DOI: 10.1145/3133956.3134082
Research article, CCS Conference Proceedings (ACM Conferences)

Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study

Published: 30 October 2017

ABSTRACT

Passwords are still a mainstay of many security systems, as well as the cause of many usability issues. For end-users, these issues have been studied extensively, highlighting problems, informing design decisions for better policies, and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error, with catastrophic results. While an end-user selecting a bad password can have dire consequences, a developer who forgets to hash and salt a password database can cause far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.
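The abstract contrasts forgetting to hash and salt a password database with doing it properly. The following Python is an added example, not code from the paper or its authors: it places the unsalted fast-hash mistake beside a salted, iterated PBKDF2-HMAC-SHA256 store that records its own parameters, verifies in constant time, and can detect records created under a weaker policy. The iteration count, salt length, record format and the `needs_rehash` helper are assumptions made for this illustration, and the user table is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters for this added example (assumed values, chosen for illustration;
# a deployment should tune the iteration count to its hardware and current guidance).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
HASH_NAME = "sha256"
RECORD_PREFIX = "pbkdf2_"


def insecure_digest(password: str) -> str:
    """The mistake the abstract describes: a bare, unsalted, fast hash.

    Every user with the same password gets the same digest, so a leaked table
    exposes shared passwords directly and is cheap to attack with precomputed tables.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC, encoded as a self-describing record.

    Record layout (assumed format): algorithm$iterations$salt_hex$key_hex.
    Carrying the parameters in the record lets them be raised later without
    breaking existing accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{RECORD_PREFIX}{HASH_NAME}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the stored parameters and compare in constant time.

    A malformed record is rejected rather than raised to the caller, so a
    corrupted row can never be mistaken for a match.
    """
    try:
        algo, iterations_str, salt_hex, key_hex = stored.split("$")
        if not algo.startswith(RECORD_PREFIX):
            return False
        hash_name = algo[len(RECORD_PREFIX):]
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record predates the current policy and should be re-hashed at next login."""
    parts = stored.split("$")
    if len(parts) != 4 or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample data: two users who happen to choose the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}

    print("unsalted SHA-1 (identical digests reveal the shared password):")
    for name, pw in users.items():
        print(f"  {name}: {insecure_digest(pw)}")

    print("salted PBKDF2 (distinct records per user):")
    table = {name: hash_password(pw) for name, pw in users.items()}
    for name, record in table.items():
        print(f"  {name}: {record[:48]}...")

    print("verify alice with correct password:", verify_password("correct horse", table["alice"]))
    print("verify alice with wrong password:  ", verify_password("wrong", table["alice"]))
```

The `needs_rehash` check is what lets a site raise its iteration count over time: on a successful login the plaintext is briefly available, so an old record can be replaced by a fresh `hash_password` call. A memory-hard function such as Argon2 or scrypt would slot into the same record layout; PBKDF2 is used here only because it ships in Python's standard library.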


Published in: CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, October 2017, 2682 pages. ISBN: 9781450349468. DOI: 10.1145/3133956.

Copyright © 2017 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History: Published 30 October 2017


Qualifiers: research-article

Acceptance Rates: CCS '17 paper acceptance rate 151 of 836 submissions (18%); overall acceptance rate 1,261 of 6,999 submissions (18%).
