 20/20 plaintext
Prompted: 8/20 plaintext
“If you want, I can store the encrypted password.” Setup
Same study with freelancers instead of students => not enough money
Moved to a company context
“If you want, I can store the encrypted password.” Prompting
- Prompted (secure password storage): 100 euro
- Non-prompted: 200 euro
“If you want, I can store the encrypted password.” Results
Non-prompted: 14/21 plaintext, 4/21 secure
Prompted: 3/21 plaintext, 13/21 secure
Payment may increase security (still under discussion)
Many did not know how to securely store passwords
freelancer.com may be a good place to recruit participants, but students performed similarly
Conducting security developer studies with students. Setup
Also prompted and non-prompted
Also Spring and JSF
36 real developers from Germany
Conducting security developer studies with students. Results
Significantly better security score.
Spring still performed better than JSF
Company devs differed from students in absolute terms,
but they were similar in relative terms