Deception Task Design in Developer Password Studies: Exploring a Student Sample


Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, and Matthew Smith, University of Bonn, Germany


Studying developer behavior is a hot topic for usable security researchers. While the usable security community has ample experience and best-practice knowledge concerning the design of end-user studies, such knowledge is still lacking for developer studies. We know from end-user studies that task design and framing can have significant effects on the outcome of the study. To offer initial insights into these effects for developer research, we extended our previous password storage study (Naiakshina et al. CCS'17). We did so to examine the effects of deception studies with regard to developers. Our results show that there is a huge effect—only 2 out of the 20 non-primed participants even attempted a secure solution, as compared to the 14 out of 20 for the primed participants. In this paper, we will discuss the duration of the task and contrast qualitative vs. quantitative research methods for future developer studies. In addition to these methodological contributions, we also provide further insights into why developers store passwords insecurely.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {219406,
author = {Alena Naiakshina and Anastasia Danilova and Christian Tiefenau and Matthew Smith},
title = {Deception Task Design in Developer Password Studies: Exploring a Student Sample},
booktitle = {Fourteenth Symposium on Usable Privacy and Security ({SOUPS} 2018)},
year = {2018},
isbn = {978-1-931971-45-4},
address = {Baltimore, MD},
pages = {297--313},
url = {},
publisher = {{USENIX} Association},