“If you want, I can store the encrypted password.” A Password-Storage Field Study with Freelance Developers

A murb'ed feed, posted more than 4 years ago, filed in freelance, security, research, payment, encryption, password & quality.

Interesting results. Many freelancers in this study didn’t deliver secure implementations when not explicitly told to do so.

Reflecting on my own work: I think I’m reasonably security aware, but I’ve made my mistakes as well. Recently I was asked to encrypt a confirmation token. I hadn’t thought about that, but there is of course an attack vector where a database is found, and the verification code is then used to complete the normal process. In general, when it comes to security, I try not to reinvent the wheel and use proven solutions.
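The attack vector described above, as an added example that is not part of the original post or of the paper it discusses. It contrasts the naive store (the raw confirmation token sits in the database row) with a store that keeps only a hash of the token, and simulates the scenario where an attacker obtains a database dump and presents the stored value as the token. The in-memory dictionary is a constructed stand-in for a database table, and the class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class ConfirmationTokens:
    """Minimal e-mail confirmation token store (example code, not the post's own).

    hashed=False is the naive version: the raw token is what the table holds, so
    anyone who reads the table can complete confirmation for any pending user.
    hashed=True stores only sha256(token); the verifier re-hashes whatever the
    client presents, so a leaked row does not by itself pass verification.
    """

    def __init__(self, hashed: bool):
        self.hashed = hashed
        self.table = {}  # user_id -> stored value (constructed stand-in for a DB table)

    def _stored_form(self, token: str) -> str:
        # A fast hash is acceptable here because the token is 256 random bits and
        # cannot be guessed; low-entropy secrets such as passwords need a slow,
        # salted hash instead.
        if self.hashed:
            return hashlib.sha256(token.encode("utf-8")).hexdigest()
        return token

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.table[user_id] = self._stored_form(token)
        return token  # goes into the confirmation link, and nowhere else

    def confirm(self, user_id: str, presented: str) -> bool:
        stored = self.table.get(user_id)
        if stored is None:
            return False
        candidate = self._stored_form(presented)
        # Constant-time comparison so a timing side channel does not leak the digest.
        if not hmac.compare_digest(candidate, stored):
            return False
        del self.table[user_id]  # single use: a token cannot be replayed after success
        return True


def dump_and_replay(store: ConfirmationTokens, user_id: str) -> bool:
    """Simulate the attack: read the user's row and present its contents as the token."""
    leaked = store.table[user_id]
    return store.confirm(user_id, leaked)


if __name__ == "__main__":
    plain = ConfirmationTokens(hashed=False)
    plain.issue("alice")
    print("naive store, dump replayed:", dump_and_replay(plain, "alice"))    # True

    hashed = ConfirmationTokens(hashed=True)
    link_token = hashed.issue("bob")
    print("hashed store, dump replayed:", dump_and_replay(hashed, "bob"))    # False
    print("hashed store, real link used:", hashed.confirm("bob", link_token))  # True
```

Note that this is hashing rather than encryption: the server never needs the original token back, it only needs to recognise it, so a one-way digest is the right primitive and there is no decryption key to protect. The same reasoning is what separates "store the encrypted password" in the paper's title from a proper salted, slow password hash.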

I’m still kind of sceptical about the research because of the payment the developers got. Developers were hired for €100 or €200, which is not much and doesn’t leave much time to reflect (considering western European rates). On the other hand, the authors state that some developers saw it as a test for a real job.
