"If you want, I can store the encrypted password": A Password-Storage Field Study with Freelance Developers

In 2017 and 2018, Naiakshina et al. (CCS'17, SOUPS'18) studied in a lab setting whether computer science students need to be told to write code that stores passwords securely. The authors' results showed that, without explicit prompting, none of the students implemented secure password storage. When asked about this oversight, a common answer was that they would have implemented secure storage - if they were creating code for a company. To shed light on this possible confusion, we conducted a mixed-methods field study with developers. We hired freelance developers online and gave them a similar password storage task, followed by a questionnaire to gain additional insights into their work. From our research, we offer two contributions. First, we reveal that, similar to the students, freelancers do not store passwords securely unless prompted, they have misconceptions about secure password storage, and they use outdated methods. Second, we discuss the methodological implications of using freelancers and students in developer studies.
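The misconceptions the abstract refers to (storing an "encrypted" password, or a bare fast hash without a salt) contrast with what secure storage actually looks like: a per-password random salt and a deliberately slow key-derivation function, verified in constant time. The following is an added example written for this page, not code from the paper or from any of its participants; it uses only the Python standard library (`hashlib.pbkdf2_hmac`, `hmac.compare_digest`, `os.urandom`). The `algorithm$iterations$salt$hash` record format, the `DEFAULT_ITERATIONS` value, and the `classify_record` heuristic for spotting legacy rows during a migration audit are assumptions of this snippet, and the sample records are constructed.

```python
"""Salted, slow password hashing with the Python standard library.

Added example (not from the paper). The record format and the legacy-row
heuristic below are assumptions of this snippet, not a scheme the study used.
"""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # work factor; assumed value, raise it as hardware speeds up
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed (rainbow) tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest); reject unknown schemes."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was produced with a weaker work factor than the current policy.

    Call this after a successful login and re-store the password with
    hash_password() so old records are upgraded transparently.
    """
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations


# Heuristic for auditing an existing user table: a bare hex digest of one of
# these lengths is most likely an unsalted fast hash (the "outdated methods"
# the study describes). A real audit confirms this against the application code.
_BARE_DIGEST_LENGTHS = {
    32: "bare MD5-length digest (legacy, likely unsalted)",
    40: "bare SHA-1-length digest (legacy, likely unsalted)",
    64: "bare SHA-256-length digest (legacy, likely unsalted)",
}


def classify_record(value: str) -> str:
    """Label one stored credential row for a migration report."""
    if value.startswith(ALGORITHM + "$"):
        return "salted PBKDF2 record (ok)"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in _BARE_DIGEST_LENGTHS:
        return _BARE_DIGEST_LENGTHS[len(value)]
    return "unknown format (review manually)"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    # Constructed sample rows as they might appear in a legacy user table.
    sample_rows = [hashlib.md5(b"password").hexdigest(),
                   hashlib.sha1(b"password").hexdigest(),
                   record]
    for row in sample_rows:
        print(classify_record(row))
```

The record carries its own parameters, so the iteration count can be raised later without invalidating existing logins: `verify_password` honours whatever count the record was created with, and `needs_rehash` tells the login handler when to re-store it at the new setting.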

[1] Aiko Fallas Yamashita et al. Surveying developer knowledge and interest in code smells through online freelance marketplaces, 2013, 2013 2nd International Workshop on User Evaluations for Software Engineering Researchers (USER).

[2] Lorrie Faith Cranor et al. The Privacy and Security Behaviors of Smartphone App Developers, 2014.

[3] Joseph Bonneau et al. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords, 2012, 2012 IEEE Symposium on Security and Privacy.

[4] Sebastian Möller et al. Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse, 2018, SOUPS @ USENIX Security Symposium.

[5] Rick Wash et al. Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites, 2016, SOUPS.

[6] Jacob Cohen. A Coefficient of Agreement for Nominal Scales, 1960.

[7] David R. Thomas et al. A General Inductive Approach for Analyzing Qualitative Evaluation Data, 2006.

[8] Nalin Asanka Gamagedara Arachchilage et al. Am I Responsible for End-User's Security? A Programmer's Perspective, 2018, ArXiv.

[9] Simson L. Garfinkel et al. Comparing the Usability of Cryptographic APIs, 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[10] Blase Ur et al. Diversify to Survive: Making Passwords Stronger with Adaptive Policies, 2017, SOUPS.

[11] Kamran Ahmed Siddiqui et al. Heuristics for Sample Size Determination in Multivariate Statistical Techniques, 2013.

[12] Nalin Asanka Gamagedara Arachchilage et al. Understanding Software Developers' Approach towards Implementing Data Minimization, 2018, ArXiv.

[13] Poul-Henning Kamp. LinkedIn Password Leak: Salt Their Hide, 2012, ACM Queue.

[14] Peter Mayer et al. A Second Look at Password Composition Policies in the Wild: Comparing Samples from 2010 and 2016, 2017, SOUPS.

[15] Aiko Fallas Yamashita et al. Do developers care about code smells? An exploratory survey, 2013, 2013 20th Working Conference on Reverse Engineering (WCRE).

[16] Elizabeth Stobert et al. The Password Life Cycle: User Behaviour in Managing Passwords, 2014, SOUPS.

[17] M. Angela Sasse et al. The true cost of unusable password policies: password use in the wild, 2010, CHI.

[18] Joseph Bonneau et al. The Password Thicket: Technical and Market Failures in Human Authentication on the Web, 2010, WEIS.

[19] Matthew Smith et al. Deception Task Design in Developer Password Studies: Exploring a Student Sample, 2018, SOUPS @ USENIX Security Symposium.

[20] Blase Ur et al. Designing Password Policies for Strength and Usability, 2016, ACM Trans. Inf. Syst. Secur.

[21] Michelle L. Mazurek et al. Security Developer Studies with GitHub Users: Exploring a Convenience Sample, 2017, SOUPS.

[22] B. Everitt et al. Statistical methods for rates and proportions, 1973.

[23] Emerson R. Murphy-Hill et al. Do Developers Read Compiler Error Messages?, 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE).

[24] Blase Ur et al. Can long passwords be secure and usable?, 2014, CHI.

[25] J. Fleiss et al. Statistical methods for rates and proportions, 1973.

[26] Lujo Bauer et al. Of passwords and people: measuring the effect of password-composition policies, 2011, CHI.

[27] Chris Kanich et al. Leveraging Semantic Transformation to Investigate Password Habits and Their Causes, 2018, CHI.

[28] Matthew Smith et al. Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study, 2017, CCS.

[29] Blase Ur et al. Helping Users Create Better Passwords, 2012, login Usenix Mag.

[30] Lujo Bauer et al. Encountering stronger password requirements: user attitudes and behaviors, 2010, SOUPS.

[31] Frank Wang et al. Vulnerability Factors in New Web Applications: Audit Tools, Developer Selection & Languages, 2013.

[32] Michael Backes et al. You Get Where You're Looking for: The Impact of Information Sources on Code Security, 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[33] Chamila Wijayarathna et al. Why Johnny Can't Store Passwords Securely?: A Usability Evaluation of Bouncycastle Password Hashing, 2018, EASE.

[34] Blase Ur et al. Do Users' Perceptions of Password Security Match Reality?, 2016, CHI.

[35] Michael Backes et al. A Stitch in Time: Supporting Android Developers in Writing Secure Code, 2017, CCS.

[36] Paul C. van Oorschot et al. An Administrator's Guide to Internet Password Research, 2014, LISA.

[37] Blase Ur et al. "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab, 2015, SOUPS.

[38] Matthew Finifter. Exploring the Relationship Between Web Application Development Tools and Security, 2011, WebApps.

[39] Lutz Prechelt et al. Plat_Forms: A Web Development Platform Comparison by an Exploratory Experiment Searching for Emergent Platform Properties, 2011, IEEE Transactions on Software Engineering.

[40] Konstantin Beznosov et al. Does my password go up to eleven?: the impact of password meters on password selection, 2013, CHI.