> Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext.
> Those devs were then asked to rewrite their code to 'store passwords securely.' Overall here are the methods of password storage chosen by the developers:
> 10 - MD5
> 8 - Base64
> 7 - Bcrypt
> 5 - SHA-256
> 5 - PBKDF2
> 3 - AES
> 3 - 3DES
> 1 - SHA-1
> 1 - HMAC/SHA1
> only 3 of 17 participants, who used other hash algorithms, implemented salting. One of them generated a random salt, one made use of the username, and one hard-coded a static salt
As an industry, we (developers) have a long way to go.
It's insane to me that it's not "common knowledge" to AT LEAST hash the passwords.
It's also interesting because 6 used an encryption algorithm, 10 used MD5 which is as good as plaintext nowadays IMO, and 8 used Base64, so even though 24 people thought they "secured it" the passwords are trivial to recover.
To play devil’s advocate, to me plaintext means I want to finish quickly because you haven’t asked and are paying too little, while any solution other than bcrypt/pbkdf2 means I don’t know what I’m doing.
Having once run my own freelance web dev company, I feel very comfortable saying that I would not take a project where I wasn't getting paid enough to bother hashing passwords. That's beyond justification. Either reject the client or protect their users.
This should be part of the job, no matter how tight the budget is. Password hashing is quite accessible in almost every language and I can't think of any excuse not to hash passwords.
Right? You literally have to go OUT OF YOUR WAY to not be exposed to hashing/salting - every framework does it, most tutorials include it, for most environments it's a simple library import/API.
I have to wonder how they sourced their developers. I don't think researchers would be motivated to do much more than post a low-bidding ad on Craigslist, meaning the quality of the developers will be commensurate.
It's inside the paper. They used Freelancer.com and gave 100EUR/200EUR to 100 developers.
They created a fake company website and asked the devs to complete the sign-up portion of their fake social network because one of their fake developers had resigned recently.
They used 2 tiers of payment to see if the payment had an effect on the security of the code.
> Final Study
> For the final study we recruited freelancers via direct messages. We searched for all freelancers and filtered for the skill "Java." Unfortunately, Freelancer.com's search function also returns JavaScript developers or developers where we saw no connection to Java, so we manually pruned out developers whose profile did not include Java skills.
> Based on our experience in the pre-studies we added two payment levels to our study design (EUR100 and EUR200). We only accepted freelancers' submissions if they were functional
Maybe the segment of the industry in which the cheapest outsourced devs work, anyway.
Their conclusion states as much (hiring more expensive devs on freelancer.com got them more secure solutions):
"In addition, we found a significant effect in the freelancers’ acceptance rate between the €100 and €200 conditions for the prompted task and examined the effect of different payment levels on secure coding behavior. We saw more secure solutions in the €200 conditions, although the difference was not statistically significant. However, this result might be due to the small sample size and we believe this is worth following up in future work."
I am freelancing on my 10th year now (never set foot in an office to work), and let me tell you hiring people on freelancer.com, no matter how much the budget is, won't end up good.
Fiverr and freelancer.com have the worst kind of freelancers in my experience.
I'm curious as to why they only said 3 of 17 used salt -- most bcrypt implementations will automatically generate a random salt (since the salt is visible in the generated hash), and 7 people used bcrypt?
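An added example, not from the paper or any commenter, of what the thread means by salted hashing: PBKDF2 from Python's standard library with a fresh random salt stored inside the record (the same idea as bcrypt's self-describing hash), beside the Base64 and unsalted MD5 approaches the thread calls trivial to recover. The iteration count and record format are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; tune the iteration count to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the salt carried in the record; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# The two "secured" schemes the thread singles out, for contrast.
def base64_store(password: str) -> str:
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def base64_recover(stored: str) -> str:
    # Encoding is not hashing: the original password comes straight back.
    return base64.b64decode(stored).decode("utf-8")


def unsalted_md5(password: str) -> str:
    # No salt: identical passwords give identical digests across all users,
    # so one lookup table built from common passwords cracks them all at once.
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```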
What was the task they were asked to perform? For most work a contract under 1k isn't going to get you an extremely high quality developer. In finding, planning, negotiating, and implementing a project you accrue a lot of billable overhead time.
If you assume it takes....
- 1hr to apply, negotiate, and accept job
- 1hr to do job
- 1hr to submit and aid in support & integration of code
Then at $200 you're making $66/hr. I'd classify myself as an average developer and most contract work people spam me with on LinkedIn is in the $150/hr + benefits range.
I wonder what kind of quality they'd get with a larger project priced at that range. Something with 15hr of work @ $150 might bring in higher quality freelancers that are closer to the industry average.
I understand your point but that also depends on the geographic location of the developer. 66 US Dollars here in Brazil – as well in many other countries – is an excellent rate and you find top notch developers. Even with half of that you would find excellent and experienced developers around here.