Web developers write unsafe code by default
“If you want, I can encrypt passwords.”
Some developers who were explicitly instructed to use cryptography "encrypted" the password database with Base64.
Whenever news of another data breach appears in the media, the same question comes up: why did the company store user passwords in plain text, leave its API unprotected, or make some other basic mistake? Are such violations of security rules really still possible today?
A new study from the University of Bonn (Germany) shows that freelance developers follow extremely insecure practices by default, unless the client explicitly demands more.
The researchers invited 260 Java developers on Freelancer.com to build a registration system for a fictional social network that the client was supposedly launching. Of these, only 43 accepted an order that required the use of Java, JSF, Hibernate and PostgreSQL. Half of the developers were paid 100 euros for the work and half 200 euros. Within each of the two groups, half were instructed to store passwords securely, while the other half were not.
Although the sample is clearly small, the differences are large enough to suggest some general trends. Here are some of the study's results:
- Among those who received no instructions, 15 out of 18 stored passwords in clear text.
- Three of the participants who were instructed to store passwords securely also stored them in clear text.
- Most programmers who did protect the passwords used insecure methods: 31 of them used Base64, MD5, SHA-1 and similar techniques.
- Only 12 freelancers used secure methods such as bcrypt and PBKDF2.
- 8 used Base64
- 10 used MD5
- 1 used SHA-1
- 3 used 3DES
- 3 used AES
- 5 used SHA-256
- 1 used HMAC/SHA-1
- 5 used PBKDF2
- 7 used bcrypt
The table below (click to enlarge) shows the full results for each participant: how many days they took to complete the task, how much of that time they spent on implementing security, and which encryption or hashing algorithm they applied. The upper half of the table lists those who were explicitly instructed to encrypt the information. Participants shown in bold first submitted an insecure solution and then received additional instructions to implement secure password storage.
The vast majority of programmers were unable to implement basic security measures, and 17 out of 43 copied code from random websites.
Only 15 developers used a salt: a random string that is fed into the hash function together with the password, which makes brute-force and precomputed-table attacks much harder. The table (clickable) shows the demographic data of the study participants. As you can see, they are mainly men, with an average age of 30, from 11 countries (in two cases the country is not given). The lower-paid and higher-paid groups produced work of roughly the same quality.
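To make the categories in the breakdown above concrete (reversible encoding, unsalted fast hash, salted slow hash), here is an added Python example that is not part of the original article or the study's code. It stores the same password three ways and reports which schemes leave two users with identical records; the 600,000 PBKDF2 iteration count and the `algo$iterations$salt$hash` record format are the example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample input: two users who happen to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

def base64_store(password: str) -> str:
    """What several participants called 'encryption': a reversible encoding."""
    return base64.b64encode(password.encode()).decode()

def base64_recover(stored: str) -> str:
    # Whoever holds the database gets the plaintext back with a single call.
    return base64.b64decode(stored).decode()

def md5_store(password: str) -> str:
    """Unsalted fast hash: equal passwords give equal digests, so one leaked
    digest identifies every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()

PBKDF2_ITERATIONS = 600_000  # assumption: a current recommendation for PBKDF2-HMAC-SHA256

def pbkdf2_store(password: str, salt=None) -> str:
    """Salted, slow, iterated hash; stored as algo$iterations$salt$hash."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(digest.hex(), digest_hex)

def compare_schemes(users: dict) -> dict:
    """Per scheme, do two users with the same password get distinguishable records?"""
    first, second = list(users.values())[:2]
    return {
        "base64_distinct": base64_store(first) != base64_store(second),
        "md5_distinct": md5_store(first) != md5_store(second),
        "pbkdf2_distinct": pbkdf2_store(first) != pbkdf2_store(second),
    }
```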
Overall, the study is rather depressing. It suggests that basic security awareness among freelancers is incredibly low. Of the 18 participants who received explicit instructions to use cryptography, three chose Base64 and justified it with statements such as "[I] encrypted everything so that the password is not visible" and "It is very difficult to decrypt it."
Perhaps this behavior is specific to freelancers, and in-house developers build a secure solution right away without any instructions? The study does not answer this question.