Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncycastle Password Hashing

by   Chamila Wijayarathna, et al.

Lack of usability of security Application Programming In- terfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in software applications they develop. Especially, APIs that pro- vide cryptographic functionalities such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs to make them easy to learn and use, it is important to identify the usability issues exist on those APIs that make those harder to learn and use. In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API to identify usabil- ity issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution us- ing Bouncycastle API. From data we collected, we identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. Results of our study provided useful insights about how security/cryptographic APIs should be designed, developed and improved to provide a better experi- ence for programmers who use them. Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.



There are no comments yet.


page 1

page 2

page 3

page 4


Fighting Against XSS Attacks: A Usability Evaluation of OWASP ESAPI Output Encoding

Cross Site Scripting (XSS) is one of the most critical vulnerabilities e...

A methodology to Evaluate the Usability of Security APIs

Increasing number of cyber-attacks demotivate people to use Information ...

Don't forget your classics: Systematizing 45 years of Ancestry for Security API Usability Recommendations

Producing secure software is challenging. The poor usability of security...

Zur Benutzbarkeit und Verwendung von API-Dokumentationen

A good documentation is essential for a good usability of (security) API...

A Study on Priming Methods for Graphical Passwords

Recent work suggests that a type of nudge or priming technique called th...

That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Thirteen Password Managers

Password managers have the potential to help users more effectively mana...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.