A recent study by German academics approached 260 developers with a job to write a user registration system. Of those 260 Java developers, only 43 freelancers took up the job. This group was asked to use Java, JSF, PostgreSQL, and Hibernate. The study found that developers tend to look for the easy way out when writing code that stores user credentials: most of them stored passwords in an unsafe manner.
The German academics paid €100 to half of the group and €200 to the other half, on the expectation that the higher fee would also lead to a better implementation of security features. The developers were free to choose their own password storage method.
The group was split a second time: half were prompted to store passwords securely, while the other half received no specific instructions. Both the €100 and the €200 pay groups contained developers who were asked to use a secure storage method.
The developers took about three days to submit the project. 18 of the 43 had to resubmit their code to add password security after their first submission, which stored passwords in plain text.
Of the 18 developers who resubmitted, 15 belonged to the group that had not been asked to store passwords securely. The study clearly shows that programmers do not think about security while writing code.
Of the 18 participants who resubmitted with a secure password storage option, 3 chose Base64 and 15 chose salting. Base64 is not an encryption algorithm at all; it merely encodes the bytes, so anyone who can read the database column can recover the password immediately. Salting, by contrast, combines each password with a random value before it is hashed, so the application database holds a salted hash rather than the password itself, and two users with the same password do not end up with the same stored value.
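To make that difference concrete, here is an added example (not code from the study or from any of its participants), written in Python rather than the Java stack the participants used: a Base64 "store" that is trivially reversible, next to a salted PBKDF2-HMAC-SHA256 hash with constant-time verification. The function names, storage format and 600,000-iteration count are my own choices, and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample credential for the demonstration (not from the study).
SAMPLE_PASSWORD = "correct horse battery staple"
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def store_base64(password: str) -> str:
    """The weak choice from the study: Base64 is encoding, not encryption."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(stored: str) -> str:
    """Anyone who reads the column gets the password back with one call."""
    return base64.b64decode(stored).decode("utf-8")


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted hashing: persist the salt and a one-way hash, never the password.

    Format (my own, hypothetical): algorithm$iterations$salt_hex$digest_hex
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_hash(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    weak = store_base64(SAMPLE_PASSWORD)
    print("Base64 column:", weak, "-> recovers:", recover_from_base64(weak))
    strong = store_salted_hash(SAMPLE_PASSWORD)
    print("Salted hash column:", strong)
    print("Login check:", verify_salted_hash(SAMPLE_PASSWORD, strong))
```

Run it twice and the salted-hash column differs each time while the Base64 column is identical, which is exactly why a leaked Base64 column is as bad as plain text.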
The study shows that freelance developers do not take the issue of encryption seriously, and it highlights why it is important for programmers to master secure coding practices.