-
"Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication
Authors:
Jan H. Klemmer,
Marco Gutfleisch,
Christian Stransky,
Yasemin Acar,
M. Angela Sasse,
Sascha Fahl
Abstract:
Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usabil…
▽ More
Usable and secure authentication on the web and beyond is mission-critical. While password-based authentication is still widespread, users have trouble dealing with potentially hundreds of online accounts and their passwords. Alternatives or extensions such as multi-factor authentication have their own challenges and find only limited adoption. Finding the right balance between security and usability is challenging for developers. Previous work found that developers use online resources to inform security decisions when writing code. Similar to other areas, lots of authentication advice for developers is available online, including blog posts, discussions on Stack Overflow, research papers, or guidelines by institutions like OWASP or NIST.
We are the first to explore developer advice on authentication that affects usable security for end-users. Based on a survey with 18 professional web developers, we obtained 406 documents and qualitatively analyzed 272 contained pieces of advice in depth. We aim to understand the accessibility and quality of online advice and provide insights into how online advice might contribute to (in)secure and (un)usable authentication. We find that advice is scattered and that finding recommendable, consistent advice is a challenge for developers, among others. The most common advice is for password-based authentication, but little for more modern alternatives. Unfortunately, many pieces of advice are debatable (e.g., complex password policies), outdated (e.g., enforcing regular password changes), or contradicting and might lead to unusable or insecure authentication. Based on our findings, we make recommendations for developers, advice providers, official institutions, and academia on how to improve online advice for developers.
△ Less
Submitted 26 November, 2023; v1 submitted 1 September, 2023;
originally announced September 2023.
-
"Please help share!": Security and Privacy Advice on Twitter during the 2022 Russian Invasion of Ukraine
Authors:
Juliane Schmüser,
Noah Wöhler,
Harshini Sri Ramulu,
Christian Stransky,
Dominik Wermke,
Sascha Fahl,
Yasemin Acar
Abstract:
The Russian Invasion of Ukraine in early 2022 resulted in a rapidly changing (cyber) threat environment. This changing environment incentivized the sharing of security advice on social media, both for the Ukrainian population, as well as against Russian cyber attacks at large. Previous research found a significant influence of online security advice on end users.
We collected 8,920 tweets posted…
▽ More
The Russian Invasion of Ukraine in early 2022 resulted in a rapidly changing (cyber) threat environment. This changing environment incentivized the sharing of security advice on social media, both for the Ukrainian population, as well as against Russian cyber attacks at large. Previous research found a significant influence of online security advice on end users.
We collected 8,920 tweets posted after the Russian Invasion of Ukraine and examined 1,228 in detail, including qualitatively coding 232 relevant tweets and 140 linked documents for security and privacy advice. We identified 221 unique pieces of advice which we divided into seven categories and 21 subcategories, and advice targeted at individuals or organizations. We then compared our findings to those of prior studies, finding noteworthy similarities. Our results confirm a lack of advice prioritization found by prior work, which seems especially detrimental during times of crisis. In addition, we find offers for individual support to be a valuable tool and identify misinformation as a rising threat in general and for security advice specifically.
△ Less
Submitted 24 August, 2022;
originally announced August 2022.
-
Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security
Authors:
Felix Fischer,
Konstantin Böttinger,
Huang Xiao,
Christian Stransky,
Yasemin Acar,
Michael Backes,
Sascha Fahl
Abstract:
Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. Available information include vibrant discussions and oftentimes ready-to-use code snippets. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-…
▽ More
Online programming discussion platforms such as Stack Overflow serve as a rich source of information for software developers. Available information include vibrant discussions and oftentimes ready-to-use code snippets. Anecdotes report that software developers copy and paste code snippets from those information sources for convenience reasons. Such behavior results in a constant flow of community-provided code snippets into production software. To date, the impact of this behaviour on code security is unknown. We answer this highly important question by quantifying the proliferation of security-related code snippets from Stack Overflow in Android applications available on Google Play. Access to the rich source of information available on Stack Overflow including ready-to-use code snippets provides huge benefits for software developers. However, when it comes to code security there are some caveats to bear in mind: Due to the complex nature of code security, it is very difficult to provide ready-to-use and secure solutions for every problem. Hence, integrating a security-related code snippet from Stack Overflow into production software requires caution and expertise. Unsurprisingly, we observed insecure code snippets being copied into Android applications millions of users install from Google Play every day. To quantitatively evaluate the extent of this observation, we scanned Stack Overflow for code snippets and evaluated their security score using a stochastic gradient descent classifier. In order to identify code reuse in Android applications, we applied state-of-the-art static analysis. Our results are alarming: 15.4% of the 1.3 million Android applications we analyzed, contained security-related code snippets from Stack Overflow. Out of these 97.9% contain at least one insecure code snippet.
△ Less
Submitted 9 October, 2017;
originally announced October 2017.