Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study
Date: October 30 2017
Publication: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17)
Source 1: https://arxiv.org/pdf/1708.08759.pdf
Source 2: https://doi.org/10.1145/3133956.3134082 - Subscription or payment required
Abstract or Summary:
Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.
PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=GfjXTL8R_yk
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.