Freelance developers need to be explicitly told to write code that stores passwords in a safe and secure manner, a recent study has revealed.

In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.

For their study, the German academics asked a group of 260 Java programmers to write a user registration system for a fake social network.

Of the 260 developers, only 43 took up the job, which involved using technologies such as Java, JSF, Hibernate, and PostgreSQL to create the user registration component.

Of the 43, academics paid half of the group with €100, and the other half with €200, to determine if higher pay made a difference in the implementation of password security features.

Further, they split the group a second time: half of the developers were explicitly prompted to store passwords securely, and the other half were left to store them however they saw fit. That produced four groups: developers paid €100 and prompted to use secure password storage (P100), developers paid €200 and prompted to use secure password storage (P200), developers paid €100 but not prompted about password security (N100), and developers paid €200 but not prompted about password security (N200).

Image: Naiakshina et al.

Researchers said developers took three days to submit their work, and that they had to ask 18 of the 43 to resubmit their code to include a password security system when they first sent a project that stored passwords in plaintext.

Of the 18 who had to resubmit their code, 15 were part of the group that was never told the user registration system needed to store passwords securely, suggesting that developers don't think about security on their own when writing code unless it is stated as a requirement.

Image: Naiakshina et al.

The other three were from the half that was told to use a secure method to store passwords, but who stored passwords in plaintext anyway.

Image: Naiakshina et al.

The results show that the level of understanding of what "secure passwords" mean differs greatly in the web development community.

Of the secure password storage systems developers chose to implement for this study, only the last two, PBKDF2 and Bcrypt, are considered secure.

8 - Base64

10 - MD5

1 - SHA-1

3 - 3DES

3 - AES

5 - SHA-256

1 - HMAC/SHA1

5 - PBKDF2

7 - Bcrypt

The first, Base64, isn't an encryption algorithm at all but a reversible encoding: anyone holding the database can decode the stored values back to the original passwords without any key, something the participating developers didn't seem to know. MD5, likewise, is a hashing function rather than encryption, and as a fast, general-purpose hash it offers little protection for passwords, since an attacker can compute it for millions of candidate passwords per second or simply look the digest up in a precomputed table.

"Many participants used hashing and encryption as synonyms," the team of academics said in their research paper.

"Of the 18 participants who received the additional security request, 3 decided to use Base64 and argued, for example: '[I] encrypted it so the clear password is not visible' and 'It is very tough to decrypt'," the researchers said --highlighting that some study participants didn't know the basic difference between encryption and an encoding that merely rewrites the same bytes in a different alphabet.

Furthermore, only 15 of the 43 developers chose to implement salting, the practice of combining each password with a random, per-user value before hashing it. The salt is stored alongside the hash; it ensures that two users with the same password get different hashes and that an attacker cannot crack every account at once with a single precomputed table.
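To make the difference between the schemes in the list above concrete, here is an added example (written for this page, not code from the study or its participants) that implements three of them side by side: Base64 "encryption" that any database reader can reverse, unsalted MD5 that falls to a lookup table built from a small word list, and salted, iterated PBKDF2-HMAC-SHA256 with a verify routine. The word list, the sample passwords and the record format (`pbkdf2_sha256$iterations$salt$hash`) are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list standing in for an attacker's dictionary (not from the study).
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]


def base64_store(password: str) -> str:
    """What some participants called 'encryption': plain Base64 encoding, no key involved."""
    return base64.b64encode(password.encode()).decode()


def base64_recover(stored: str) -> str:
    """Reversing Base64 needs nothing but the stored value; the password is simply read back."""
    return base64.b64decode(stored).decode()


def md5_store(password: str) -> str:
    """Unsalted MD5: deterministic and fast, so identical passwords share a digest and
    a precomputed table cracks every account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_crack(stored: str, wordlist=WORDLIST) -> Optional[str]:
    """Build the digest->word table once, then recover any stolen digest by lookup."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(stored)


# Iteration count chosen to be in the range current guidance recommends for
# PBKDF2-HMAC-SHA256 (an assumption for this example; tune to your hardware).
PBKDF2_ITERATIONS = 600_000


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The stored record carries algorithm, iteration count,
    salt and digest so that verification is self-describing and parameters can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Base64: the "encrypted" value decodes straight back to the password.
    print(base64_recover(base64_store("hunter2")))
    # MD5: the leaked digest is found in the lookup table.
    print(md5_crack(md5_store("letmein")))
    # PBKDF2: same password, two users, two different records; verification still works.
    rec_a, rec_b = pbkdf2_store("correct horse"), pbkdf2_store("correct horse")
    print(rec_a != rec_b, pbkdf2_verify("correct horse", rec_a), pbkdf2_verify("wrong", rec_a))
```

The Base64 and MD5 functions exist only to show the failure modes the study found; in a real system only the PBKDF2 pair (or an equivalent bcrypt, scrypt or Argon2 routine) belongs in the code, and the iteration count should be re-tuned as hardware gets faster.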

The study also found that 17 of the 43 developers copied their code from internet sites, suggesting that the freelancers didn't have the necessary skills to develop a secure system from scratch, and chose to use code that might be outdated or even riddled with bugs.

Paying developers higher rates didn't help considerably, researchers said.

However, the research team found that giving programmers specific instructions to implement a secure password storage system did yield better results than not saying anything at all and then expecting developers to think of security by themselves.

Nonetheless, without precise instructions, developers chose what they "believed" was a secure password storage system but which in reality was not, suggesting that review by someone with security expertise is needed when designing any type of security-sensitive component.

When I was a dev manager, I used something very similar as an exercise as part of the hiring process. At least 90% stored the password as plain text. Their numbers are better than I would have guessed. — Adam Caudill (@adamcaudill) March 6, 2019

The study's results clearly show that freelance developers' knowledge of cyber-security best practices varies wildly from person to person. This might be due to outdated training or no training at all --yet again making a case against using developers without cyber-security experience for such jobs.

Practical attacks against once-standard hashing and encryption algorithms have been published steadily over the past two decades, and what a developer learned from an outdated textbook may not stand scrutiny today. A good starting point for better password practices is this OWASP cheat sheet.

More details on this University of Bonn study are available in the research paper entitled "'If you want, I can store the encrypted password.' A Password-Storage Field Study with Freelance Developers."

This study is a continuation of two similar studies --from 2017 and 2018-- that used students as subjects, instead of freelance developers.

In the previous studies, students said they would have implemented secure password storage if they were creating code for a company. The 2019 study showed that working developers aren't any better than unsupervised students.
