Study Shows How Developers Deal with Secure Password Storage
Starting a new social network that aims to compete with Facebook is not difficult at all. All you need is a firm conviction that you are cleverer than Mark Zuckerberg and some cash in your pocket. In simple terms, the procedure is as follows: you jot down the idea, go to a website where freelance developers offer their services, pay a relatively small amount of money, and wait for the finished product.
Although you will ultimately be responsible for everything your future social network does, you don't need to have even the faintest idea of what's going on behind the scenes in technical terms. For the last couple of years, scientists at the University of Bonn, Germany have been wondering about the security implications of this peculiarity of the modern world.
Students have a lot to learn
In 2017, the team of eggheads included Alena Naiakshina, Marco Herzog, Anastasia Danilova, Christian Tiefenau, Sergej Dechand, and Matthew Smith, and they were eager to find out what would happen if they asked 20 computer science students to design and develop registration systems for a social network. The scientists wanted to see how each student would go about storing users' passwords.
The tons of data that get leaked every day show that many online service providers, both big and small, are struggling to get to grips with the concept of secure password storage, and the University of Bonn's researchers were hoping to see students who are much more competent in that respect. It wasn't to be.
The students were split into two groups. The first one received a task description that didn't mention the word "security" in any way, the idea being to see if the test subjects would figure out on their own that keeping users safe is high on the priority list. Only two students in that group tried to store people's passwords securely, but they ultimately decided that the work was too much and ended up opting for plain text storage.
The second group of test subjects were explicitly told that their registration forms must be secure. Although a few of the guinea pigs did get it right, some of the efforts were less than impressive. In fact, the post-experiment interviews revealed that students have serious misconceptions about secure password storage. Some of the test subjects were convinced that hashing passwords with MD5 is a good idea while others told the researchers that the mere presence of HTTPS should keep users safe.
In short, the results weren't very encouraging, but the scientists quickly realized that there was a flaw in the experiment. The test subjects knew that their work was being used for research purposes. They knew that their systems would never be tasked with handling real people's data, and some of them said that they would have behaved differently if they had been working on a real project.
"Real" projects, real developers, same results
A few months ago, Alena Naiakshina, Anastasia Danilova, and Matthew Smith teamed up with Emanuel von Zezschwitz and Eva Gerlitz, two other researchers from the University of Bonn, and set about expanding 2017's study. The team had two main goals.
First, the experts wanted to see how the test subjects would react if they weren't aware that they were part of an experiment. Secondly, they wanted to understand how the people who get paid to create web applications handle users' passwords.
So, instead of recruiting students, the scientists picked some developers from Freelancer.com, paid each one of them between €100 ($113) and €200 ($226), and pretended to be customers who had an innovative idea about a clever new social network. This time, the researchers had professional developers who thought they were working on real projects. In theory, the results should have been much different. Unfortunately, they weren't.
Once again, the test subjects were divided into two groups – one that was specifically instructed to create a secure system, and one that was just asked to put together a social media platform. Although a few added password protection mechanisms without being told to, most didn't bother, and when the researchers pushed them to design something more secure, they asked for additional money because of the extra work.
When it comes to the type of protection mechanisms, the findings were even more worrying. In addition to MD5 and SHA1, some of the developers used Base64 to obscure passwords. This, coupled with interviews conducted before and after the experiment, shows that the freelance developers have a hard time distinguishing between simple cryptographic concepts like "hashing", "encryption", and "encoding".
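To make the distinction concrete, here is an added illustration (not code from the study or from any of its participants) that puts the three approaches seen in the experiment side by side: Base64 "obscuring", an unsalted MD5 hash, and a salted, iterated password hash. The storage format string, the iteration count and the sample credential are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration; not taken from the study.
PASSWORD = "correct horse battery staple"

# Iteration count is an assumption for this example; tune it for your deployment.
PBKDF2_ITERATIONS = 600_000


def base64_obscure(password: str) -> str:
    """'Encoding': fully reversible by anyone, no secret involved. Not protection."""
    return base64.b64encode(password.encode()).decode()


def base64_reveal(stored: str) -> str:
    """Anyone holding the database can undo the encoding in one call."""
    return base64.b64decode(stored).decode()


def md5_hash(password: str) -> str:
    """Unsalted fast hash: equal passwords give equal digests, so leaked tables
    can be matched against precomputed digests or brute-forced cheaply on GPUs."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str) -> str:
    """Salted, slow hash: a fresh random salt per user plus many iterations."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Assumed storage layout: algorithm$iterations$salt$digest, all hex.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: never treat it as a match
        return False
```

Running the functions shows why only the last approach counts as secure storage: the Base64 value decodes straight back to the password, the MD5 digest is identical for every user with the same password, and the PBKDF2 records differ per user while still verifying correctly.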
Bear in mind that these are the same people that design and develop applications and handle millions of passwords every day. We knew all along that not all of them do it correctly, but this recent study shows that things might be worse than we thought. The really bad news is, other than taking care of our own password hygiene, there's not much else we can do.