Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncycastle Password Hashing

Abstract: Lack of usability of security Application Programming In- terfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in software applications they develop. Especially, APIs that pro- vide cryptographic functionalities such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs to make them easy to learn and use, it is important to identify the usability issues exist on those APIs that make those harder to learn and use. In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API to identify usabil- ity issues in it that persuade programmers to make mistakes while developing applications that would result in security vulnerabilities. We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution us- ing Bouncycastle API. From data we collected, we identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. Results of our study provided useful insights about how security/cryptographic APIs should be designed, developed and improved to provide a better experi- ence for programmers who use them. Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.