It's no secret that passwords are a weak link in the security world.
But while fingers are often pointed at users' weak passwords or screen-stuck Post-It notes, a recent study by researchers based in Germany indicates that developers themselves may share some of the blame.
The study found that a significant proportion of freelance developers commissioned to work on a fictitious social-networking site failed to integrate secure password-storage features unless specifically asked to do so – with some failing to do so even then. Moreover, a sizable share of the mechanisms alleged by the developers to be secure fell well short of the security community's best practices for keeping passwords safe.
"Developers, clients and managers need to be more aware of this problem," said Alena Naiakshina, the University of Bonn researcher who led the study, in an email interview. "Our results indicated that developers are only implementing security if explicitly requested to. Therefore, the task description for software-development tasks should consider this aspect in advance."
In an environment where news of password breaches is dismayingly routine, the apparent sloppiness shown by the study's developers might be viewed as startling.
Yet, as shown by the recent revelation that some developers had for years stored hundreds of millions of user passwords in plain text form on internal servers, it appears increasingly evident that even top-level developers are prone to shortcuts that can endanger user security.
"This is not an outlier, in my opinion," said A.J. Nash, global head of cyber intelligence at Symantec. "In general, developers are often focused on getting things done, and in some cases, security is viewed as getting in the way."
The University of Bonn study was designed to determine whether freelance developers hired to work on a simple app – in this case, a fictitious photo-sharing service for sports fans – would integrate features offering secure database storage for users' passwords, and if so, how strong these security measures would in fact be.
Previously, the researchers had conducted two similar studies with university-level computer-science students. There, none of the students who were not explicitly tasked with creating a secure solution wound up storing passwords securely. Just over half of those specifically asked to consider security as a factor produced secure solutions.
Noting that students were likely to act differently than paid, professional coders, the team used a similar approach to focus on developers hired through the Freelancer.com job-matching site.
This time they posed as a start-up company creating a social-networking site. Claiming to have lost a developer, they contacted 260 Java developers, offering payments of either €100 or €200 to complete coding of the site-registration process. A total of 49 accepted, with 43 successfully completing the task. The subjects were randomly assigned to the payment-level groups, and to groups that either were or were not specifically asked to consider security.
Participating coders predominantly identified themselves as freelance developers, with "industrial developer" being the second-largest category. The most prominent countries of origin were India and China, but nations ranging from Italy to the United States were also represented.
Among the participants who were not explicitly asked for a secure solution, a large majority produced non-secure code, no matter what the payment scale. Among those who received a prompt to "store it securely," a slim majority within the €100 group provided secure code, while about twice as many developers in the €200 group produced secure solutions as did not (eight secure products as compared to four insecure).
Moreover, many of the developers who claimed to believe they were providing secure code in fact "protected" passwords using techniques deemed outdated by the security community, or functions today regarded as unsuitable for cryptographic purposes (such as MD5). A significant number simply stored passwords in Base64, a scheme for encoding binary data into an ASCII format that offers no practical protective features.
Developers who did store passwords securely tended to use password-hashing libraries such as bcrypt or the PBKDF2 function.
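To make the gap between the two groups concrete, here is an added example (not code from the study or from any participant) that puts the three storage approaches the article mentions side by side: Base64 encoding, unsalted MD5, and a salted, iterated PBKDF2 hash with constant-time verification. It also includes a small audit helper of the kind a reviewer might run over an existing user table to flag records that look like encoding or a bare fast hash. The sample password, the record format (`iterations$salt$hash`) and the iteration count are assumptions chosen for the example; the count follows the commonly cited OWASP guidance for PBKDF2-HMAC-SHA256 at the time of writing.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input (not from the study): a password as a user might submit it.
SAMPLE_PASSWORD = "correct horse battery staple"

# --- What several study participants did: an encoding, or an unsalted fast hash ---

def base64_store(password: str) -> str:
    """Base64 is an encoding, not protection: anyone holding the stored value
    can recover the password with a single decode call."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")

def base64_recover(stored: str) -> str:
    """Shows why Base64 offers no security: it is fully reversible."""
    return base64.b64decode(stored).decode("utf-8")

def md5_store(password: str) -> str:
    """Unsalted MD5: fast and deterministic, so identical passwords produce
    identical digests and precomputed tables defeat it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# --- What the secure submissions did: a slow, salted password hash (PBKDF2) ---

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-recommended count for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Store as '<iterations>$<salt-hex>$<hash-hex>' (record format assumed for this
    example). A fresh random salt per user means two users with the same password
    get different records, so one cracked record reveals nothing about another."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so response timing does not leak how many leading bytes matched."""
    iterations_s, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# --- Audit helper: a rough classification of what a stored record looks like ---

def classify_record(stored: str) -> str:
    """Heuristic used when reviewing an existing user table. Returns one of
    'pbkdf2', 'unsalted-fast-hash', 'base64' or 'unknown'."""
    parts = stored.split("$")
    if len(parts) == 3 and parts[0].isdigit():
        return "pbkdf2"
    # 32 hex characters is the shape of a bare MD5 digest (check before Base64,
    # since a hex string is also valid Base64 text).
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "unsalted-fast-hash"
    try:
        base64.b64decode(stored, validate=True).decode("utf-8")
        return "base64"
    except (ValueError, UnicodeDecodeError):
        return "unknown"

if __name__ == "__main__":
    record = pbkdf2_store(SAMPLE_PASSWORD)
    print("Base64 'protection' recovers:", base64_recover(base64_store(SAMPLE_PASSWORD)))
    print("MD5 of same input twice identical:", md5_store("a") == md5_store("a"))
    print("PBKDF2 record:", record)
    print("Verify correct password:", pbkdf2_verify(SAMPLE_PASSWORD, record))
    print("Verify wrong password:", pbkdf2_verify("wrong", record))
```

The point the study makes is visible in the contrast: `base64_recover` undoes the "protection" outright, `md5_store` yields the same digest for every user with the same password, while two calls to `pbkdf2_store` with the same password produce different records and each one costs the attacker hundreds of thousands of hash computations per guess. In a real deployment the same properties come from a maintained library (bcrypt, scrypt or Argon2 bindings) rather than hand-rolled code, but the shape of the check is the same.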
In total, 17 developers provided secure code, while 25 did not. Following interviews with the freelancers hired, the researchers attributed this lack of security to developers' focus on functionality before security (particularly in the low-paid group), misplaced trust in "standards" such as MD5, and a reliance on outdated methods.
Naiakshina noted that the study's sample size was too small to definitively answer some of the questions they were interested in, such as the effect of nationality or the full effect of the different pay scales. In the future, the team intends to explore how the behavior of freelancers compares to that of full-time developers.
Symantec's Nash said that company-employed coders too are often susceptible to taking security shortcuts, unless structures are in place that make this more difficult from the start.
"It comes down to having a culture of security and being able to be in a situation where security is built into what everybody's doing in a seamless fashion," he said. "People by nature rebel against things that make their jobs harder. But if it's built into processes, people will do it."