"If you want, I can store the encrypted password." A Password-Storage Field Study with Freelance Developers - Naiakshina_Password_Study.pdf
First of all, we reveal that, similar to the students, freelancers do not store passwords securely unless prompted, they have misconceptions about secure password storage, and they use outdated methods.
Et ça, qui résume :
Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext.
Those devs were then asked to rewrite their code to 'store passwords securely.' Overall here are the methods of password storage chosen by the developers:
8 - Base64
3 - AES
3 - 3DES
10 - MD5
1 - SHA-1
5 - SHA-256
5 - PBKDF2
7 - Bcrypt
1 - HMAC/SHA1
(voir ce tweet :https://twitter.com/PwdRsch/status/1103021803503607808 )