Front-line programmers default to insecure practices unless they are instructed to do otherwise

It's always sort of baffling when security breaches reveal that a company has stored millions of users' passwords in unencrypted form, or put their data on an insecure cloud drive, or transmitted it between the users' devices and the company's servers without encryption, or left an API wide open, or some other elementary error: how does anyone in this day and age deploy something so insecure?

A new study conducted by University of Bonn researchers gives an inkling: front-line developers working as freelancers default to incredibly insecure practices unless their clients know enough to demand better ones.

The researchers hired 43 freelance Java programmers through Freelancer.com and asked them to develop a registration system for an imaginary social network the researchers claimed to be starting. Half the devs were paid €100 and half were paid €200 for the job; half of each of the two pay-groups were given explicit instructions to use secure password storage and half were left to their own devices.

Though this yielded small sample sizes, the effect was large enough to bear deeper scrutiny: 15 of the 18 who were not given password security instructions stored passwords in plaintext; 3 of the group who were instructed to store passwords securely also stored passwords in plaintext. Moreover, even the programmers who encrypted the passwords used insecure methods to do so: 31 of the programmers used insecure methods like Base64 encoding (!), MD5, SHA-1, etc -- while only 12 used secure methods like bcrypt and PBKDF2.

The programmers also overwhelmingly failed to implement basic security practices like salting their hashes. And 17 out of 43 copy-pasted their code from random websites (alas, these copy-pasters didn't consult something useful like OWASP's password security guidelines).

The low-pay and high-pay groups performed at about the same level.

The whole study is pretty depressing, suggesting that basic security awareness is incredibly low among programmers, and that all the things that might correct for this -- like good example code that has high search-rank -- are also lacking.

'Of the 18 participants who received the additional security request, 3 decided to use Base64 and argued, for example: '[I] encrypted it so the clear password is not visible' and 'It is very tough to decrypt',' researcher said --highlighting that some study participants didn't know the basic difference between an encryption algorithm and a function that just jumbles characters around.

Furthermore, only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application's database is made harder to crack with the addition of a random data factor.

The study also found that 17 of the 43 developers copied their code from internet sites, suggesting that the freelancers didn't have the necessary skills to develop a secure system from scratch, and chose to use code that might be outdated or even riddled with bugs.

Paying developers higher rates didn't help considerably, researchers said.

'If you want, I can store the encrypted password.'A Password-Storage Field Study with Freelance Developers [Alena Naiakshina, Eva Gerlitz, Emanuel von Zezschwitz and Matthew Smith/University of Bonn]

Study shows programmers will take the easy way out and not implement proper password security [Catalin Cimpanu/Zero Day]

(via Schneier)