"Do this! Do that!, And Nothing will happen": Do specifications lead to securely stored passwords?

Joseph Hallett; Nikhil Patnaik; Ben Shreeve; Awais Rashid

"Do this! Do that!, And Nothing will happen": Do specifications lead to securely stored passwords?

Joseph Hallett, Nikhil Patnaik, Ben Shreeve, Awais Rashid

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

278 Downloads (Pure)

Abstract

Does the act of writing a specification (how the code should behave) for a piece of security sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.

Original language	English
Title of host publication	43rd International Conference on Software Engineering
Place of Publication	Madrid, Spain
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Number of pages	13
Edition	43
Publication status	Accepted/In press - 7 Jan 2021

Structured keywords

Cyber Security
passwords
usability
developer centered security

Access to Document

Full-text PDF (author accepted manuscript)
This is the author accepted manuscript (AAM). The final published version (version of record) is available online via IEEE at [insert hyperlink] . Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 257 KB

Handle.net

Persistent link

Cite this

@inproceedings{1fed73f3494d49dea924385bd9cb6a62,

title = "{"}Do this! Do that!, And Nothing will happen{"}: Do specifications lead to securely stored passwords?",

abstract = "Does the act of writing a specification (how the code should behave) for a piece of security sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.",

author = "Joseph Hallett and Nikhil Patnaik and Ben Shreeve and Awais Rashid",

year = "2021",

month = jan,

day = "7",

language = "English",

booktitle = "43rd International Conference on Software Engineering",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

address = "United States",

edition = "43",

}

"Do this! Do that!, And Nothing will happen" : Do specifications lead to securely stored passwords? / Hallett, Joseph ; Patnaik, Nikhil ; Shreeve, Ben et al.

43rd International Conference on Software Engineering. 43. ed. Madrid, Spain : Institute of Electrical and Electronics Engineers (IEEE), 2021.

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - "Do this! Do that!, And Nothing will happen"

T2 - Do specifications lead to securely stored passwords?

AU - Hallett, Joseph

AU - Patnaik, Nikhil

AU - Shreeve, Ben

AU - Rashid, Awais

PY - 2021/1/7

Y1 - 2021/1/7

N2 - Does the act of writing a specification (how the code should behave) for a piece of security sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.

AB - Does the act of writing a specification (how the code should behave) for a piece of security sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.

M3 - Conference Contribution (Conference Proceeding)

BT - 43rd International Conference on Software Engineering

PB - Institute of Electrical and Electronics Engineers (IEEE)

CY - Madrid, Spain

ER -

"Do this! Do that!, And Nothing will happen": Do specifications lead to securely stored passwords?

Abstract

Structured keywords

Access to Document

Handle.net

Fingerprint

Cite this