March 27, 2019 03:51 pm PDT

Front-line programmers default to insecure practices unless they are instructed to do otherwise

It's always sort of baffling when security breaches reveal that a company has stored millions of users' passwords in unencrypted form, or put their data on an insecure cloud drive, or transmitted it between the users' devices and the company's servers without encryption, or left an API wide open, or some other elementary error: how does anyone in this day and age deploy something so insecure?

A new study conducted by University of Bonn researchers gives an inkling: front-line developers working as freelancers default to incredibly insecure practices unless their clients know enough to demand better ones.

The researchers hired 43 freelance Java programmers through Freelancer.com and asked them to develop a registration system for an imaginary social network the researchers claimed to be starting. Half the devs were paid 100 and half were paid 200 for the job; half of each of the two pay-groups were given explicit instructions to use secure password storage and half were left to their own devices.

Though this yielded small sample sizes, the effect was large enough to bear deeper scrutiny: 15 of the 18 who were not given password security instructions stored passwords in plaintext; 3 of the group who were instructed to store passwords securely also stored passwords in plaintext. Moreover, even the programmers who encrypted the passwords used insecure methods to do so: 31 of the programmers used insecure methods like Base64 encoding (!), MD5, SHA-1, etc -- while only 12 used secure methods like bcrypt and PBKDF2.

The programmers also overwhelmingly failed to implement basic security practices like salting their hashes.
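To make the article's distinction concrete, here is an added example (not from the study or the article) contrasting the storage schemes it names: Base64 is a reversible encoding, unsalted MD5 gives identical passwords identical records, and salted, iterated PBKDF2-HMAC-SHA256 (from the standard library; bcrypt would need a third-party package) avoids both problems. The user names and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials; two users happen to share a password.
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2"}


def store_base64(password: str) -> str:
    """Insecure: Base64 is an encoding, not a hash; it is trivially reversed."""
    return base64.b64encode(password.encode()).decode()


def recover_from_base64(stored: str) -> str:
    """Shows why Base64 'protection' is no protection: the plaintext comes back."""
    return base64.b64decode(stored).decode()


def store_md5_unsalted(password: str) -> str:
    """Insecure: fast, unsalted digest. Equal passwords give equal records,
    and precomputed tables or GPU brute force crack it cheaply."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, iterations: int = 600_000) -> str:
    """Secure: per-user random salt plus a slow, iterated KDF.
    Record format (assumed here): algorithm$iterations$salt_hex$hash_hex,
    so parameters can be upgraded later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def records_collide(store, users: dict) -> bool:
    """True if any two users end up with the same stored value (a salting failure)."""
    records = [store(pw) for pw in users.values()]
    return len(records) != len(set(records))
```

Running `records_collide` over `SAMPLE_USERS` returns True for the Base64 and MD5 stores and False for PBKDF2, which is the whole point of salting.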


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/1lBezU-1C6E/neither-is-md5.html
