Let’s Hash: Helping Developers with Password Security

Authors:

Lisa Geierhaas and Anna-Marie Ortloff, University of Bonn; Matthew Smith, University of Bonn, FKIE Fraunhofer; Alena Naiakshina, Ruhr University Bochum

Awarded Distinguished Paper!

Abstract:

Software developers are rarely security experts and often struggle with security-related programming tasks. The resources developers use to work on them, such as Stack Overflow or documentation, have a significant impact on the security of the code they produce. However, work by Acar et al. (SP'16) has shown that these resources are often either easy to use but insecure or secure but hard to use. A study by Naiakshina et al. (SOUPS'18) showed that developers who did not use resources to copy and paste code did not produce any secure solutions at all. This highlights how essential programming resources are for security. Inspired by Let's Encrypt and Certbot, which support admins in configuring TLS, we created a programming aid called Let's Hash to help developers create secure password authentication code easily. We created two versions. The first is a collection of code snippets developers can use; the second adds a wizard interface on top that guides developers through the decisions that need to be made and generates the complete code for them. To evaluate the security and usability of Let's Hash, we conducted a study with 179 freelance developers, asking them to solve three password programming tasks. Both versions of Let's Hash significantly outperformed the baseline condition, in which developers used their regular resources. On average, Let's Hash users were between 5 and 32 times as likely to create secure code as those in the control condition.

BibTeX
@inproceedings {281226,
author = {Lisa Geierhaas and Anna-Marie Ortloff and Matthew Smith and Alena Naiakshina},
title = {{Let{\textquoteright}s} Hash: Helping Developers with Password Security},
booktitle = {Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022)},
year = {2022},
isbn = {978-1-939133-30-4},
address = {Boston, MA},
pages = {503--522},
url = {https://www.usenix.org/conference/soups2022/presentation/geierhaas},
publisher = {USENIX Association},
month = aug,
}