"If you want, I can store the encrypted password." A Password-Storage Field Study with Freelance Developers
Date: May 4 2019
Publication: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (CHI '19)
Source 1: https://net.cs.uni-bonn.de/fileadmin/user_upload/naiakshi/Naiakshina_Password_Study.pdf
Source 2: https://doi.org/10.1145/3290605.3300370 - Subscription or payment required
Abstract or Summary:
In 2017 and 2018, Naiakshina et al. (CCS'17, SOUPS'18) studied in a lab setting whether computer science students need to be told to write code that stores passwords securely. The authors' results showed that, without explicit prompting, none of the students implemented secure password storage. When asked about this oversight, a common answer was that they would have implemented secure storage - if they were creating code for a company.
To shed light on this possible confusion, we conducted a mixed-methods field study with developers. We hired freelance developers online and gave them a similar password storage task followed by a questionnaire to gain additional insights into their work. From our research, we offer two contributions. First of all, we reveal that, similar to the students, freelancers do not store passwords securely unless prompted, they have misconceptions about secure password storage, and they use outdated methods. Secondly, we discuss the methodological implications of using freelancers and students in developer studies.