Visible to the public Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study

TitleWhy Do Developers Get Password Storage Wrong?: A Qualitative Usability Study
Publication TypeConference Paper
Year of Publication2017
AuthorsNaiakshina, Alena, Danilova, Anastasia, Tiefenau, Christian, Herzog, Marco, Dechand, Sergej, Smith, Matthew
Conference NameProceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
PublisherACM
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-4946-8
Keywordsdeveloper, Human Behavior, methodology, password storage, priming, pubcrawl, Resiliency, Scalability, Security Audits, studies
Abstract

Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.

URLhttp://doi.acm.org/10.1145/3133956.3134082
DOI10.1145/3133956.3134082
Citation Keynaiakshina_why_2017