
A Password-Storage Field Study with Freelance Developers [pdf] - jsnell
https://net.cs.uni-bonn.de/fileadmin/user_upload/naiakshi/Naiakshina_Password_Study.pdf
======
gregmac
Good summary:
[https://twitter.com/PwdRsch/status/1103021803503607808](https://twitter.com/PwdRsch/status/1103021803503607808)

> Researchers asked 43 freelance developers to code the user registration for
> a web app and assessed how they implemented password storage. 26 devs
> initially chose to leave passwords as plaintext.

> Those devs were then asked to rewrite their code to 'store passwords
> securely.' Overall here are the methods of password storage chosen by the
> developers:
>
> - 10 - MD5
> - 8 - Base64
> - 7 - Bcrypt
> - 5 - SHA-256
> - 5 - PBKDF2
> - 3 - AES
> - 3 - 3DES
> - 1 - SHA-1
> - 1 - HMAC/SHA1

> Only 3 of 17 participants, who used other hash algorithms, implemented
> salting. One of them generated a random salt, one made use of the username,
> and one hard-coded a static salt.

As an industry, we (developers) have a long way to go.

~~~
penagwin
It's insane to me that it's not "common knowledge" to AT LEAST hash the
passwords.

It's also interesting because 6 used an encryption algorithm, 10 used MD5
which is as good as plaintext nowadays IMO, and 8 used Base64, so even though
24 people thought they "secured it" the passwords are trivial to recover.

~~~
ecesena
To play devil’s advocate, to me plaintext means I want to finish quickly
because you haven’t asked and are paying too little, while any solution other
than bcrypt/pbkdf2 means I don’t know what I’m doing.
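To put the categories from the quoted summary side by side, here is an added Python example (not code from the paper, the tweet, or any commenter in this thread). It stores a password the way ecesena's comment suggests, with PBKDF2-HMAC-SHA256 and a per-user random salt, and next to it reproduces the three weak choices the summary counts (plaintext, Base64, unsalted MD5) so the point penagwin makes about trivial recovery is visible in the output. The record format, the iteration count, and the function names are my own assumptions, not anything the study prescribes.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a 16-byte random salt and an
# iteration count in the range commonly recommended for PBKDF2-HMAC-SHA256.
# Tune iterations to your hardware; the record stores them, so they can be
# raised later without invalidating existing entries.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64.

    The salt is generated per call with os.urandom, so the same password
    hashed twice yields two different records. Deriving the salt from the
    username, or hard-coding one (both seen in the study), would make equal
    passwords recognisable across users or across deployments.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        RECORD_ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iterations and compare.

    hmac.compare_digest is used so the comparison time does not depend on
    how many leading bytes match. Malformed or foreign records are rejected
    rather than raising.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != RECORD_ALGO:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, base64.binascii.Error):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def weak_storage(password: str) -> dict:
    """The three most common weak choices from the study, for contrast only.

    Base64 is an encoding, not protection: it decodes back to the password.
    Unsalted MD5 is deterministic and fast: the same password always maps to
    the same 32-hex-digit value, across users and across sites.
    """
    raw = password.encode("utf-8")
    return {
        "plaintext": password,
        "base64": base64.b64encode(raw).decode("ascii"),
        "md5_unsalted": hashlib.md5(raw).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample credential, not from any real system.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("incorrect horse", record))
    print("weak forms:    ", weak_storage("correct horse battery staple"))
```

Note that the record keeps the iteration count with the hash, so when hardware gets faster you can raise `PBKDF2_ITERATIONS` for new registrations and rehash old entries on the user's next successful login; verification still reads the count from each stored record.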

~~~
blotter_paper
Having once run my own freelance web dev company, I feel very comfortable
saying that I would not take a project where I wasn't getting paid enough to
bother hashing passwords. That's beyond justification. Either reject the
client or protect their users.

------
gravypod
What was the task they were asked to perform? For most work a contract under
1k isn't going to get you an extremely high quality developer. In finding,
planning, negotiating, and implementing a project you accrue a lot of billable
overhead time.

If you assume it takes:

- 1hr to apply, negotiate, and accept job
- 1hr to do job
- 1hr to submit and aid in support & integration of code

Then at $200 you're making $66/hr. I'd classify myself as an average developer
and most contract work people spam me with on LinkedIn is in the $150/hr +
benefits range.

I wonder what kind of quality they'd get with a larger project priced at that
range. Something with 15hr of work @ $150 might bring in higher quality
freelancers that are closer to the industry average.

~~~
andregumieri
I understand your point but that also depends on the geographic location of
the developer. 66 US Dollars here in Brazil – as well in many other countries
– is an excellent rate and you find top notch developers. Even with half of
that you would find excellent and experienced developers around here.

